When configuring Microsoft 365 email you will find that Microsoft requires your organization to set up an SPF (Sender Policy Framework) record to go along with your Exchange Online tenant.  SPF is a DNS TXT record on your domain that lists the hosts authorized to send email for it; receiving servers look the record up and compare it with the IP address that connected to them, and the include for spf.protection.outlook.com is what authorizes the Microsoft 365 messaging servers.  Let's cover what you need to know about getting started with Microsoft 365 SPF records.

The record you add to external DNS looks like this (the -all at the end tells receivers to hard-fail anything not listed):

v=spf1 include:spf.protection.outlook.com -all

Microsoft 365 Email SPF Records are all I need right?

Wrong!  As more cloud providers emerge with software as a service that sends email on behalf of your organization, you start running into the limits of the SPF record.  The issue is that evaluating an SPF record is limited to 10 DNS lookups (RFC 7208, section 4.6.4): every include:, a, mx, ptr, exists and redirect= term costs one lookup, and because your providers' include: records are evaluated too, the nested includes inside a provider's record count against your 10 as well.  Plain ip4: and ip6: entries cost no lookups, although the record still has to fit within DNS size limits.  What I am finding as I work with these records is that a single SaaS provider whose record is built from several sub-records can consume three or four of your 10 lookups by itself.  Going over the limit is worse than being at it: receivers return a permerror and treat the whole record as invalid, so mail from every sender in it can end up in spam filters.  Once you are at 10 lookups, your options are to list a provider's IP addresses directly (fragile if they change), move some senders to a subdomain with its own SPF record, or rely on DKIM and DMARC instead.

Also keep in mind that a sending domain can have only one SPF record; if two are published, receivers treat that as a permerror rather than merging them, which I am finding can be somewhat limiting.

What else can be done?

The nice thing about sending email on behalf of an organization is that there is more you can do if you are prepared.  There are two more items to consider, and they fall under the heading of "brand protection": DMARC and DKIM.  You may look at those acronyms and ask what they mean, so let's discuss them next.

Microsoft 365 Email and DMARC

The next step is adding DMARC (Domain-based Message Authentication, Reporting, and Conformance) to your external DNS.  DMARC is a policy that tells receiving servers what to do with a message that claims to be from your domain but fails both SPF and DKIM, and asks them to report back what they saw, which is what lets you detect and eventually block fraudulent messages.  DMARC records should initially be configured in "monitoring" mode (p=none) so that you can analyze the reports before moving to any form of hard failure (quarantine or reject).  Receivers send aggregate reports as XML to the address in the rua= tag; a third-party DMARC reporting service makes those reports much easier to digest, but the raw reports are the data about brand abuse, and you can parse them yourself if you prefer.

The syntax of a DMARC record setup for monitoring only will typically look like this:

Name: _dmarc.domainname.com

Type: TXT

v=DMARC1; p=none; fo=1; rua=mailto:<reporting address>

Here p=none is the monitoring policy, rua= is the mailbox or reporting-service address that receives aggregate reports (substitute your own), and fo=1 only controls failure (forensic) reports, which receivers send only if you also publish a ruf= address, and which many receivers do not send at all.
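The aggregate reports that arrive at the rua= address are plain XML, so the data is usable without a commercial dashboard. The following is an added example, not code from the original article: it summarizes one report and picks out the senders that would start failing once p= moves off none. SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C layout; the receiver name, source IPs (documentation ranges), selectors and counts are made up.

```python
"""Summarize a DMARC aggregate (rua) report without a third-party service.

Added example, not code from the original article. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C format; the organisation names,
IPs (documentation ranges), selectors and counts are made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>1700000000.domainname.com</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>domainname.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <!-- Exchange Online: SPF and DKIM both pass and align -->
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domainname.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>domainname.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>domainname.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- SaaS sender not in our SPF: its envelope domain passes SPF but is not aligned; DKIM with our domain carries it -->
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domainname.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>domainname.com</domain><selector>saas</selector><result>pass</result></dkim>
      <spf><domain>bounce.saas-a.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- Unknown source spoofing our domain: nothing passes, still delivered because p=none -->
  <record>
    <row>
      <source_ip>192.0.2.77</source_ip>
      <count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domainname.com</header_from></identifiers>
    <auth_results>
      <spf><domain>domainname.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (published policy, per-source rows) from one aggregate report."""
    root = ET.fromstring(xml_text)
    published = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; auth_results holds the raw ones.
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned,
            "disposition": evaluated.findtext("disposition"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
        })
    return published, rows


def sources_that_would_fail(rows):
    """Senders that would be quarantined or rejected once p= moves off none."""
    return [r for r in rows if not r["dmarc_pass"]]


def dkim_only_senders(rows):
    """Senders that pass only through aligned DKIM, e.g. a SaaS that is not in SPF."""
    return [r for r in rows if r["dkim_aligned"] and not r["spf_aligned"]]


if __name__ == "__main__":
    policy, rows = parse_aggregate_report(SAMPLE_REPORT)
    print("published policy:", policy["p"])
    for r in sources_that_would_fail(rows):
        print("would fail:", r["source_ip"], r["count"], "messages")
```

The second record is the interesting one for the SPF problem above: the provider's own envelope domain passes SPF, but that does not align with the From: domain, so only the DKIM signature with d=domainname.com keeps the message passing. The third record is what a spoofing attempt looks like while you are still on p=none.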

Once DMARC is in place, a message passes if either SPF or DKIM passes and is aligned, meaning the domain that passed matches the domain in the visible From: header (exactly under strict alignment, or the same organizational domain under the default relaxed alignment).  That is what lets another entity send on behalf of your organization through DKIM signing rather than through your SPF record.  Let's dive into DKIM next.

DKIM

DKIM is a way to cryptographically sign email messages sent by your organization.  In its simplest form, DKIM adds a "signature" header (DKIM-Signature) to each valid message as it leaves your organization on its way to the intended recipient.   Signing should be enabled within your email gateway product for each of your sending domains; for Exchange Online this is done in the Microsoft Defender portal.  It is important to note, though, that the signature cannot be verified until you publish the matching public key in your externally facing DNS: receivers look up <selector>._domainkey.<domain> and use the key found there to check the signature.  A TXT record of that kind looks similar to what is shown below.  Exchange Online is a special case: Microsoft hosts the key, and instead of a TXT record containing it you publish CNAME records for selector1._domainkey and selector2._domainkey under your domain that point at Microsoft's records.

Name: domainname._domainkey.domainname.com

Type: TXT

v=DKIM1; k=rsa; t=s; p=ABCiJKLgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx2lmftvQ
TIkIEWQniuSnLXZTQfKoq5PIc7XKNAj7i8zzLljCghlm5Cou1CNRu0ckxHBC9rOpV+cPAyZ9gF
qXS5EluzAJY5ydXd4/28gcaGi5tWOCtQckTm27T82ni8Xm3Yyk3ttV2m9ijfFZh39nYPXikm5v
S+mDDvm1/kWnf9CxzNNlsKeQBnKs+6YO7oa9rk++yNSY91hAPVBDvpPEZVGJlHnTE+nPywCUFs
BMYpRdYBt4TIBtazoKSvUA86U2J5Lqn82DK1xMk645MrvjW1CQ8EqjmJAyUpM1CxmuPyYnRswB
agz/lt5V4SJKoJbKaPF19G+Nb/jE6eeYMi2MiwIHDILE

Here "domainname" in front of ._domainkey is the selector (the s= value the signer puts in the DKIM-Signature header), k=rsa names the key type, t=s tells verifiers that the signing identity must be exactly this domain and not a subdomain of it, and p= holds the base64 public key.  The signature itself never goes into DNS; only the public key that verifies it does.

DKIM signing is simple and is one of the best ways to prove that the email your organization sends is really yours.  Now take this a step further and ask your SaaS providers to DKIM-sign the email they send on your behalf with a key published under your domain: they generate the key pair, you publish the public key under a selector in your DNS (usually as a CNAME record they give you), and their messages then pass DKIM with d= equal to your domain.  Because DMARC accepts an aligned DKIM pass on its own, that provider no longer needs a slot in your SPF record.  The caveat is alignment: if the provider signs with d= set to their own domain, the DKIM pass does not count toward your DMARC result, and the message is back to depending on SPF.
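The alignment rule from the DMARC section above, and the SaaS-signs-with-your-domain arrangement just described, are easiest to see in a receiver's evaluation logic. This is an added example, not code from the original article or from any mail product: it implements the DMARC pass/fail decision for one message from the SPF result, the DKIM signatures and the published policy. The scenarios at the bottom are constructed; the domain names are placeholders, and org_domain() is a simplification (last two labels) where real verifiers consult the Public Suffix List.

```python
"""Evaluate DMARC the way a receiver does: SPF or DKIM must pass *and* align
with the From: domain.

Added example, not code from the original article. The cases at the bottom are
constructed and the domain names are placeholders. org_domain() is a
simplification (last two labels); real verifiers consult the Public Suffix List.
"""


def org_domain(domain):
    """Organizational domain used by relaxed alignment. Simplified: last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_dmarc(header_from, spf, dkim_signatures, policy):
    """Return the DMARC outcome for one message.

    header_from:      domain in the visible From: header
    spf:              (result, domain) for the MAIL FROM (envelope) domain
    dkim_signatures:  list of (result, d= domain), one per DKIM-Signature header
    policy:           parsed DMARC tags, e.g. {"p": "reject", "aspf": "r", "adkim": "r"}
    """
    aspf = policy.get("aspf", "r")
    adkim = policy.get("adkim", "r")
    spf_ok = spf[0] == "pass" and aligned(spf[1], header_from, aspf)
    dkim_ok = any(res == "pass" and aligned(d, header_from, adkim) for res, d in dkim_signatures)
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # A passing message is never affected by p=; a failing one gets the policy.
        "disposition": "none" if passed else policy.get("p", "none"),
    }


# Constructed scenarios.
REJECT_POLICY = {"p": "reject", "aspf": "r", "adkim": "r"}
MONITOR_POLICY = {"p": "none"}


def exchange_online_case():
    # Mail via your tenant: SPF passes on your domain and Microsoft's DKIM signature aligns.
    return evaluate_dmarc("domainname.com", ("pass", "domainname.com"),
                          [("pass", "domainname.com")], REJECT_POLICY)


def saas_dkim_only_case():
    # Provider not in your SPF: its own envelope domain passes SPF but is not aligned.
    # It signs with a key you published under your domain, so DKIM aligns and carries it.
    return evaluate_dmarc("domainname.com", ("pass", "bounce.saas-a.example"),
                          [("pass", "domainname.com")], REJECT_POLICY)


def saas_unaligned_dkim_case():
    # Same provider signing with d= its own domain: nothing aligns, so DMARC fails.
    return evaluate_dmarc("domainname.com", ("pass", "bounce.saas-a.example"),
                          [("pass", "saas-a.example")], REJECT_POLICY)


def spoof_case(policy):
    # Someone else using your domain in From: with no authentication at all.
    return evaluate_dmarc("domainname.com", ("fail", "domainname.com"), [], policy)


if __name__ == "__main__":
    print("Exchange Online:", exchange_online_case())
    print("SaaS, DKIM aligned:", saas_dkim_only_case())
    print("SaaS, DKIM not aligned:", saas_unaligned_dkim_case())
    print("spoof under p=reject:", spoof_case(REJECT_POLICY))
```

The second and third cases are the practical point of this section: the same provider, sending from the same IP with the same SPF result, passes or fails DMARC depending only on which domain is in the d= tag of its signature. The last case shows why p=none is safe to start with and why the move to p=reject is what actually stops a spoof.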

Concluding Thoughts on Microsoft 365 Email SPF

For Microsoft 365 email, spoofing prevention needs more than an SPF record.  The pieces only work together once DMARC is in place, checking both DKIM and SPF against the From: domain to validate that a message is really yours.  Because DMARC passes on either an aligned SPF result or an aligned DKIM result rather than requiring both, you can move providers from SPF to DKIM, which frees up lookups in your SPF record for the next scenario where SPF cannot be avoided.

Brand protection is a must, and this is how you get started with Microsoft 365 SPF records!

 
