Email provider

SPF setup for Microsoft 365

SPF authorises IPs and includes for your envelope sender. Microsoft 365 gives you the include: you must add to your domain’s single SPF TXT.

Common mistake: Expecting DKIM to work before the CNAMEs resolve — enable and wait for DNS.

Step by step

Step 1 Microsoft 365 Defender portal → Email & collaboration → Policies & rules → DKIM — or Exchange admin center DKIM for the domain.

Step 2 At Cloudflare, Route 53, or wherever your domain’s zone lives — not inside Microsoft 365’s SPF editor if they don’t host DNS.

Step 3 Merge with your other senders into one v=spf1 line. Example baseline including Microsoft 365:

v=spf1 include:spf.protection.outlook.com ~all

Step 4 If you already have SPF, add include:... before ~all — never publish two SPF TXT records.

Step 5 TTL 300–3600s. Propagation: minutes to an hour depending on resolver.

Step 6 Run DNS Preflight — confirm SPF resolves and lookup count stays under 10. DMARC alignment: DMARC fixes.

DNS Preflight — verify SPF, DKIM, DMARC in one pass.

Open DNS Preflight →

DMARC alignment — fixes when reports show failures.

DMARC fix guides →

FAQ

What SPF include does Microsoft 365 need?

Use the include string on this page — merge into your single SPF TXT with other mail sources.

Can I have two SPF records?

No. Merge into one v=spf1 or receivers return PermError.

Where do I edit SPF?

At your DNS host (Route 53, Cloudflare, etc.) — not always inside the email product.

How do I know it worked?

DNS Preflight shows your SPF string and lookup count.

Why does DMARC still fail?

SPF alone doesn’t align if Return-Path is different — you need DKIM alignment or aligned SPF. See /fix/dmarc/.

← Microsoft 365 hub · All email providers