Recently I dealt with a spam case involving incorrect SPF records that resulted in sent mail failing the SPF check.
A common mistake is how companies configure their own SPF record, especially when they are working in hybrid mode.
How SPF Works (in short)
SPF is a DNS record that is published for a domain. This record lists all of the devices, in most cases by IP address, that are allowed to send mail on behalf of the domain. SPF is a TXT record and is designed to help prevent spoofing. An SPF record can be configured with one of the following endings:
- ~all = If the SPF check fails, the result is a soft failure. Some mail systems may mark a message as spam if it has soft failed an SPF check.
- -all = If the SPF check fails, the result is a hard failure. Most mail systems will mark an inbound message as spam if the SPF check results in a hard failure.
In addition, to have an SPF hard fail marked as spam, you can enable the following option in your content filter.
One way to view the SPF record of a domain is to type the following in a command window:
nslookup -q=txt elishlomo.us
Configure SPF Record
If you subscribe to Exchange Online without hybrid and send mail out of the cloud mailboxes, your SPF record will need to be configured as follows.
If you have Exchange Online with hybrid and you are using EOP without cloud mailboxes, you will need to add the IPs of your on-premises mail servers to your SPF. In these situations, if outbound mail is being smart hosted through EOP:
v=spf1 ip4:172.x.x.x include:spf.protection.outlook.com -all
This next bit is very important. If you only take one thing away from this article, it should be this next paragraph.
Note: if you smart host all of your outbound mail through EOP, you will still need to add your on-premises mail servers to your SPF record to ensure receiving partners' SPF checks don’t fail against your domain.
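
The checks described above can be run against a record before it is published. The following is an added example, not code from the original post: the function name, the findings text and the sample addresses (documentation range 203.0.113.0/24) are assumptions made for illustration.

```python
import ipaddress

EOP_INCLUDE = "include:spf.protection.outlook.com"  # from the hybrid record above


def audit_hybrid_spf(record, onprem_ips):
    """Return a list of findings for a hybrid Exchange/EOP SPF record (empty = OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    mechanisms = [t.lower() for t in terms[1:]]
    findings = []

    # Record ending: -all is a hard failure, ~all only a soft failure.
    last = mechanisms[-1] if mechanisms else ""
    if last == "~all":
        findings.append("ends with ~all: failures are only a soft fail")
    elif last != "-all":
        findings.append("does not end with -all or ~all")

    if EOP_INCLUDE not in mechanisms:
        findings.append("missing " + EOP_INCLUDE)

    # Collect ip4 mechanisms; a bare address is treated as a /32 network.
    networks = []
    for m in mechanisms:
        if m.startswith(("ip4:", "+ip4:")):
            try:
                networks.append(ipaddress.ip_network(m.split(":", 1)[1], strict=False))
            except ValueError:
                findings.append("invalid ip4 mechanism: " + m)

    # Every on-premises sender must be covered, even when smart hosting via EOP.
    for ip in onprem_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            findings.append("on-premises server %s is not listed" % ip)
    return findings


# Constructed sample data (not from the post).
ONPREM = ["203.0.113.10", "203.0.113.11"]
GOOD = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:spf.protection.outlook.com -all"
CLOUD_ONLY = "v=spf1 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for rec in (GOOD, CLOUD_ONLY):
        print(rec, "->", audit_hybrid_spf(rec, ONPREM) or "OK")
```

Feed it the TXT string returned by the nslookup query together with the list of on-premises servers that send mail for the domain.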