SPF record: which server(s) do I add to the DNS record?

SPF record - our MX points to a third party, which then forwards to O365. What do I put in the SPF DNS record: the third-party server IP only, or do I also need to put in the O365 email server (MS server)? Thanks
philb19Asked:
MaheshArchitectCommented:
It's not about receiving servers.

SPF needs to be specified based on the outgoing servers' IP addresses.

I believe your outbound traffic is from O365 only, so the default O365 SPF should suffice for the requirement.

If instead outbound traffic flows from O365 to the 3rd party and from there to the internet, then the 3rd-party server will send/forward those mails to the internet and your domain SPF should contain the 3rd-party SPF as an include.

Such as:
v=spf1 include:3rdparty.com ~all

Because receiving servers on the internet check the 1st server entry (RFC 5321 / return path).

If you want you can add O365 as an additional include entry, but it's not required.
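An added example (not code from the thread) that works through the forwarding path described in the answer above: a toy SPF evaluator run against constructed TXT records. The domains, records and IP ranges are made up (RFC 5737 documentation ranges); the spf.protection.outlook.com entry is a stand-in for the real Office 365 include, whose contents differ. It shows that the receiver evaluates the record of the return-path domain against the IP of the last hop that connected to it, so a 3rd-party forwarder must be covered, and an O365-only include does not cover it.

```python
"""Toy SPF check for the forwarding scenario (added example, constructed data).

Only the mechanisms needed here are implemented: ip4, include and all with
qualifiers. A real resolver (RFC 7208) also handles a, mx, ptr, exists,
redirect, macros and the 10-DNS-lookup limit.
"""
import ipaddress

# Constructed TXT records standing in for DNS. "example.com" plays the OP's
# domain, "3rdparty.example" the forwarding service; the outlook.com entry is a
# hypothetical stand-in for the Office 365 include.
DNS_TXT = {
    "example.com": "v=spf1 include:3rdparty.example ~all",
    "3rdparty.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, txt=DNS_TXT):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    `domain` is the RFC 5321 MAIL FROM (return-path) domain and `ip` is the
    address of the host that connected to the receiver. For mail forwarded via
    a third party that is the third party's IP, not the original sender's.
    """
    record = txt.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            # version mismatch (IPv6 client vs ip4 network) simply does not match
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            if check_host(ip, arg, txt) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not implemented in this toy
    return "neutral"  # no "all" term: RFC 7208 default result


def delivery_result(hops, return_path_domain, txt=DNS_TXT):
    """`hops` lists (name, ip) for each relay in order. The final receiver only
    sees the last hop, so SPF is evaluated against that hop's IP."""
    last_name, last_ip = hops[-1]
    return last_name, check_host(last_ip, return_path_domain, txt)


if __name__ == "__main__":
    path = [("O365 outbound", "198.51.100.9"), ("3rd party relay", "203.0.113.5")]
    print(delivery_result(path, "example.com"))  # ('3rd party relay', 'pass')
    # With only the O365 include, the forwarded mail would softfail:
    only_o365 = {**DNS_TXT,
                 "example.com": "v=spf1 include:spf.protection.outlook.com ~all"}
    print(delivery_result(path, "example.com", only_o365))  # ('3rd party relay', 'softfail')
```

Swapping the `example.com` record for one with both includes makes a direct O365 send and the forwarded path pass; that is the "no harm in adding both" case from the answer.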
philb19Author Commented:
Thanks very much. Another question then: on the third-party email portal there is a check box (not ticked at the moment) to do an SPF lookup
for spoofed domains that it has listed as internal (i.e. our domain name is in that list). What are they doing when I check to enable this? Are they then going to my DNS servers and checking for the SPF record? Now, as email is forwarded on only from O365 to them from our domain (O365 users),
would they then not expect to see the O365 email server IP/name in the DNS SPF record? (Otherwise they would mark it as SPAM/spoofed?)
Am I reading this correctly? TA
MaheshArchitectCommented:
It's actually not required, as they should have the entire O365 IP range whitelisted for you / other O365 customers.
If mail from your domain appears from IPs outside the O365 IP range, it should be considered spoofed.

Else you can add the O365 SPF as an included lookup in your domain SPF record in addition to the service provider SPF / IP range.
There is no harm in that.
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
A bit complex.

For example, let's say you're relaying mail through MailGun for high deliverability.

Then MailGun IPs will be sending mail on behalf of your sending domain.

So... MailGun will provide you with an SPF record, which you then add to the DNS of your sending domain.

Every IP sending mail on your behalf must be covered by an SPF record in DNS for your sending domain. This authenticates that a given IP may send mail on your behalf, so Mailbox Providers (Google, Apple, Yahoo, etc.) can quickly differentiate between spam + ham (good mail).

You'll also require DKIM DNS records + DKIM signing of each message + a DMARC DNS record to set enforcement levels.

A bit complex.
philb19Author Commented:
Thanks David + Mahesh. Mahesh, are you saying that not ticking it (not required to tick) or the SPF with O365 is not required? With it unticked, are they still whitelisting all O365 IPs? Thanks
MaheshArchitectCommented:
That is something you need to check with the service provider.
I have worked with SendGrid.
They don't care about my SPF.

However, better you include the O365 SPF in addition to the service provider SPF in your SPF; it is useful if you are using domain authentication or want to use it in future, including DMARC, meaning that though service providers send emails on behalf of you, the mail from (RFC 5321) will resolve to your domain but use service provider IPs.

Look at the article below to understand how SPF and DKIM work in SMTP service provider / smart host scenarios.

https://www.experts-exchange.com/articles/32747/Azure-SMTP-Restrictions-Resolution-with-SMTP-Relay-Services.html
Edmond HawilaChief Operating OfficerCommented:
Hi,

Let me clear this a bit for you.

MX records specify where email sent to your domain should be delivered to. So your MX record is your receiving email server, ie. Office365.
It has nothing to do with emails you send, it is only relevant for incoming emails.

SPF Records are not "required", as in they don't affect your sending or receiving mail flow.
In here you can specify email servers you acknowledge are sending on behalf of your domain.
If you send an email and the recipient has a SPAM filtering service, it will check your SPF records to ensure this is a verified server sending on your domain's behalf. If the server that sent the email from your domain isn't listed in your SPF, the SPAM filter will mark it as SPAM.
If the recipient doesn't have a SPAM filtering service they will receive the email without ever checking your SPF records, and it will not care if this is SPAM or not.

The official definition of SPF records:
Sender Policy Framework (SPF) is an anti-spam approach in which the Internet domain of an e-mail sender can be authenticated for that sender, thereby discouraging spam mailers, who routinely disguise the origin of their e-mail, a practice known as e-mail spoofing.

It is the recommended practice to set SPF records. You should include DNS entries or IPs that are sending on behalf of your domain.
i.e. Office 365 SPF records look like this: "v=spf1 include:spf.protection.outlook.com ~all"

If you have any service sending emails on your behalf it should be included. For things like MailChimp or a scan-to-email service, you should be adding the IP address or DNS name the service will be sending emails from. If a copier in your network is configured to scan-to-email then you should be adding the external IP of your internet connection. If your external IP is 111.222.333.44 then it should look something like this: "v=spf1 include:spf.protection.outlook.com ip4:111.222.333.44 ~all"
On top of that, if you want to include/allow MailChimp, which has a DNS name for their mail servers which is servers.mcsv.net, then it should look like this:
"v=spf1 include:spf.protection.outlook.com ip4:111.222.333.44 include:servers.mcsv.net ~all"

I hope this makes things clearer to you of how things work and what they are for.

Let me know if you need any clarification.
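As an added example (not part of the answer above, nor any vendor's tool), a small linter that flags the syntax mistakes most likely to slip into a record like the ones shown: an IP literal after include: (include: takes a domain whose record is fetched; addresses belong after ip4: or ip6:), an address that is not valid, a missing v=spf1 tag, terms after all, and more than the 10 DNS-lookup terms RFC 7208 permits. It checks string syntax only and performs no DNS queries; the records it is run on in the usage are constructed.

```python
"""SPF TXT record linter (added example, string checks only, no DNS)."""
import ipaddress
import re

# Terms that cost a DNS lookup under RFC 7208's limit of 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}


def _looks_like_address(arg):
    """True for things like 111.222.333.44, 203.0.113.0/24 or 2001:db8::/32."""
    return bool(re.fullmatch(r"[0-9.]+(/\d+)?", arg)) or ":" in arg


def lint_spf(record):
    """Return a list of problem descriptions; an empty list means nothing found."""
    problems = []
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    for idx, term in enumerate(terms[1:], start=1):
        # optional qualifier prefix: + (pass) - (fail) ~ (softfail) ? (neutral)
        body = term[1:] if term[:1] in ("+", "-", "~", "?") else term
        # modifiers (redirect=, exp=) use "=", mechanisms use ":"
        sep = "=" if "=" in body else ":"
        name, _, arg = body.partition(sep)
        name = name.lower().split("/")[0]  # "a/24" dual-CIDR form
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            if not arg:
                problems.append(f"{term}: include: needs a domain name")
            elif _looks_like_address(arg):
                problems.append(
                    f"{term}: include: takes a domain whose SPF record is fetched; "
                    f"use ip4:{arg} (or ip6:) to authorise an address")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"{term}: {arg!r} is not a valid address or CIDR range")
            else:
                if net.version != int(name[2]):
                    problems.append(f"{term}: address family does not match {name}:")
        elif name == "all":
            if idx != len(terms) - 1:
                problems.append(f"{term}: all should be the last term; later terms are never evaluated")
        elif name not in KNOWN_TERMS:
            problems.append(f"{term}: unknown mechanism or modifier")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror at receivers)")
    return problems


if __name__ == "__main__":
    # Constructed records: the first repeats the include-with-IP pattern, the
    # second is the corrected form using ip4: (the 111.222.333.44 octet is a
    # placeholder from the thread, so ip4: will also flag it as not valid).
    for rec in ('"v=spf1 include:spf.protection.outlook.com include:111.222.333.44 ~all"',
                "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.44 include:servers.mcsv.net ~all"):
        print(rec, "->", lint_spf(rec) or "ok")
```

Run it on a record before publishing it; receivers treat a malformed term or more than 10 lookups as a permanent error, which is worse than having no record at all.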

MaheshArchitectCommented:
SPF Records are not "required", as in they don't affect your sending or receiving mail flow.
In here you can specify email servers you acknowledge are sending on behalf of your domain.
If you send an email and a recipient has a SPAM Filtering service it will check your SPF records to ensure this is a verified server sending on your domain's behalf. If the server that sent the email from your domain isn't listed in your SPF the SPAM filter will mark it as SPAM.

SPF records are required, as it will impact outbound mail flow; without SPF, there is a high possibility your messages can go to spam.

If you are using an SMTP service provider, for SPF checking the recipient domain only cares about the RFC 5321 (mail from, or you can say return path) domain, which is different from RFC 5322 (this is your SMTP domain, which is actually seen by recipients in their mail clients).
When SMTP service providers are used, the provider domain will be used as the RFC 5321 (return path) domain along with the provider public IP, and SPF will be validated against this IP and return path domain. If the IP belongs to the SPF record of the provider domain, SPF will pass.
The recipient domain then does not care if the actual sender (RFC 5322) is different from the return path domain which is validated for SPF.
You can see many promotional emails in Gmail or any other clients where the sender looks like user@domain.com via smtp.smarthostservice.net.

So the point is, it's not mandatory that the SMTP service provider SPF must be included in your domain SPF, with one exception; in fact smart host services are there to serve you even if you don't have SPF / DKIM records at all.

Now if you published or want to publish DMARC for your domain, then it's mandatory that either SPF or DKIM must pass for the original sending domain; this enforcement is required to stop spoofed emails.
To comply with this requirement, you need to undergo domain authentication with the smart host service provider, and they provide you some CNAME records which need to be created in your SMTP domain's public DNS zone.

Now when your server forwards emails to the SMTP service provider, it replaces the mail from (RFC 5321) domain with the CNAME entry you created earlier,
hence the recipient system is forced to check SPF against your SMTP domain, and in that case you do include the SMTP service provider SPF in your SPF record.

@OP:
Check with your service provider if he needs your domain to have SPF; in that case you are forced to add the O365 SPF record, else it's optional.
I suggested you add the service provider SPF along with the O365 SPF so that you will not run into issues if tomorrow you want to send emails directly to the internet or you decide to publish a DMARC record along with DKIM to build domain reputation.
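An added example (not code from the thread) that makes the RFC 5321 / RFC 5322 distinction in the answer above concrete. It parses the Return-Path and From headers of constructed messages, reports which domain the SPF check applied to versus the domain the recipient sees, and tests DMARC identifier alignment in relaxed and strict modes. The SPF verdict itself is passed in as an input rather than recomputed, and the organisational-domain rule is simplified to the last two labels (DMARC proper uses the Public Suffix List). The smart-host and CNAME subdomain names are made up.

```python
"""RFC 5321 vs RFC 5322 identities and DMARC SPF alignment (added example)."""
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Domain part of an address header such as 'Return-Path: <x@y>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.
    (Real DMARC uses the Public Suffix List, so co.uk-style names differ.)"""
    return ".".join(domain.split(".")[-2:])


def spf_aligned(return_path_domain, from_domain, mode="relaxed"):
    """Relaxed: same organisational domain; strict: identical domain."""
    if mode == "strict":
        return return_path_domain == from_domain
    return org_domain(return_path_domain) == org_domain(from_domain)


def dmarc_spf(raw_message, spf_result, mode="relaxed"):
    """Combine the SPF verdict (which receivers evaluate on the return-path
    domain) with alignment against the header From domain the user sees.
    DMARC only counts SPF as passing when both hold."""
    msg = message_from_string(raw_message)
    rp = domain_of(msg["Return-Path"])
    hf = domain_of(msg["From"])
    aligned = spf_aligned(rp, hf, mode)
    return {
        "spf_checked_domain": rp,      # RFC 5321 identity
        "visible_from_domain": hf,     # RFC 5322 identity
        "spf_result": spf_result,
        "aligned": aligned,
        "dmarc_spf_pass": spf_result == "pass" and aligned,
    }


# Constructed sample: sent through a smart host without domain authentication,
# so the return path carries the provider's domain.
UNAUTHENTICATED = """\
Return-Path: <bounce-123@smtp.smarthostservice.net>
From: Alice <alice@example.com>
To: bob@example.org
Subject: test

hello
"""

# Same smart host after domain authentication: the return path now uses a
# hypothetical CNAME'd subdomain of the sender's own domain.
AUTHENTICATED = UNAUTHENTICATED.replace(
    "bounce-123@smtp.smarthostservice.net", "bounce-123@em.example.com")

if __name__ == "__main__":
    print(dmarc_spf(UNAUTHENTICATED, "pass"))  # SPF passes for the provider, aligned False
    print(dmarc_spf(AUTHENTICATED, "pass"))    # aligned True -> dmarc_spf_pass True
    print(dmarc_spf(AUTHENTICATED, "pass", mode="strict"))  # subdomain fails strict mode
```

The first message is the "user@domain.com via smtp.smarthostservice.net" case: SPF passes, but for the provider's domain, so a DMARC policy on example.com gets no credit from it. After domain authentication the return path lands on a subdomain of example.com, which is exactly why the sender's own SPF record then has to include the provider.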
philb19Author Commented:
Thanks all - I've just put it in using the IP (the NAT address we relay out from) and the 3 third parties that send email - seems OK.