Avatar of philb19
SPF record: which server(s) do I add to the DNS record?

SPF record: our MX points to a third party, which then forwards to O365. What do I put in the SPF DNS record: the third-party server IP only, or do I also need to put in the O365 email server (MS server)? Thanks
Avatar of Mahesh

It's not about receiving servers.

SPF needs to be specified based on the outgoing servers' IP addresses.

I believe your outbound traffic is from O365 only, so the default O365 SPF should suffice for the requirement.

If, on the other hand, outbound traffic flows from O365 to the 3rd party and from there to the internet, then the 3rd party server will send / forward those mails to the internet and your domain SPF should contain the 3rd party SPF as an include.

Such as:
v=spf1 ~all

Because receiving servers on the internet check the 1st server entry (RFC 5321 / return path).

If you want you can add O365 as an additional included entry, but it's not required.
Avatar of philb19


Thanks very much. Another question then: on the third-party email portal there is a check box (not ticked at the moment) to do an SPF lookup
for spoofed domains that it has listed as internal (i.e. our domain name is in that list). What are they doing when I check to enable this? Are they then going to my DNS servers and checking for the SPF record? Now, as email is forwarded on only from O365 to them from our domain (O365 users),
would they then not expect to see the O365 email server IP/name in the DNS SPF record? (Otherwise they would mark it as SPAM/spoofed?)
Am I reading this correctly? TA
It's actually not required, as they should have the entire O365 IP range whitelisted against you / other O365 customers.
If mail from your domain appears from IPs outside the O365 IP range, it should be considered as spoofed.

Else you can add the O365 SPF as an included lookup in your domain SPF record, in addition to the service provider SPF / IP range.
There is no harm in that.
A bit complex.

For example, let's say you're relaying mail through MailGun for high deliverability.

Then MailGun IPs will be sending mail on behalf of your sending domain.

So... MailGun will provide you with an SPF record, which you then add to the DNS of your sending domain.

Every IP sending mail on your behalf must be covered by an SPF record in DNS for your sending domain. This authenticates that a given IP may send mail on your behalf, so Mailbox Providers (Google, Apple, Yahoo, etc.) can quickly differentiate between spam + ham (good mail).

You'll also require DKIM DNS records + DKIM signing of each message + a DMARC DNS record to set enforcement levels.

A bit complex.
Avatar of philb19


Thanks David + Mahesh. Mahesh, are you saying that not ticking it (not required to tick) or SPF with O365 is not required? With it unticked, are they still whitelisting all O365 IPs? Thanks
That is something you need to check with the service provider.
I have worked with SendGrid.
They don't care about my SPF.

However, it is better if you include the O365 SPF in addition to the service provider SPF in your SPF; it is useful if you are using domain authentication or want to use it in future, including DMARC, meaning that though service providers send emails on behalf of you, the mail from (RFC 5321) will resolve to your domain but use service provider IPs.

Look at the article below to understand how SPF and DKIM work in the SMTP service provider / smart host scenario.
Avatar of Edmond Hawila

SPF records are not "required", as in they don't affect your sending or receiving mail flow.
In here you can specify email servers you acknowledge are sending on behalf of your domain.
If you send an email and a recipient has a SPAM filtering service, it will check your SPF records to ensure this is a verified server sending on your domain's behalf. If the server that sent the email from your domain isn't listed in your SPF, the SPAM filter will mark it as SPAM.

SPF records are required, as they will impact outbound mail flow; without SPF, there is a high possibility your messages can go into spam.

If you are using an SMTP service provider, for SPF checking the recipient domain only cares about the RFC 5321 (mail from, or you can say return path) domain, which is different from RFC 5322 (this is your SMTP domain, which is actually seen by recipients in their mail clients).
When SMTP service providers are used, the provider domain will be used as the RFC 5321 (return path) domain along with the provider's public IP, and SPF will be validated against this IP and return path domain. If the IP belongs to the SPF record of the provider domain, SPF will pass.
The recipient domain then does not care if the actual sender (RFC 5322) is different from the return path domain which was validated for SPF.
You can see many promotional emails in Gmail or any other clients where the sender looks like "via".

So the point is, it's not mandatory that the SMTP service provider SPF must be included in your domain SPF, with one exception; in fact smart host services are there to serve you even if you don't have SPF / DKIM records at all.

Now if you have published or want to publish DMARC for your domain, then it's mandatory that either SPF or DKIM must pass for the original sending domain; this enforcement is required to stop spoofed emails.
To comply with this requirement, you need to undergo domain authentication with the smart host service provider, and they provide you some CNAME records which need to be created in your SMTP domain's public DNS zone.

Now when your server forwards emails to the SMTP service provider, it replaces the mail from (RFC 5321) domain with the CNAME entry you created earlier,
hence the recipient system is forced to check SPF against your SMTP domain, and in that case you do include the SMTP service provider SPF in your SPF record.

Check with your service provider if he needs your domain to have SPF; in that case you are forced to add the O365 SPF record, else it's optional.
I suggested you add the service provider SPF along with the O365 SPF so that you will not run into issues if tomorrow you want to send emails directly to the internet or you decide to publish a DMARC record along with DKIM to build domain reputation.
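The thread keeps returning to one mechanism: the receiving side takes the connecting IP and the RFC 5321 MAIL FROM domain, fetches that domain's SPF TXT record, and walks the mechanisms (ip4, include, all) until one matches. The following added example is not code from any poster on this page; it is a small offline evaluator of that walk over a constructed DNS table, so the "direct from O365" versus "relayed through the third party" cases from Mahesh's first reply can be tried side by side. The domain names example.com and example.org, the include name _spf.thirdparty.example and every IP range in the table are constructed; spf.protection.outlook.com is Microsoft's real include name, but the addresses attached to it here are placeholders, not Microsoft's ranges.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; nothing here touches the network.
# example.com is the asker's situation: only the forwarding third party is included.
# example.org is the configuration Mahesh recommends: third party plus O365 both included.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.thirdparty.example ~all",
    "example.org": "v=spf1 include:_spf.thirdparty.example include:spf.protection.outlook.com -all",
    "_spf.thirdparty.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # Real include name, constructed address range (not Microsoft's actual IPs).
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


class SpfError(Exception):
    """Raised for conditions that a real verifier reports as permerror."""


def lookup_txt(domain, dns):
    """Return the SPF record for a domain from the constructed table."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        raise SpfError(f"no SPF record for {domain}")
    return record


def check_host(ip, domain, dns, _state=None):
    """Subset of RFC 7208 check_host(): ip4, ip6, include and all.

    Returns pass/fail/softfail/neutral; raises SpfError for permerror cases.
    """
    state = _state if _state is not None else {"lookups": 0}
    addr = ipaddress.ip_address(ip)
    for term in lookup_txt(domain, dns).split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A version mismatch (v6 address against ip4) simply does not match.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_LOOKUPS:
                raise SpfError("more than 10 DNS lookups")
            # include matches only when the referenced record yields pass.
            if check_host(ip, arg, dns, state) == "pass":
                return QUALIFIERS[qualifier]
        else:
            raise SpfError(f"unsupported mechanism {name}")
    return "neutral"  # record ended without a match and without an all term


def evaluate(ip, domain, dns=FAKE_DNS):
    """Top-level result as a verifier would report it, including permerror."""
    try:
        return check_host(ip, domain, dns)
    except SpfError:
        return "permerror"


def lookup_count(domain, dns=FAKE_DNS):
    """Count DNS-querying terms reachable from a record (include only here)."""
    total = 0
    for term in lookup_txt(domain, dns).split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() == "include":
            total += 1 + lookup_count(arg, dns)
    return total


if __name__ == "__main__":
    cases = [
        ("203.0.113.7", "example.com"),   # relayed via the third party: pass
        ("198.51.100.9", "example.com"),  # sent straight from O365: softfail
        ("198.51.100.9", "example.org"),  # O365 included as well: pass
        ("192.0.2.1", "example.org"),     # unknown sender: fail
    ]
    for ip, domain in cases:
        print(f"{ip:>14}  MAIL FROM @{domain:<12}  {evaluate(ip, domain)}")
    for domain in ("example.com", "example.org"):
        print(f"{domain}: {lookup_count(domain)} of {MAX_DNS_LOOKUPS} DNS lookups used")
```

The second case is the one the asker should watch: with only the third party included, any message that leaves O365 directly arrives with a softfail, which many filters score against the sender. The lookup counter is there because each include costs one of the ten lookups RFC 7208 allows, and a record that exceeds it evaluates to permerror everywhere.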
Avatar of philb19


Thanks all. I've just put it in using the IP (NAT address we relay out from) and 3 third parties that send email. Seems OK.