Windows/Exchange: How to setup SPF records for spam protection

Created: 3-24-21

Updated: 3-24-21

A task I find myself doing from time to time is making sure SPF records are set up correctly and produce the desired outcome, so this article is mainly a reference so I don't forget how to deploy this in the future.

Below I'll walk through a few examples; if you'd like an SPF calculator, here is one that works well: SPF Generator

First we need to define two sets of terms, SPF mechanisms and SPF qualifiers.

SPF Mechanisms:

Mechanism   Meaning
all         matches any host
ip4         matches a single IPv4 address or range
ip6         matches a single IPv6 address or range
a           matches the address a host name or domain name resolves to
mx          matches against the MX records for the domain
ptr         reverse DNS: matches when the PTR host name of the sending IP resolves back to that IP
exists      matches if the named domain exists (resolves)
include     matches against the SPF record of another domain

SPF Qualifiers:

Qualifier   Meaning
+           Email should be accepted (Pass)
-           Email should not be accepted (Fail)
~           Email can be accepted, typically treated as questionable (Soft Fail)
?           Does nothing (Neutral, i.e. Switzerland)

Note: The examples below use two IP addresses for Exchange servers. Make sure you have the priorities set in public DNS for the MX records of your Exchange servers so that one is preferred over the other. The lower number is the higher priority; for example, Exch1.mydomain.com with a priority of 10 is the preferred MX record if Exch2.mydomain.com has a priority of 20.

SPF Example 1:

Record: v=spf1 mx a ~all

  Accepts emails from the MX records for the domain
  Accepts emails from the IP address the domain resolves to, which is normally a web server or Exchange server
  All others soft fail

SPF Example 2: (typically used for an on-premise Exchange Server in a hybrid setup connected to O365 Exchange; 56.123.145.67 is the public IP of the mail.mydomain.com address)

Record: v=spf1 ip4:56.123.145.67 include:spf.protection.outlook.com -all

  Accepts emails from the public IP address 56.123.145.67
  Includes the SPF record from Exchange Online Protection
  All others fail

SPF Example 3: (typically what you use for O365 Exchange setups where your email is completely in O365 and not in a hybrid setup)

Record: v=spf1 include:spf.protection.outlook.com -all

  This is a perfect example of an SPF record for those that are completely in O365 Exchange
  Includes the SPF record from Exchange Online Protection
  All others fail


SPF Example 4: (typically used when you have a solo on-premise Exchange Server that is your MX record, working in hybrid mode with O365 Exchange, and that also uses a SAN/UC certificate with the hostname mail.G15IT.com to send email; replace G15IT with your domain). All other mail is explicitly rejected.

Record: v=spf1 mx a ip4:57.120.45.4/32 a:mail.G15IT.com include:spf.protection.outlook.com -all

  Accepts emails from the MX record (the solo on-premise Exchange Server) at the public IP 57.120.45.4/32, which can deliver or relay mail for the domain G15IT.com
  Uses the hostname mail.G15IT.com for 57.120.45.4
  Includes the SPF record from Exchange Online Protection, which can deliver or relay mail for the domain G15IT.com
  All others fail

SPF Example 5: (typically used when you have a solo on-premise Exchange Server that is your MX record, working in hybrid mode with O365 Exchange, and that also uses a SAN/UC certificate with the hostname mail.G15IT.com to send email; replace G15IT with your domain). All other mail can be delivered but is treated as questionable until proven innocent.

Record: v=spf1 mx a ip4:57.120.45.4/32 a:mail.G15IT.com include:spf.protection.outlook.com ~all

  Accepts emails from the MX record (the solo on-premise Exchange Server) at 57.120.45.4/32, which can deliver or relay mail for the domain G15IT.com
  Uses the hostname mail.G15IT.com for 57.120.45.4
  Includes the SPF record from Exchange Online Protection, which can deliver or relay mail for the domain G15IT.com
  All other emails can be accepted but are treated as questionable until proven innocent (soft fail)

SPF Example 6: (typically used when you have a pair of DAG'd on-premise Exchange Servers that are your MX records, working in hybrid mode with O365 Exchange, and that also use a SAN/UC certificate with the hostname mail.G15IT.com to send email; replace G15IT with your domain)

Record: v=spf1 mx a ip4:57.120.45.4/32 ip4:57.120.45.5/32 a:mail.G15IT.com include:spf.protection.outlook.com -all

  Accepts emails from the MX records (the two DAG'd on-premise Exchange Servers) at 57.120.45.4/32 and 57.120.45.5/32, which can deliver or relay mail for the domain G15IT.com
  Uses the hostname mail.G15IT.com for the DAG'd Exchange hosts 57.120.45.4 and 57.120.45.5
  Includes the SPF record from Exchange Online Protection, which can deliver or relay mail for the domain G15IT.com
  All others fail
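To see how the mechanisms and qualifiers above actually combine, and to check a record before publishing it, here is an added example (my own code, not part of the original article and not a Microsoft tool) that parses a v=spf1 record, evaluates it against a sending IP the way a receiving mail server would (first matching term wins, its qualifier decides), and counts the DNS-querying terms, since RFC 7208 caps those at 10 per evaluation (include, a, mx, ptr and exists count; ip4 and ip6 do not). DNS answers come from a constructed in-memory table so it runs offline; the hostnames and IPs are the article's sample values, and the spf.protection.outlook.com record in the table is a constructed stand-in, not Microsoft's real one. The run at the bottom shows why Example 6 needs the second ip4 term: with the Example 4 record, mail from 57.120.45.5 hits -all.

```python
"""Offline SPF parser/evaluator (added example; DNS data below is constructed)."""
import ipaddress

# Constructed DNS data standing in for public DNS (assumption for this example).
DNS = {
    "g15it.com": {"MX": ["mail.g15it.com"], "A": ["57.120.45.4"]},
    "mail.g15it.com": {"A": ["57.120.45.4"]},
    # Stand-in for Exchange Online Protection; the real record is much longer.
    "spf.protection.outlook.com": {"TXT": ["v=spf1 ip4:40.92.0.0/15 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that cost a DNS query and count toward RFC 7208's limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def dns(name, rtype):
    """Query the constructed table; an empty list stands for NXDOMAIN / no data."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def parse_spf(record):
    """Return [(qualifier, mechanism, argument), ...] for a v=spf1 record."""
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record: %r" % record)
    terms = []
    for tok in tokens[1:]:
        if "=" in tok:          # modifiers (redirect=, exp=) are not modelled here
            continue
        qual = "+"              # no prefix means "+" (pass)
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def count_lookups(record):
    """DNS-querying terms in the record plus those inside every include: it pulls in."""
    total = 0
    for _, mech, arg in parse_spf(record):
        if mech in LOOKUP_MECHANISMS:
            total += 1
        if mech == "include":
            for txt in dns(arg, "TXT"):
                if txt.lower().startswith("v=spf1"):
                    total += count_lookups(txt)
    return total


def host_has_ip(name, ip):
    return any(ipaddress.ip_address(a) == ip for a in dns(name, "A"))


def matches(ip, mech, arg, domain):
    """Does one mechanism match the sending IP for mail claiming to be from domain?"""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)   # False on version mismatch
    if mech == "a":
        return host_has_ip(arg or domain, ip)
    if mech == "mx":
        return any(host_has_ip(mx, ip) for mx in dns(arg or domain, "MX"))
    if mech == "include":
        return evaluate_domain(ip, arg) == "pass"   # include only matches on a pass
    return False  # ptr and exists are not modelled in this example


def evaluate(record, sender_ip, domain):
    """Walk the record left to right; the first matching term's qualifier is the result."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if matches(ip, mech, arg, domain):
            return QUALIFIERS[qual]
    return "neutral"  # no term matched and no 'all' present


def evaluate_domain(ip, domain):
    """Look up the domain's own SPF TXT record and evaluate it."""
    for txt in dns(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return evaluate(txt, str(ip), domain)
    return "none"


if __name__ == "__main__":
    example4 = "v=spf1 mx a ip4:57.120.45.4/32 a:mail.G15IT.com include:spf.protection.outlook.com -all"
    example6 = example4.replace("ip4:57.120.45.4/32", "ip4:57.120.45.4/32 ip4:57.120.45.5/32")
    for label, rec, ip in [("ex4", example4, "57.120.45.4"), ("ex4", example4, "57.120.45.5"),
                           ("ex6", example6, "57.120.45.5"), ("ex6", example6, "203.0.113.9")]:
        print(label, ip, "->", evaluate(rec, ip, "G15IT.com"))
    print("DNS lookups in example 4:", count_lookups(example4), "of", MAX_LOOKUPS, "allowed")
```

The lookup counter is deliberately conservative in the other direction: it counts terms, not the extra A queries a single mx target can trigger, so a record that scores close to 10 here deserves a look at the real published includes before you trust it.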