Created: 3-24-21
Updated: 3-24-21
A tasks I’m finding myself doing from time to time is ensuring that the SPF records are setup correctly and with the desired outcome. So this article is more or less for reference of this so I don’t forget how to deploy this in the future.
Below I’ll explain a few examples, and if you’d like a SPF calculator, here is one that works well: SPF Generator
1st we need to declare two sets of variables, SPF Mechanisms and SPF Qualifiers
SPF Mechanisms:
| Mechanism | Meaning |
| all | match any host |
| ip4 | matches a single ipv4 address or range |
| ip6 | matches a single ipv6 address or range |
| a | matches a host name or domain name |
| mx | matches against the MX record for the domain |
| ptr | used for reverse DNS that resolves to the IP address of the host names |
| exists | determines if the domain exists |
| include | matches the SPF record of other domains |
SPF Qualifiers:
| Qualifier | Meaning |
| + | Email should be accepted (Pass) |
| – | Email should not be accepted (Fail) |
| ~ | Email can be accepted, typically treated as questionable (Soft Fail) |
| ? | Does nothing (Switzerland) |
Note: Below in the examples are two IP addresses for Exchange servers, be sure you make sure you have your priority’s set in public DNS for the MX records of your Exchange servers, so that is preferred over the other. The lower number is the priority, example: Exch1.mydomain.com with a priority of 10 is the preferred MX record if Exch2.mydomain.com has a priority of 20.
SPF Example 1:
| Accepts emails from the MX Records for the domain | |
| “v=spf1 mx a ~all” | Accepts emails from the IP address the domain resolves to , which is normally a web server or exchange server |
| all others soft fail |
SPF Example 2: (typically use for an On-premise Exchange Server in Hybrid setup connect to O365 Exchange, 56.123.145.67 is the public IP of the mail.mydomain.com address)
| Accepts emails from the public IP address of 56.123.145.67 | |
| “v=spf1 ip4:56.123.145.67 include:spf.protection.outlook.com -all” | Includes the SPF records from Exchange Online Protection |
| All other fail |
SPF Example 3: (typically what you use for O365 Exchange setups were you email is complete in O365 and not in a hybrid setup)
| This is a perfect example of a SPF for those that are completely in O365 Exchange | |
| “v=spf1 include:spf.protection.outlook.com -all” | Includes the SPF records from Exchange Online Protection |
| All other fail |
SPF Example 4: (typically use when you have a solo on-premise Exchange Server that is your MX record working in hybrid mode with O365 Exchange that also is using a SAN UC certificate for a hostname of mail.G15IT.com to send emails – replace G15IT with your domain) – all emails should not be accepted, explicitly
| Accepts emails from the MX record, solo on-premise Exchange Server, of the public IP of 57.120.45.4/32 that can delivery or relay mail for the domain G15IT.com | |
| Using the hostname of mail.G15IT.com for 57.120.45.4 | |
| v=spf1 mx a ip4:57.120.45.4/32 a:mail.G15IT.com include:spf.protection.outlook.com -all | Includes the SPF records from Exchange Online Protection that can deliver or relay mail for the domain G15IT.com |
| All other fail |
SPF Example 5: (typically use when you have a solo on-premise Exchange Server that is your MX record working in hybrid mode with O365 Exchange that also is using a SAN UC certificate for a hostname of mail.G15IT.com to send emails – replace G15IT with your domain) – all emails can be delivered but as considered questionable until proven innocent
| Accepts emails from the MX record, solo on-premise Exchange Server, of 57.120.45.4/32 that can delivery or relay mail for the domain G15IT.com | |
| Using the hostname of mail.G15IT.com for 57.120.45.4 | |
| v=spf1 mx a ip4:57.120.45.4/32 a:mail.G15IT.com include:spf.protection.outlook.com ~all | Includes the SPF records from Exchange Online Protection that can deliver or relay mail for the domain G15IT.com |
| emails can be accepted but as considered questionable until proven innocent |
SPF Example 6: (typically use when you have a pair of DAG’d on-premise Exchange Server that are using your MX records working in hybrid mode with O365 Exchange that also is using a SAN UC certificate for a hostname of mail.G15IT.com to send emails – replace G15IT with your domain)
| Accepts emails from the MX records, of dual DAG’d on-premise Exchange Server, of 57.120.45.4/32 & 57.120.45.5/32 that can delivery or relay mail for the domain G15IT.com | |
| v=spf1 mx a ip4:57.120.45.4/32 ip4:57.120.45.5/32 a:mail.G15IT.com include:spf.protection.outlook.com -all | Using the hostname of mail.G15IT.com for the Exchange DAG’d hosts of 57.120.45.4 & 57.120.45.5 |
| Includes the SPF records from Exchange Online Protection that can deliver or relay mail for the domain G15IT.com | |
| All other fail |