Windows/Exchange: How to setup SPF records for spam protection

Created: 3-24-21

Updated: 3-24-21

A task I find myself doing from time to time is ensuring that SPF records are set up correctly and with the desired outcome. So this article is more or less a reference for this so I don't forget how to deploy it in the future.

Below I'll explain a few examples, and if you'd like an SPF calculator, here is one that works well: SPF Generator

First we need to define two sets of terms: SPF mechanisms and SPF qualifiers.

SPF Mechanisms:

Mechanism   Meaning
all         matches any host
ip4         matches a single IPv4 address or a CIDR range
ip6         matches a single IPv6 address or a CIDR range
a           matches the IP address(es) that a host name or domain name resolves to
mx          matches the hosts listed in the MX records for the domain
ptr         matches if a reverse DNS (PTR) lookup of the sending IP resolves to a host name in the domain
exists      matches if the given domain name resolves (exists in DNS)
include     evaluates the SPF record of another domain and matches if that record passes

SPF Qualifiers:

Qualifier   Meaning
+           Email should be accepted (Pass)
-           Email should not be accepted (Fail)
~           Email can be accepted, typically treated as questionable (Soft Fail)
?           Neither pass nor fail (Neutral), i.e. Switzerland

Note: Some of the examples below use two IP addresses for Exchange servers. Be sure you have your priorities set in public DNS for the MX records of your Exchange servers, so that one is preferred over the other. The lower number is the higher priority; for example, Exch1.mydomain.com with a priority of 10 is the preferred MX record over Exch2.mydomain.com with a priority of 20.

SPF Example 1:

v=spf1 mx a ~all

  mx     Accepts emails from the MX records for the domain
  a      Accepts emails from the IP address the domain resolves to, which is normally a web server or Exchange server
  ~all   All others soft fail

SPF Example 2: (typically used for an on-premises Exchange server in a hybrid setup connected to O365 Exchange; 56.123.145.67 is the public IP of the mail.mydomain.com address)

v=spf1 ip4:56.123.145.67 include:spf.protection.outlook.com -all

  ip4:56.123.145.67                    Accepts emails from the public IP address 56.123.145.67
  include:spf.protection.outlook.com   Includes the SPF record from Exchange Online Protection
  -all                                 All others fail

SPF Example 3: (typically what you use for O365 Exchange setups where your email is entirely in O365 and not in a hybrid setup)

This is a perfect example of an SPF record for those that are completely in O365 Exchange.

v=spf1 include:spf.protection.outlook.com -all

  include:spf.protection.outlook.com   Includes the SPF record from Exchange Online Protection
  -all                                 All others fail

SPF Example 4: (typically used when you have a single on-premises Exchange server that is your MX record, working in hybrid mode with O365 Exchange, and that also uses a SAN/UC certificate for the hostname mail.G15IT.com to send email; replace G15IT with your domain. All other senders are explicitly rejected.)

v=spf1 mx a ip4:57.120.45.4/32 a:mail.G15IT.com include:spf.protection.outlook.com -all

  mx                                   Accepts emails from the MX record, the single on-premises Exchange server
  a                                    Accepts emails from the IP address the domain G15IT.com resolves to
  ip4:57.120.45.4/32                   Accepts emails from the public IP 57.120.45.4/32, which can deliver or relay mail for the domain G15IT.com
  a:mail.G15IT.com                     Accepts emails from the hostname mail.G15IT.com, which resolves to 57.120.45.4
  include:spf.protection.outlook.com   Includes the SPF record from Exchange Online Protection, which can deliver or relay mail for the domain G15IT.com
  -all                                 All others fail

SPF Example 5: (typically used when you have a single on-premises Exchange server that is your MX record, working in hybrid mode with O365 Exchange, and that also uses a SAN/UC certificate for the hostname mail.G15IT.com to send email; replace G15IT with your domain. All other emails can be delivered but are considered questionable until proven innocent.)

v=spf1 mx a ip4:57.120.45.4/32 a:mail.G15IT.com include:spf.protection.outlook.com ~all

  mx                                   Accepts emails from the MX record, the single on-premises Exchange server
  a                                    Accepts emails from the IP address the domain G15IT.com resolves to
  ip4:57.120.45.4/32                   Accepts emails from the public IP 57.120.45.4/32, which can deliver or relay mail for the domain G15IT.com
  a:mail.G15IT.com                     Accepts emails from the hostname mail.G15IT.com, which resolves to 57.120.45.4
  include:spf.protection.outlook.com   Includes the SPF record from Exchange Online Protection, which can deliver or relay mail for the domain G15IT.com
  ~all                                 All other emails can be accepted but are considered questionable until proven innocent

SPF Example 6: (typically used when you have a pair of DAG'd on-premises Exchange servers that are your MX records, working in hybrid mode with O365 Exchange, and that also use a SAN/UC certificate for the hostname mail.G15IT.com to send email; replace G15IT with your domain)

v=spf1 mx a ip4:57.120.45.4/32 ip4:57.120.45.5/32 a:mail.G15IT.com include:spf.protection.outlook.com -all

  mx                                   Accepts emails from the MX records, the two DAG'd on-premises Exchange servers
  a                                    Accepts emails from the IP address the domain G15IT.com resolves to
  ip4:57.120.45.4/32                   Accepts emails from the first DAG host at 57.120.45.4/32, which can deliver or relay mail for the domain G15IT.com
  ip4:57.120.45.5/32                   Accepts emails from the second DAG host at 57.120.45.5/32, which can deliver or relay mail for the domain G15IT.com
  a:mail.G15IT.com                     Accepts emails from the hostname mail.G15IT.com used by the DAG'd hosts 57.120.45.4 and 57.120.45.5
  include:spf.protection.outlook.com   Includes the SPF record from Exchange Online Protection, which can deliver or relay mail for the domain G15IT.com
  -all                                 All others fail
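To see how a receiving server actually walks one of these records, here is an added Python example (not part of the original post or any Microsoft tooling) that evaluates a sender IP against the records from Examples 1 and 4: mechanisms are tried left to right, the first match decides, and its qualifier gives the result. All DNS answers are constructed inline from the page's example addresses; the spf.protection.outlook.com record is an assumed stand-in and not Microsoft's real one, and ptr, exists and redirect are not modelled.

```python
import ipaddress

# Constructed, offline stand-in for DNS, using the page's example addresses plus an
# ASSUMED stand-in record for spf.protection.outlook.com (not Microsoft's real record).
DNS = {
    "txt": {
        "g15it.com": "v=spf1 mx a ip4:57.120.45.4/32 a:mail.g15it.com "
                     "include:spf.protection.outlook.com -all",
        "mydomain.com": "v=spf1 mx a ~all",
        "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 -all",
    },
    "mx": {"g15it.com": ["mail.g15it.com"], "mydomain.com": ["exch1.mydomain.com"]},
    "a": {"g15it.com": ["57.120.45.4"], "mail.g15it.com": ["57.120.45.4"],
          "mydomain.com": ["56.123.145.67"], "exch1.mydomain.com": ["56.123.145.67"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def ip_in(ip, net):
    """True if ip lies inside net; a bare address counts as a /32 (or /128)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def evaluate(ip, domain, dns=DNS, depth=0):
    """Simplified SPF check_host: evaluate the record of `domain` against sender `ip`."""
    if depth > 10:  # RFC 7208 caps lookup-causing terms at 10; runaway includes are an error
        return "permerror"
    domain = domain.lower()
    record = dns["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:  # terms are tried left to right; first match wins
        qual = term[0] if term[0] in QUALIFIERS else "+"  # no qualifier means "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name in ("a", "mx"):
            target, _, prefix = (arg or domain).partition("/")  # optional CIDR suffix
            hosts = [target] if name == "a" else dns["mx"].get(target, [])
            matched = any(ip_in(ip, addr + ("/" + prefix if prefix else ""))
                          for host in hosts for addr in dns["a"].get(host, []))
        elif name == "include":
            matched = evaluate(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # ptr, exists and redirect are not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and the record has no "all" term
```

evaluate("57.120.45.4", "g15it.com") returns "pass" via the mx term, an unknown address returns "fail" from -all in Example 4 but "softfail" from ~all in Example 1, and a mail host matched only through the included record still passes.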