Configuring the SPF TXT record of a domain

Once you added a new Microsoft 365 (Office 365) tenant to CodeTwo Admin Panel, the next recommended step is to configure the Sender Policy Framework (SPF) TXT record of your domain.

If you use CodeTwo Email Signatures for Office 365 in server-side mode or combo-mode, your emails are routed through our cloud services located on Microsoft Azure servers. CodeTwo services need to be added to the list of authorized senders for your domain. This list is kept in the Sender Policy Framework (SPF) TXT record. By adding CodeTwo to your SPF record, you declare that you authorized the address of our service to process your mail traffic. This helps to avoid situations when your emails are treated as spam, junk, spoofing, or phishing by Exchange Online Protection (EOP).

Do I have to configure this record myself?

CodeTwo does not have access to your Microsoft 365 login credentials (learn more about data safety) or to your domain registrar. That is why we cannot update your SPF records for you.

If you are not familiar with SPF records and don't know how to change them yourself, ask the person who manages hosting in your organization for help or contact your hosting service provider. 

Use the links below to learn how to configure an SPF record:

Important

If you selected client-side mode when registering your tenant, configuring the Sender Policy Framework (SPF) TXT record is not required.

If you use your own domain

If you have your own domain (e.g. my-company.com), you need to add the CodeTwo Email Signatures for Office 365 domain to your domain's SPF record. This must be done at your domain registrar's DNS configuration; you cannot set this up directly in Microsoft 365.

Important

If you own several domains, you need to configure the CodeTwo SPF record for each domain separately. You only need to configure the SPF record for the domains used to send emails that will get signatures from CodeTwo Email Signatures for Office 365.

However, if possible, we recommend configuring the CodeTwo SPF record for all domains in your organization in case you decide to use any other domain with CodeTwo service in the future. Remember also to configure the SPF record for any new domain added to your Microsoft 365 tenant.

Microsoft 365 requires configuring SPF to prevent spoofing and phishing (learn more). Therefore, as the domain owner, you have probably already added an SPF TXT record for the Microsoft 365 domain at your domain registrar's DNS (if you haven't, follow this article or this general instruction to do so). As a result, your SPF TXT record looks as shown below or similar:

v=spf1 include:spf.protection.outlook.com -all

You need to expand your SPF record by including the following entry (applies only if you selected any geolocation except UAE North when registering your tenant in the CodeTwo Admin Panel):

include:spf.emailsignatures365.com

If you selected the UAE North geolocation, expand your SPF record by including the following entry instead:

include:spf-uae.emailsignatures365.com

This entry includes the SPF address of the CodeTwo Email Azure Service domain. For everything to work correctly, you need to add the exact same entry as specified above. As a result, your SPF record should appear as shown below or similar:

v=spf1 include:spf.protection.outlook.com include:spf.emailsignatures365.com -all

or, in the case of the UAE North geolocation:

v=spf1 include:spf.protection.outlook.com include:spf-uae.emailsignatures365.com -all

Be aware that this is just an example based on the default SPF record configuration for Microsoft 365. Your SPF record may look different. For example, more domains may be included.

Notes

In all cases, your SPF TXT record needs to end with the all phrase. Please pay special attention to the sign (qualifier) which is directly before this phrase. It needs to be a hyphen (so the last entry is -all, as shown in the examples above) if you want all messages that do not fulfill your SPF definitions to be rejected/bounced. Learn more about SPF qualifiers

If you use the onmicrosoft.com domain

If you use the onmicrosoft.com domain (given to you by Microsoft when you first signed up for Microsoft 365) in your organization, e.g. because you are testing a trial Microsoft 365 tenant, you are not able to configure the SPF record yourself. These domains are managed by Microsoft and cannot be changed at your request.

To update the SPF record to work with the CodeTwo software, you need to add your own domain to Microsoft 365 and configure this domain instead, as described earlier.

See next

Configuring Exchange Online connectors - learn how to automatically or manually configure Exchange Online connectors for the program: specify users in your Microsoft 365 organization whose emails will be processed by the CodeTwo Email Azure Service.

Was this information useful?