Configuring the SPF TXT record of a domain
If you use CodeTwo Email Signatures 365 in cloud (server-side) or combo mode, your emails are routed through our cloud services located on Microsoft Azure servers. CodeTwo services need to be added to the list of authorized senders for your domain. This list is kept in the Sender Policy Framework (SPF) TXT record. By adding CodeTwo to your SPF record, you declare that you authorized the address of our service to process your mail traffic. This helps to avoid situations when your emails are treated as spam, junk, spoofing, or phishing by Exchange Online Protection (EOP). The same services are also used to send automatic replies generated by Autoresponder.
Do I have to configure this record myself?
CodeTwo does not have access to your Microsoft 365 sign-in credentials (learn more about data safety) or to your domain registrar. That is why we cannot update your SPF record for you.
If you are not familiar with SPF and don't know how to change it yourself, ask the person who manages hosting in your organization for help or contact your hosting service provider.
Important: If you selected Outlook (client-side) mode when registering your tenant, the configuration of the SPF TXT record is not required.
Use the links below to learn how to configure an SPF record:
Configure an SPF record for your own domain
If you have your own domain (e.g. my-company.com), you need to add the CodeTwo Email Signatures 365 domain to your domain's SPF record. This must be done at your domain registrar's DNS configuration; you cannot set this up directly in Microsoft 365.
A single domain can have only one SPF record. If you have already configured the SPF record for your domain, do not create a separate one for CodeTwo Email Signatures 365 to avoid SPF authentication and mail flow issues. Instead, expand your existing record with an appropriate entry listed below.
If you own several domains, you need to update the SPF record for each domain separately. You only need to reconfigure the SPF record for the domains used to send emails that will get signatures from CodeTwo Email Signatures 365.
However, if possible, we recommend updating the SPF records for all domains in your organization in case you decide to use any other domain with the CodeTwo service in the future. Remember also to configure the SPF record for any new domain added to your Microsoft 365 tenant.
Microsoft 365 requires configuring SPF to prevent spoofing and phishing (learn more). Therefore, as the domain owner, you have probably already added an SPF TXT record for the Microsoft 365 domain at your domain registrar's DNS (if you haven't, follow this article or this general instruction to do so). As a result, your SPF TXT record looks as shown below or similar:
v=spf1 include:spf.protection.outlook.com -all
You need to expand your existing SPF record (do not create a new record) by including an entry that corresponds to the Azure region you selected when registering your tenant. You will find the correct entry by accessing your tenant's settings in CodeTwo Admin Panel (on the Tenants page, select your tenant and then go to SPF record, as shown in Fig. 1.) or below in the article.
Fig. 1. CodeTwo Admin Panel – finding the entry that needs to be added to the SPF record of your tenant.
Germany West Central
North Central US
This entry includes the SPF address of the CodeTwo cloud service domain. For everything to work correctly, you need to add the exact same entry as specified above.
If you selected the North Central US region, your SPF record should appear as shown below or similar:
v=spf1 include:spf.protection.outlook.com include:spf-us.emailsignatures365.com -all
And in the case of the UAE North region:
v=spf1 include:spf.protection.outlook.com include:spf-uae.emailsignatures365.com -all
Be aware that this is just an example based on the default SPF record configuration for Microsoft 365. Your SPF record may look different. For example, more domains may be included.
In all cases, your SPF TXT record needs to end with the all phrase. Please pay special attention to the sign (qualifier) which is directly before this phrase. It needs to be a hyphen (so the last entry is -all, as shown in the examples above) if you want all messages that do not fulfill your SPF definitions to be rejected/bounced. Learn more about SPF qualifiers
How to access and edit the SPF record with your domain registrar
To learn how to access and edit the SPF (TXT) record with your domain registrar, click the appropriate link below:
If your registrar is not listed above, refer to their support pages or contact them directly to get the relevant guidelines.
SPF configuration for the onmicrosoft.com domain
If you use the onmicrosoft.com domain (given to you by Microsoft when you first signed up for Microsoft 365) in your organization, e.g. because you are testing a trial Microsoft 365 tenant, you are not able to configure the SPF record yourself. These domains are managed by Microsoft and cannot be changed at your request.
To update the SPF record to work with the CodeTwo software, you need to add your own domain to Microsoft 365 and configure this domain instead, as described earlier.
Configuring Exchange Online connectors - learn how to automatically or manually configure Exchange Online connectors for the program: specify users in your Microsoft 365 organization whose emails will be processed by the CodeTwo service.