Configuring SPF records

Once you added a new Office 365 tenant to CodeTwo Admin Panel, the next recommended step is to configure your Sender Policy Framework (SPF) records.

If you use CodeTwo Email Signatures for Office 365, your emails are routed through our cloud services located on Microsoft Azure servers. CodeTwo services need to be added to the list of authorized senders for your domain. This list is kept in the Sender Policy Framework (SPF) records. By adding CodeTwo to your SPF records you declare that you authorized the address of our service to process your mail traffic. This helps to avoid situations when your emails are treated as spam, junk or phishing by Exchange Online Protection (EOP).

Use the links below to learn how to configure SPF records:

Why do I have to configure these records myself?

CodeTwo does not have access to your Office 365 login credentials (learn more about data safety) or to your domain registrar. That is why you need to edit the SPF records yourself.

If you use your own domain

If you have your own (vanity) domain (e.g., and this is most likely the case, you must add an SPF record for the CodeTwo Email Signatures for Office 365 domain in the DNS. This must be done at your domain registrar's DNS configuration, it is not possible from within the Office 365 configuration (see Office 365 support on that).


If you own several domains, you need to configure the CodeTwo SPF record for each domain separately.

As a domain owner, you probably already added an SPF record for the Office 365 domain at your domain registrar's DNS by following this article, this general instruction or one of the customized instructions here. So, your SPF records that include the Office 365 domain look most likely as below:

v=spf1 -all

You need to expand your records to include the SPF address of the CodeTwo Azure Service domain:

After you edit your records by adding an appropriate entry from above, these records should appear as shown below or similar (note that this example includes the SPF address of the version for global Office 365). Remember to place our SPF entry before -all.

v=spf1 -all


Be aware that this is just an example based on the default SPF records configuration after applying changes suggested by Microsoft. Your SPF records may look different, for example more domains may already be included.

Please pay special attention to the sign (qualifier) which is directly before the all phrase. It must be a hyphen (so the last entry is -all, as shown in the examples above) if you want all messages that do not fulfill your SPF definitions to be rejected/bounced.
Learn more about SPF qualifiers

If you use the domain

When you use the domain (given to you by Microsoft when you first signed up for Office 365) in your Office 365 organization, you are not able to configure the SPF records yourself, because these domains are managed by Microsoft.

To finish the configuration of  SPF records, you can:

  • contact Microsoft and ask them to update your SPF records (see the instructions above);
  • use your own domain instead - this is the recommended approach.

See next

Configuring Exchange Online connectors - learn how to automatically or manually configure Exchange Online connectors for the program: specify users in your Office 365 whose emails will be processed by the CodeTwo Email Azure Service.

Was this information useful?