Add the correct SPF record to authorize Microsoft 365 (Exchange Online) to send email on behalf of your domain.
TXT
@
v=spf1 include:spf.protection.outlook.com ~all
This is the standard include for all Microsoft 365 / Exchange Online tenants.
Log in to the DNS management portal for your domain (e.g., GoDaddy, Cloudflare, Namecheap, or Microsoft if they manage your DNS).
Look for a TXT record starting with v=spf1. You must have only one SPF record per domain.
dig TXT yourdomain.com +short | grep spfAdd a new TXT record (or modify the existing one) with host @ and the value below.
v=spf1 include:spf.protection.outlook.com ~allDNS changes can take up to 48 hours to propagate, though most providers update within minutes.
Go to the Microsoft 365 Admin Center > Settings > Domains > select your domain > DNS records. Microsoft will check your SPF record and show a green checkmark when valid.
v=spf1 ~allv=spf1 include:spf.protection.outlook.com ~allAfter adding your DNS records, use our free SPF checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.
You need a TXT record at @ with the value v=spf1 include:spf.protection.outlook.com ~all. This authorizes Exchange Online servers to send email for your domain.
If you run a hybrid Exchange deployment, you need both the Microsoft 365 include and your on-premises server IPs: v=spf1 include:spf.protection.outlook.com ip4:YOUR.SERVER.IP ~all.
Use include:spf.protection.outlook.com for SPF records. The hostname protection.outlook.com (without the spf. prefix) is used for MX records, not SPF.