SFP Record for Office 365 anf Hybrid Systems

First of all, we need to ask a question to ourselves. Do we really need it? I would suggest this record to protect your company. However, It is not end of the world if it is not added.

Secondly, please check the definition of SFP record “Helps to prevent other people from using your domain to send spam or other malicious email.”

So, If you want to protect your company, you need to add it.

How it works?


As you can see from the picture that a sender is sending the email to you. Your email server is getting the email and checking the SFP. The Sender ID Framework looks up the SPF record of the domain that Sender is using for sending the mail. The receiving Mail Transfer Agent (MTA) determines if the outbound Mail Server IP address matches IP addresses that are authorized to send mail for the user.

Some possible scenarios for you;

A customer has email system (Exchange, Lotus Notus…) and they don’t have any SFP records. Also, they are trying to migrate the email system to Office 365.

If they create the SFP record before the cut over – migration. Existing system will have trouble.

So, it is better to add the SFP record after the migration.

If you want to add now, then you need to add all your public IP address that your email system is using as SFP record and add Office 365 SFP record as well.

If they have SFP record/records and wants to use Office 365, then don’t delete existing record but just add Office 365 record to your Public DNS.

What is Office 365 SFP record

v=spf1 include:Spf.protection.outlook.com –all


How to add your public IP address?

For example, If you send an email to me and my email server take it. My email system checks its content and firstly, it looks where this email is coming from (mail.sonatyaylali.com) and public IP of this address is 212. 23.34.45.

If this IP address is added to your SFP records, then my email server will say that it is safe and let it go to inside. If it is not added to your SFP, it will be failed. If you don’t have a SFP record then it is pass.

“v=spf1 ip4: 212. 23.34.45-all”

So, still example is continuing and we are assuming that you have this SFP record. What is that?

SPF has been marked with this IP address and if the email sent from this IP address will be accepted, “-all” means it will be failed from all other addresses.


What if you have Hybrid deployment?

So, we use this and protect us v=spf1 include:Spf.protection.outlook.com –all

Hybrid means that you have Exchange server on-promises and there are mailboxes and emails on the server. The IP address of the Exchange server is and you use EOP (Exchange Online Protection) then you need this,

v=spf1 ip4: include:spf.protection.outlook.com -all


Stay tuned!

Sonat Yaylali


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: