Updating the SPF record for your domain

Your organization should already have an SPF record for your domains registered with Microsoft Office 365. You need to update this record in the DNS zone for the relevant domain.

You can replace your existing SPF record or add to it, depending on your requirements.

It is normal to replace the record. However, if your outbound email is being routed through Sophos Email and Office 365 simultaneously for a period, you can add an include statement for Sophos Email to your existing SPF record.

You can use the all parameter in different ways. You must understand how to do this and the implications of your choice.

  • Hard fail:

    You can use a dash (-) before the all parameter for a hard fail. If your mail isn't sent from Sophos Email, and your recipients' mail servers carry out SPF checks, they will reject your mail.

  • Soft fail:

    You can use a tilde (~) before the all parameter instead, for a soft fail. The command won't fail if an IP address doesn't exist; it continues and processes the rest of the IP addresses. If your recipients' mail servers carry out SPF checks, they won't reject your mail.

For more information on soft and hard fails, see How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.

Replacing your SPF record

If your outbound email is only routed through Sophos Email, you can use the Sophos Email SPF record.

  • Remove v=spf1 include:spf.protection.outlook.com -all.
  • If you are certain that you do not have any third parties sending mail on your behalf, and all your outbound mail is routed through Sophos Email, you can set your record to:

    v=spf1 include:_spf.prod.hydra.sophos.com -all

  • If you aren't routing all your email through us, or you are unsure, use a soft fail:

    v=spf1 include:_spf.prod.hydra.sophos.com ~all

Adding to your SPF record

If your outbound email is being routed through Sophos Email and Office 365 simultaneously for a period, you can leave the original SPF record, and add an include statement for Sophos Email.

To use an include statement to add the Sophos Email record to your existing record, do as follows:

Existing SPF: v=spf1 include:spf.protection.outlook.com -all

Example with include: v=spf1 include:spf.protection.outlook.com include:_spf.prod.hydra.sophos.com -all

We recommend you replace your include statement with the Sophos Email SPF record once all your outbound email is routed through us.
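To confirm which of the two options above a domain is actually publishing, the following added example (not Sophos code) lints a domain's TXT strings for a single SPF record, the Sophos Email include, and the all qualifier. The helper name check_spf and the sample inputs are assumptions constructed from the record values on this page.

```python
# Added example, not Sophos code. check_spf is a hypothetical helper name.
SOPHOS = "include:_spf.prod.hydra.sophos.com"  # value from this page
O365 = "include:spf.protection.outlook.com"    # value from this page
QUALIFIERS = {"-": "hard fail", "~": "soft fail", "?": "neutral", "+": "pass"}

def check_spf(txt_records):
    """Return (state, all_policy, problems) for one domain's TXT strings."""
    problems = []
    # Keep only SPF records; other TXT records (verification tokens) are ignored.
    spf = [r for r in txt_records if (r.lower().split() or [""])[0] == "v=spf1"]
    if len(spf) != 1:
        # RFC 7208: a domain must publish one SPF record; several give permerror.
        problems.append(f"expected exactly 1 SPF record, found {len(spf)}")
        return "invalid", None, problems
    terms = spf[0].split()[1:]
    lowered = [t.lower() for t in terms]
    # Pasting from a word processor can turn "-all" into an en or em dash.
    for t in terms:
        if t[0] in "\u2013\u2014":
            problems.append(f"non-ASCII dash in {t!r}; use a hyphen")
    # The first "all" term is the one a receiver reaches when nothing else matches.
    all_terms = [t for t in lowered if t.lstrip("+-~?") == "all"]
    policy = None
    if all_terms:
        policy = QUALIFIERS.get(all_terms[0][0], "pass")  # bare "all" is "+all"
    else:
        problems.append("no valid 'all' term found")
    has_sophos, has_o365 = SOPHOS in lowered, O365 in lowered
    if not has_sophos:
        problems.append("Sophos Email include is missing")
    if has_sophos and has_o365:
        state = "transition"   # both routes authorised, as in "Adding"
    elif has_sophos:
        state = "replaced"     # Sophos Email only, as in "Replacing"
    else:
        state = "not updated"
    return state, policy, problems

# Constructed sample inputs, built from the record values shown on this page.
SAMPLES = {
    "replaced": ["v=spf1 include:_spf.prod.hydra.sophos.com -all"],
    "transition": ["MS=ms00000000", f"v=spf1 {O365} {SOPHOS} -all"],
    "two records": [f"v=spf1 {O365} -all", f"v=spf1 {SOPHOS} ~all"],
    "en dash": [f"v=spf1 {SOPHOS} \u2013all"],
}
if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, "->", check_spf(records))
```

The "two records" case is the common mistake when adding rather than replacing: the Sophos Email include belongs inside the existing record, not in a second TXT record.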