Adding to SPF Record for vendor

    Question

  • We have a vendor that is sending emails from a website using an email address on our domain.  Anyone who is using SPF to filter spam is rejecting these emails.  Now this vendor wants us to add the following to our SPF record:

    include: spf.protection.outlook.com

    My fear in adding this is that anyone using Office 365 for email will now be able to spoof an email address in our domain and send email and those same clients using SPF will now accept that email thinking it is actually from us.  This is not what we want.  Is there any other way to do this?  Thank you for any insight you can give me.

    Tuesday, February 21, 2017 10:26 PM

All replies

  • I think you'll find that all 365 tenants have the same SPF record, so I don't think there is much cause for concern. Note that 365 tenants can't spoof other tenants. If they do, they will be in violation of the terms. I would also recommend you set up DMARC and DKIM for your domain.

    Tuesday, February 21, 2017 11:23 PM
  • The reason they want us to add this is so that they can spoof one of our addresses from a website they have for us.  If they want this domain added to our SPF record, I assume they are using Office 365 so if what you say is correct, how are they spoofing our email address sending out?
    Wednesday, February 22, 2017 5:28 PM
  • I would ask them that. :)

    Wednesday, February 22, 2017 7:20 PM
  • It could be an open relay for this IP or domain.

    Regards,

    Jason Chao



    Friday, February 24, 2017 9:45 AM
    Moderator
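
An added example, not from the thread or from Microsoft: a simplified SPF evaluator (ip4, include and all mechanisms only) run over constructed records, showing that an include authorises every address in the included record, which is the concern raised in the question. The domain names and address ranges are placeholders; in a real record the mechanism is written `include:spf.protection.outlook.com`, with no space after the colon.

```python
import ipaddress

# Constructed TXT records. Names and ranges are placeholders (RFC 5737
# documentation networks), not the records any real provider publishes.
SHARED = {"spf.shared-host.example": "v=spf1 ip4:198.51.100.0/24 -all"}
BEFORE = {**SHARED, "example.com": "v=spf1 ip4:192.0.2.0/28 -all"}
AFTER = {**SHARED, "example.com":
         "v=spf1 ip4:192.0.2.0/28 include:spf.shared-host.example -all"}

OWN_MTA = "192.0.2.5"               # our own mail server
VENDOR_IP = "198.51.100.10"         # vendor's sender on the shared platform
OTHER_CUSTOMER_IP = "198.51.100.200"  # a different customer, same platform
UNRELATED_IP = "203.0.113.7"        # host outside every listed range

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns, depth=0):
    """Simplified RFC 7208 check_host: ip4, include and all only."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # crude include-loop guard
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the nested evaluation returns pass;
            # the nested record's -all does not end the outer evaluation.
            inner = check_host(ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanisms outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

SPF compares only the connecting IP with the envelope sender's domain, so after the include it returns the same result for the vendor and for any other sender in the included range. Any separation between customers has to come from the provider's own controls or from DKIM and DMARC, as the first reply recommends.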