Set up SPF to help prevent spoofing

Summary: This article describes how to update a Domain Name Service (DNS) record so that you can use Sender Policy Framework (SPF) with your custom domain in Office 365. Using SPF helps to validate outbound email sent from your custom domain.

In order to use a custom domain, Office 365 requires that you add a Sender Policy Framework (SPF) TXT record to your DNS record to help prevent spoofing. SPF identifies which mail servers are allowed to send mail on your behalf. Basically, SPF, along with DKIM, DMARC, and other technologies supported by Office 365, helps prevent spoofing and phishing. SPF is added as a TXT record that is used by DNS to identify which mail servers can send mail on behalf of your custom domain. Recipient mail systems refer to the SPF TXT record to determine whether a message from your custom domain comes from an authorized messaging server.

For example, let's say that your custom domain contoso.com uses Office 365. You add an SPF TXT record that lists the Office 365 messaging servers as legitimate mail servers for your domain. When the receiving messaging server gets a message from joe@contoso.com, the server looks up the SPF TXT record for contoso.com and finds out whether the message is valid. If the receiving server finds out that the message comes from a server other than the Office 365 messaging servers listed in the SPF record, the receiving mail server can choose to reject the message as spam.

Also, if your custom domain does not have an SPF TXT record, some receiving servers may reject the message outright. This is because the receiving server cannot validate that the message comes from an authorized messaging server.

If you've already set up mail for Office 365, then you have already included Microsoft's messaging servers in DNS as an SPF TXT record. However, there are some cases where you may need to update your SPF TXT record in DNS. For example:

  • Previously, you had to add a different SPF TXT record to your custom domain if you were using SharePoint Online. This is no longer required. This change should reduce the risk of SharePoint Online notification messages ending up in the Junk Email folder. Update your SPF TXT record if you are hitting the 10 lookup limit and receiving errors that say things like, "exceeded the lookup limit" and "too many hops".

  • If you have a hybrid environment with Office 365 and Exchange on-premises.

  • You intend to set up DKIM and DMARC (recommended).

Updating your SPF TXT record for Office 365

Before you update the TXT record in DNS, you need to gather some information and determine the format of the record. This will help prevent you from generating DNS errors. For advanced examples and a more detailed discussion about supported SPF syntax, see How SPF works to prevent spoofing and phishing in Office 365.

Gather this information:

  • The current SPF TXT record for your custom domain. For instructions, see Gather the information you need to create Office 365 DNS records.

  • External IP addresses of all on-premises messaging servers. For example, 131.107.2.200.

  • Domain names to use for all third-party domains that you need to include in your SPF TXT record. Some bulk mail providers have set up subdomains to use for their customers. For example, the company MailChimp has set up servers.mcsv.net.

  • Determine what enforcement rule you want to use for your SPF TXT record. We recommend -all. For detailed information about other syntax options, see SPF TXT record syntax for Office 365.

To add or update your SPF TXT record

  1. Ensure that you're familiar with the SPF syntax in the following table.

    | Row | If you're using... | Common for customers? | Add this... |
    |---|---|---|---|
    | 1 | Any email system (required) | Common. All SPF TXT records start with this value | v=spf1 |
    | 2 | Exchange Online | Common | include:spf.protection.outlook.com |
    | 3 | Exchange Online dedicated only | Not common | ip4:23.103.224.0/19 ip4:206.191.224.0/19 ip4:40.103.0.0/16 include:spf.protection.outlook.com |
    | 4 | Office 365 Germany, Microsoft Cloud Germany only | Not common | include:spf.protection.outlook.de |
    | 5 | Third-party email system | Not common | include:<domain name> Where domain name is the domain name of the third party email system. |
    | 6 | On-premises mail system. For example, Exchange Online Protection plus another mail system | Not common | Use one of these for each additional mail system: ip4:<IP address>, ip6:<IP address>, include:<domain name>. Where the value for <IP address> is the IP address of the other mail system and <domain name> is the domain name of the other mail system that sends mail on behalf of your domain. |
    | 7 | Any email system (required) | Common. All SPF TXT records end with this value | <enforcement rule> This can be one of several values. We recommend that you use -all. |

  2. If you haven't already done so, form your SPF TXT record by using the syntax from the table:

    For example, if you are fully-hosted in Office 365, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 2, and 7 and would look like this:

    v=spf1 include:spf.protection.outlook.com -all

    This is the most common SPF TXT record. This record works for just about everyone, regardless of whether your Microsoft datacenter is located in the United States, or in Europe (including Germany), or in another location.

    However, if you have purchased Office 365 Germany, part of Microsoft Cloud Germany, you should use the include statement from row 4 instead of row 2. For example, if you are fully-hosted in Office 365 Germany, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 4, and 7 and would look like this:

    v=spf1 include:spf.protection.outlook.de -all

    If you're already deployed in Office 365 and have set up your SPF TXT records for your custom domain, and you're migrating to Office 365 Germany, you need to update your SPF TXT record. To do this, change include:spf.protection.outlook.com to include:spf.protection.outlook.de.

  3. Once you have formed your SPF TXT record, you need to update the record in DNS. You can only have one SPF TXT record for a domain. If an SPF TXT record exists, instead of adding a new record, you need to update the existing record. Go to Create DNS records for Office 365, and then click the link for your DNS host.

  4. Test your SPF TXT record.
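
The rules from the steps above (one SPF TXT record per domain, a record that ends with an enforcement rule, and the 10 lookup limit) can be checked offline before you change DNS. This is an added example, not code from the original article or from Microsoft; the TXT record sets, bulk.example and the n0.example to n9.example names are constructed, and split_term, count_lookups and lint_spf are hypothetical helper names.

```python
import re

# Terms that each cost one DNS lookup toward SPF's limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"[-+~?]?([A-Za-z][A-Za-z0-9_.-]*)[:=]?(.*)")

def split_term(term):
    """Return (name, value) for one SPF term, e.g. ('include', 'example.net')."""
    m = TERM.match(term)
    return (m.group(1).lower(), m.group(2).lower()) if m else ("", "")

def count_lookups(record, nested, seen=()):
    """Count lookup terms, following include/redirect targets given in `nested`."""
    total = 0
    for term in record.split()[1:]:
        name, value = split_term(term)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and value in nested and value not in seen:
            total += count_lookups(nested[value], nested, seen + (value,))
    return total

def lint_spf(txt_records, nested=None):
    """Check one domain's TXT record set; return a list of problems (empty = OK)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["expected exactly one SPF TXT record, found %d" % len(spf)]
    problems, terms = [], spf[0].split()[1:]
    if not terms or split_term(terms[-1])[0] != "all":
        problems.append("record does not end with an enforcement rule")
    elif terms[-1] != "-all":
        problems.append("enforcement rule is %s; -all is recommended" % terms[-1])
    lookups = count_lookups(spf[0], nested or {})
    if lookups > 10:
        problems.append("%d DNS lookups; the limit is 10" % lookups)
    return problems

# Constructed sample TXT record sets for the example domain contoso.com.
GOOD = ["site-verification=constructed-token",
        "v=spf1 ip4:131.107.2.200 include:spf.protection.outlook.com -all"]
DUPLICATE = GOOD + ["v=spf1 include:servers.mcsv.net -all"]
# Hypothetical provider record that itself spends ten lookups (constructed).
NESTED = {"bulk.example": "v=spf1 " + " ".join(
    "include:n%d.example" % i for i in range(10)) + " -all"}
HEAVY = ["v=spf1 include:spf.protection.outlook.com include:bulk.example -all"]

if __name__ == "__main__":
    print(lint_spf(GOOD), lint_spf(DUPLICATE), lint_spf(HEAVY, NESTED))
```

The lookup count only follows include and redirect targets that you supply in `nested`; for a live domain, fill that mapping with the SPF records you retrieve for each included domain.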

More information about SPF

For advanced examples, a more detailed discussion about supported SPF syntax, spoofing, troubleshooting, and how Office 365 supports SPF, see How SPF works to prevent spoofing and phishing in Office 365.

Next steps: After you set up SPF for Office 365

Having trouble with your SPF TXT record? Read Troubleshooting: Best practices for SPF in Office 365.

SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. In order to protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Office 365. To get started, see Use DKIM to validate outbound email sent from your custom domain in Office 365. Next, see Use DMARC to validate email in Office 365.