Microsoft 365 SPF Not Working – Fix include:spf.protection.outlook.com (2026)

Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.

One-Minute Fix

Add include:spf.protection.outlook.com to your existing SPF record and do not publish a second SPF TXT record. Keep one v=spf1 policy, merge all approved senders into that single record, and remove duplicates.

example.com TXT "v=spf1 include:spf.protection.outlook.com -all"

This authorizes Microsoft 365 to send for example.com. If you also use other platforms, add their mechanisms to this same SPF record instead of creating separate SPF entries.

Free live DNS check. No signup required.

Wrong vs correct setup

example.com TXT "v=spf1 include:_spf.google.com -all"
example.com TXT "v=spf1 include:spf.protection.outlook.com -all"

example.com TXT "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"

Why this happens

Microsoft 365 setup requires adding include:spf.protection.outlook.com to the active SPF record for the sending domain. SPF supports one policy only, so creating separate records causes failures. Problems also appear when changes are made on the wrong domain, syntax is broken, or propagation is incomplete. This is especially common when multiple SPF records are published or when DNS lookup limits are exceeded.

Why this is a problem

When Microsoft 365 traffic fails SPF, mailbox providers may reduce trust in your sender identity and apply stricter filtering. Business email, alerts, and customer communications can drift into spam or fail DMARC alignment expectations. For many senders the concrete symptom is a syntax error or a record that is too long for DNS to handle cleanly.

How this affects deliverability

SPF is a foundational sender authorization signal for Microsoft 365 traffic. If Microsoft’s include is missing or SPF is invalid, legitimate mail can lose inbox placement and trigger DMARC issues where SPF was expected to provide aligned authentication. You can see this clearly in neutral SPF results or when softfail vs fail decisions tip borderline mail into spam.

Common causes

• include:spf.protection.outlook.com was not added to the active SPF record.
• Duplicate SPF TXT records were published during provider changes.
• SPF updates were made on the wrong domain or hostname.
• Syntax mistakes in the merged SPF policy caused parsing problems.
• DNS propagation delay left external resolvers on older SPF data.

What we checked

We checked for a single v=spf1 TXT record on the sending domain and verified whether include:spf.protection.outlook.com is present in that active policy. Missing include or duplicate SPF records usually explain Microsoft 365 SPF failures.

Live DNS lookup. No login. No saved domains. No tracking.

FAQ

Next steps

• Send a real Microsoft 365 message and check headers to confirm the exact domain being evaluated for SPF.
• Update that domain’s SPF record to include include:spf.protection.outlook.com.
• Merge all providers into one SPF record and remove duplicates.
• Validate SPF syntax and wait for DNS propagation.
• Re-test SPF and DMARC alignment on the same sending path.
• Review the full troubleshooting guidance in the SPF Hub.
• Check signing and selector issues in the DKIM Hub.
• Review alignment and policy issues in the DMARC Hub.

Related fixes

• Google Workspace SPF not working
• Multiple SPF records found
• SPF record syntax explained
• SPF record examples
• How to build an SPF record

Explore more issues

• SPF record examples
• SPF record syntax explained
• How to build an SPF record
• SendGrid SPF not working
• Google Workspace SPF not working
• Amazon SES SPF not working