Sender Policy Framework (SPF) records allow domain owners to specify which hosts are permitted to send email on behalf of their domains. Normal SMTP allows any computer to send an email claiming to be from anyone. Thus, it's easy for spammers to send emails with forged From: addresses. SPF allows a domain owner to use a special format of DNS TXT records to specify which machines/hosts are authorized to transmit email for their domain, making it difficult to forge From: addresses.
A domain's SPF records are used by other servers in 2 ways.
The Office 365 team has published a basic set of unrestricted SPF records. You can look them up by querying the TXT record for the domain. For example:
> dig +short TXT wisc.edu
"v=spf1 redirect=_spf.wiscmail.wisc.edu"
This SPF record tells other servers to reference the SPF records in the "_spf.wiscmail.wisc.edu" domain. They look like this:
> dig +short TXT _spf.wiscmail.wisc.edu
"v=spf1 ip4:188.8.131.52/25 ?all"
This record tells other servers that any server in the IP range of 184.108.40.206/25 is allowed to send for the domain. The "?all" mechanism at the end (the "all" mechanism with the "?" Neutral qualifier) means that all other servers should be allowed to send mail on behalf of the domain as if there were no SPF records published at all.
As you can see, the SPF records for the wisc.edu domain are not restrictive. If mail with a From: address of @wisc.edu is sent through UW-Madison's central mail servers, whether via Office 365, smtp.wiscmail.wisc.edu or relay.mail.wisc.edu, an SPF check should return a PASS response. However, if you are running a server that sends mail using From: addresses in the @wisc.edu domain, but the server is not explicitly listed in the SPF record, an SPF check will return a neutral result. It is unusual for a receiving system to reject mail solely based on a neutral SPF return value.
If your domain is hosted by Office 365, we encourage you to publish SPF records that reference the _spf.wiscmail.wisc.edu SPF record. You can either:
"v=spf1 ip4:220.127.116.11 include:_spf.wiscmail.wisc.edu ?all"
"v=spf1 a:sun.doit.wisc.edu ip4:18.104.22.168/24 include:_spf.wiscmail.wisc.edu ?all"
"v=spf1 ip4:22.214.171.124 include:_spf.wiscmail.wisc.edu -all"
Be aware that specifying -all (Fail) instead of ~all (SoftFail) or ?all (Neutral) may result in delivery problems.
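To see how a receiving server would treat these records, here is an added example (not part of the original page or any UW-Madison tooling) that evaluates a simplified subset of SPF: ip4, include, all and redirect=. DNS is replaced by a constructed lookup table holding the record text as printed in the dig output above; dept.example.edu is a hypothetical hosted domain using the -all form, and the sender IPs are constructed.

```python
import ipaddress

# Constructed stand-in for DNS: TXT records as shown on this page, plus a
# hypothetical hosted domain (dept.example.edu) using the strict -all form.
TXT = {
    "wisc.edu": "v=spf1 redirect=_spf.wiscmail.wisc.edu",
    "_spf.wiscmail.wisc.edu": "v=spf1 ip4:188.8.131.52/25 ?all",
    "dept.example.edu": "v=spf1 ip4:22.214.171.124 include:_spf.wiscmail.wisc.edu -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate ip4, include, all and redirect= for sender_ip (simplified subset)."""
    if depth > 10:                      # guard against include/redirect loops
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        # A leading +, -, ~ or ? is the qualifier; "+" is implied if absent.
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            # strict=False accepts a network written with host bits set
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include matches only when the referenced record returns pass;
            # its own ?all / -all never leaks into the including record.
            matched = check_spf(mech[8:], sender_ip, depth + 1) == "pass"
        else:
            return "permerror"          # a:, mx, etc. need live DNS; not modelled
        if matched:
            return RESULT[qualifier]
    # redirect= is consulted only if no mechanism matched
    if redirect:
        return check_spf(redirect, sender_ip, depth + 1)
    return "neutral"
```

An unlisted sender gets neutral under the wisc.edu record but fail under the -all record, because the ?all inside the included record only ends the include evaluation without a match and the outer record falls through to its own -all.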
For more information about SPF record syntax: http://www.openspf.org/SPF_Record_Syntax
If you are an Office 365 domain administrator and you would like assistance reviewing the SPF record for your domain, please contact firstname.lastname@example.org.