Office 365 Office 365

  



Upcoming changes related to connectivity to Office 365 services Retirement of TLS 1.0 and 1.1. After October 15, 2020, you must be using at least TLS 1.2 to connect to Office 365 services. For more information, see TLS 1.0 and 1.1 deprecation for Office 365 and Preparing for TLS 1.2 in Office 365 and Office 365 GCC. Mar 30, 2020 When Microsoft first introduced 'Microsoft 365' a few years ago, the term meant something very specific. Microsoft 365 (M365) was a subscription bundle of Windows 10 Enterprise, Office 365. Microsoft Office 365 for Education provides staff, faculty, and students with email, online document editing and storage, access to the Office Web Apps, and Office 365 ProPlus which includes Microsoft Office for Windows and Mac at no additional cost. Microsoft 365 is more than a new name. It’s the familiar Office experience you know and trust plus more apps, features, and capabilities. Tip: Office 365 is now Microsoft 365. New name, more benefits. New name, more benefits. Microsoft 365 is a subscription service that makes sure you always have the most up-to-date modern productivity tools from Microsoft.

-->

As of October 13, 2020, only these versions of Office are supported for connecting to Office 365 (and Microsoft 365) services:

  • Microsoft 365 Apps for enterprise (previously named Office 365 ProPlus)
  • Microsoft 365 Apps for business (previously named Office 365 Business)
  • Office 2019, such as Office Professional Plus 2019
  • Office 2016, such as Office Standard 2016

Examples of Office 365 services include Exchange Online, SharePoint Online, and OneDrive for Business.

For Microsoft 365 Apps, you must be using a supported version. For a list of which versions are currently supported, see Update history for Microsoft 365 Apps.

Important

We won’t take any active measures to block other versions of the Office client, such as Office 2013, from connecting to Office 365 services, but these older clients may encounter performance or reliability issues over time.

Impact of using older Office clients to connect to Office 365 services

After October 13, 2020, ongoing investments to our cloud services will not take into account older Office clients. Over time, these Office clients may encounter performance or reliability issues. Organizations that use these older clients will almost certainly face an increased security risk and may find themselves out of compliance depending upon specific regional or industry requirements.

Therefore, administrators should update older Office clients to versions of Office supported for connecting to Office 365 services.

Upgrade resources available to administrators

We recommend that you upgrade older Office clients to a subscription version of the Office client, such as Microsoft 365 Apps for enterprise. The most up-to-date subscription versions of the Office client are always supported connecting to Office 365 services.

We provide various services to help you upgrade to subscription versions of the Office client. The following list provides some examples of resources that are available:

  • Microsoft FastTrack, for migration and deployment assistance from Microsoft experts.
  • App Assure, for assistance from Microsoft with application compatibility issues.
  • Deployment guide for Microsoft 365 Apps, for technical documentation.
  • Product lifecycle dashboard and upgrade readiness dashboard, for users of Microsoft Endpoint Configuration Manager (current branch).
  • Readiness Toolkit for Office add-ins and VBA, to help identify potential issues with add-ins and VBA macros used in your organization.

Upcoming changes related to connectivity to Office 365 services

Retirement of TLS 1.0 and 1.1

After October 15, 2020, you must be using at least TLS 1.2 to connect to Office 365 services. For more information, see TLS 1.0 and 1.1 deprecation for Office 365 and Preparing for TLS 1.2 in Office 365 and Office 365 GCC.

Basic authentication with Exchange Online

There are some changes planned related to the use of Basic Authentication with Exchange Online. For more information, see Basic Authentication and Exchange Online – February 2021 Update.

Office 365 get office 365

Retirement of Skype for Business Online

Skype for Business Online will be retired on July 31, 2021. For more information, see Skype for Business Online retirement.

Minimum version requirements for Outlook for Windows

Note

The information in this section was communicated in the following Message center post in the Microsoft 365 admin center.

  • Message ID: MC229143
  • Message title: Update to Microsoft 365 and Outlook for Windows connectivity
  • Publish date: December 9, 2020.

Starting on November 1, 2021, the following versions are the minimum versions of Outlook for Windows you need to be using to be able to connect to Microsoft 365 services, such as Exchange Online.

  • Version 1706 of Microsoft 365 Apps
  • Version 16.0.4600.1000 of Office 2016 (with the November 2017 Update, KB 4051890)
  • Version 15.0.4971.1000 of Office 2013 (Service Pack 1 with the October 2017 Update, KB 4043461)

All versions of Outlook 2019 should be able to connect to Microsoft 365 services, but only the most current version is supported.

Even though newer versions of Outlook 2013 might be able to connect to Microsoft 365 services, it's not supported and you may encounter performance or reliability issues.

Versions of Outlook that are newer than those listed, but aren't the most current (supported) versions, may experience connectivity issues. To find what is the most current (supported) version, see the following articles:

Additional information about connectivity to Office 365 services

  • Versions of Office 2019 and Office 2016 will be supported for connecting to Office 365 (and Microsoft 365) services until October 2023.
  • Connecting to Office 365 services using Office 2016 for Mac isn’t supported. That’s because Office 2016 for Mac reached its end of support on October 13, 2020.
  • This information about connecting to Office 365 services also applies to Project and Visio.
  • This information about connecting to Office 365 services does not apply to InfoPath 2013 or SharePoint Designer 2013.
  • For end of support dates for different versions of Office on various versions of Windows, see the Office configuration support matrix.
  • To discuss or learn more about end of support for Office versions, visit Microsoft Office End of Support on the Microsoft Tech Community.
-->

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

This article describes how to update an Domain Name Service (DNS) record so that you can use Sender Policy Framework (SPF) email authentication with your custom domain in Office 365.

Using SPF helps to validate outbound email sent from your custom domain. It's a first step in setting up other recommended email authentication methods DMARC and DKIM (two further email authentication methods supported in Office 365).

Office 365 Outlook Login

Prerequisites

Important

If you are a small business, or are unfamiliar with IP addresses or DNS configuration, call your Internet domain registrar (ex. GoDaddy, Bluehost, web.com) to ask for help with DNS configuration of SPF (and any other email authentication method). Also, if you haven't bought, or don't use a custom URL (in other words the URL you and your customers browse to reach Office 365 ends in onmicrosoft.com), SPF has been set up for you in the Office 365 service. No further steps are required in that case. Thanks for reading.

Before you create or update the SPF TXT record for Office 365 in external DNS, you need to gather some information needed to make the record. For advanced examples and a more detailed discussion about supported SPF syntax, see How SPF works to prevent spoofing and phishing in Office 365.

Gather this information:

  • The current SPF TXT record for your custom domain, if one exists. For instructions, see Gather the information you need to create Office 365 DNS records.

  • Go to your messaging server(s) and find out the External IP addresses (needed from all on-premises messaging servers). For example, 131.107.2.200.

  • Domain names to use for all third-party domains that you need to include in your SPF TXT record. Some bulk mail providers have set up subdomains to use for their customers. For example, the company MailChimp has set up servers.mcsv.net.

  • Figure out what enforcement rule you want to use for your SPF TXT record. The -all rule is recommended. For detailed information about other syntax options, see SPF TXT record syntax for Office 365.

Important

In order to use a custom domain, Office 365 requires that you add a Sender Policy Framework (SPF) TXT record to your DNS record to help prevent spoofing.

Office 365 Office 365

Create or update your SPF TXT record

  1. Ensure that you're familiar with the SPF syntax in the following table.
ElementIf you're using...Common for customers?Add this...
1Any email system (required)Common. All SPF TXT records start with this valuev=spf1
2Exchange OnlineCommoninclude:spf.protection.outlook.com
3Exchange Online dedicated onlyNot commonip4:23.103.224.0/19
ip4:206.191.224.0/19
ip4:40.103.0.0/16
include:spf.protection.outlook.com
4Office 365 Germany, Microsoft Cloud Germany onlyNot commoninclude:spf.protection.outlook.de
5Third-party email systemNot commoninclude:<domain_name>

<domain_name> is the domain of the third party email system.

6On-premises email system. For example, Exchange Online Protection plus another email systemNot commonUse one of these for each additional mail system:

ip4:<IP_address>
ip6:<IP_address>
include:<domain_name>

<IP_address> and <domain_name> are the IP address and domain of the other email system that sends mail on behalf of your domain.

7Any email system (required)Common. All SPF TXT records end with this value<enforcement rule>

This can be one of several values. We recommend the value -all.

Office 365 Office 365
  1. If you haven't already done so, form your SPF TXT record by using the syntax from the table.

    For example, if you are fully-hosted in Office 365, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 2, and 7 and would look like this:

    This is the most common SPF TXT record. This record works for just about everyone, regardless of whether your Microsoft datacenter is located in the United States, or in Europe (including Germany), or in another location.

    However, if you have purchased Office 365 Germany, part of Microsoft Cloud Germany, you should use the include statement from line 4 instead of line 2. For example, if you are fully-hosted in Office 365 Germany, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 4, and 7 and would look like this:

    If you're already deployed in Office 365 and have set up your SPF TXT records for your custom domain, and you're migrating to Office 365 Germany, you need to update your SPF TXT record. To do this, change include:spf.protection.outlook.com to include:spf.protection.outlook.de.

  2. Once you have formed your SPF TXT record, you need to update the record in DNS. You can only have one SPF TXT record for a domain. If an SPF TXT record exists, instead of adding a new record, you need to update the existing record. Go to Create DNS records for Office 365, and then click the link for your DNS host.

  3. Test your SPF TXT record.

How to handle subdomains?

It is important to note that you need to create a separate record for each subdomain as subdomains don't inherit the SPF record of their top level domain.

An additional wildcard SPF record (*.) is required for every domain and subdomain to prevent attackers from sending email claiming to be from non-existent subdomains. For example:

Troubleshooting SPF

Having trouble with your SPF TXT record? Read Troubleshooting: Best practices for SPF in Office 365.

What does SPF email authentication actually do?

Office 365 Office 365 Office 365

SPF identifies which mail servers are allowed to send mail on your behalf. Basically, SPF, along with DKIM, DMARC, and other technologies supported by Office 365, help prevent spoofing and phishing. SPF is added as a TXT record that is used by DNS to identify which mail servers can send mail on behalf of your custom domain. Recipient mail systems refer to the SPF TXT record to determine whether a message from your custom domain comes from an authorized messaging server.

Office 365 Office 365 Login

For example, let's say that your custom domain contoso.com uses Office 365. You add an SPF TXT record that lists the Office 365 messaging servers as legitimate mail servers for your domain. When the receiving messaging server gets a message from joe@contoso.com, the server looks up the SPF TXT record for contoso.com and finds out whether the message is valid. If the receiving server finds out that the message comes from a server other than the Office 365 messaging servers listed in the SPF record, the receiving mail server can choose to reject the message as spam.

Also, if your custom domain does not have an SPF TXT record, some receiving servers may reject the message outright. This is because the receiving server cannot validate that the message comes from an authorized messaging server.

If you've already set up mail for Office 365, then you have already included Microsoft's messaging servers in DNS as an SPF TXT record. However, there are some cases where you may need to update your SPF TXT record in DNS. For example:

  • Previously, you had to add a different SPF TXT record to your custom domain if you were using SharePoint Online. This is no longer required. This change should reduce the risk of SharePoint Online notification messages ending up in the Junk Email folder. Update your SPF TXT record if you are hitting the 10 lookup limit and receiving errors that say things like, 'exceeded the lookup limit' and 'too many hops'.

  • If you have a hybrid environment with Office 365 and Exchange on-premises.

  • You intend to set up DKIM and DMARC (recommended).

More information about SPF

For advanced examples, a more detailed discussion about supported SPF syntax, spoofing, troubleshooting, and how Office 365 supports SPF, see How SPF works to prevent spoofing and phishing in Office 365.

Links to configure DKIM and DMARC

Purchase Microsoft Office 365

SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF can't protect against. To defend against these, once you've set up SPF, you should configure DKIM and DMARC for Office 365.

DKIM email authentication's goal is to prove the contents of the mail haven't been tampered with.

DMARC email authentication's goal is to make sure that SPF and DKIM information matches the From address.