No apologies for going back to the subject of mail compliance. And this time it’s an obvious and easy trap that you could fall into when configuring your SPF record.
By way of explanation, your SPF record is something you publish: it contains a list of the server(s) that you have authorised to send out your emails. When we send out an email from backofficeit.co.uk the recipient looks at the source server, checks it against our published SPF list, and gives it the go/no-go based on what it finds. In this way recipients are protected against ‘spoof’ emails (scammers pretending to be us). The trap comes when you use Microsoft365 (Office365) for your emails. Your SPF record is now spf.protection.outlook.com – which sounds fine. But every other Office365 user on the planet comes off the same server. So the SPF record check does NOT say “this is definitely from backofficeit.co.uk”. It simply says “this is from an Office365 user & Office365 is good for backofficeit.co.uk”. Which is not where you want to be at all!
The solution is to use an outbound mail relay. The one we have partnered with has many useful features. But, in this case, it has its own SPF identity. And, as part of their system, they monitor for exactly the scenario we are guarding against: therefore we use that instead of the Office365 one. And now the receiver can say with much higher confidence that this email is really from us.