How do I check SPF records in Exchange Online?

Use an SPF lookup tool like the PowerDMARC SPF Checker, enter your domain and review the record, syntax, and lookup count. You can also verify in the Microsoft 365 admin center under Settings → Domains → DNS records. For recipient-side verification, check the Authentication-Results header in a test message sent externally.

What SPF record do I need for Microsoft 365?

At minimum: v=spf1 include:spf.protection.outlook.com -all. If you use additional sending services (HubSpot, SendGrid, Salesforce, Zendesk), add their includes before -all. Ensure total DNS lookups stay under 10, including nested lookups inside each include.

Why is SPF failing even though my record looks correct?

Common causes: exceeding the 10 DNS lookup limit (PermError), having multiple SPF records on the same domain, forwarded emails (SPF breaks on forwarding by design), or a vendor changing their authorized IP ranges without notifying you. Check the Authentication-Results header for the specific spf= result.

What’s the difference between -all and ~all?

-all (hard fail) instructs receivers to reject or fail messages from unauthorized IPs. ~all (soft fail) is more permissive. In 2026, with DMARC deployed, the DMARC policy controls enforcement regardless of qualifier. If you don’t have DMARC yet, -all provides significantly stronger protection.

How many DNS lookups does include:spf.protection.outlook.com use?

The Microsoft include counts as 1 lookup, but it chains to nested includes that consume approximately 2–4 additional lookups. The exact number varies as Microsoft updates infrastructure. Always verify with a checker that recursively counts nested lookups.

Is SPF enough to stop email spoofing?

No. SPF alone does not prevent spoofing of the visible From: address (header From). It only validates the envelope sender (Return-Path). Comprehensive protection requires DKIM for message-level signing plus DMARC to enforce alignment. All three protocols working together, and monitored continuously, is the standard in 2026.

How MSPs Can Manage DMARC Faster With MCP Server

Key Takeaways

Managing DMARC across dozens of client domains becomes difficult when MSPs rely on separate dashboards and manual DNS checks.
An MCP server connects AI tools like Claude or Cursor to live PowerDMARC data, allowing MSPs to query and manage domains through simple prompts.
MSPs can quickly identify spoofable domains, SPF issues, weak DMARC policies, and authentication gaps across their full client portfolio.
The MCP server helps reduce operational overhead by combining visibility, troubleshooting, and DNS record generation into one workflow.

Managing DMARC across a handful of domains is manageable. Managing it across 50, 100, or 300 client domains is a different story entirely.

Most MSPs already know the routine: jumping between dashboards, checking DNS records manually, validating SPF syntax in separate tools, reviewing DMARC reports one tenant at a time, and trying to keep track of which client is still stuck in monitoring mode. Add multiple administrators, different DNS providers, and disconnected security tools to the mix, and even simple checks start to take hours.

The problem is not a lack of tooling. It is the lack of a central operational layer that prevents MSPs from quickly querying, troubleshooting, and acting across their entire client portfolio.

This is where the MCP Server comes in.

PowerDMARC’s MCP server gives MSPs a way to interact with live DMARC data directly through AI tools like Claude or Cursor. Instead of switching between tabs and portals, teams can ask questions in plain language and get real account-level answers back instantly.

What Is MCP – And Why Should MSPs Care?

MCP stands for Model Context Protocol. In simple terms, it is a standard that allows AI assistants to connect with external platforms and work with live data.

Without an MCP, an AI assistant can only provide general guidance based on what it already knows. It can explain what SPF or DMARC is, but it cannot see your client domains, check their DNS records, or identify which domains are vulnerable to spoofing.

With MCP, the AI becomes connected to your actual environment.

That means an MSP can ask questions like:

“Which client domains are still at p=none?”
“Show me domains with SPF PermError risk.”
“Generate a corrected SPF record for this client.”
“List all domains with low health scores.”

Instead of generic answers, the AI retrieves live information directly from the connected platform and can help execute tasks in real time.

For MSPs handling email security across multiple organizations, this matters because it reduces operational overhead. The AI stops being just an assistant and becomes an interface for managing real environments faster.

Why PowerDMARC Built an MCP Server

MSPs and MSSPs managing large domain portfolios often face the same operational bottleneck: visibility is fragmented. This means that one client may be at DMARC enforcement, another may still be in monitoring mode, one domain may have an SPF lookup issue, while another has unauthorized senders appearing in reports. Finding all of this information usually means logging into separate dashboards, checking records manually, and piecing together data across tools.

PowerDMARC built its MCP server to remove that friction.

The goal was not to replace existing workflows. It was to allow MSPs to work through the AI tools they already use while still accessing live DMARC and DNS intelligence from their PowerDMARC environment.

Without MCP connectivity, even advanced AI tools can only provide theoretical advice:

Your prompt: “Why is SPF failing for my client domain?”

The answer: “Your client domain might be failing SPF for various reasons. Here’s how SPF works…”

With MCP connectivity, the same prompt becomes actionable:

The answer: “Your client domain exceeds SPF lookup limits because of nested include statements. Here is the corrected SPF record.”

The difference is context.

By connecting the AI directly to live account data, MSPs can retrieve domain health scores, identify spoofing risks, validate records, review enforcement status, and generate fixes without manually navigating every client account.

For teams managing dozens or hundreds of domains, that operational speed becomes important very quickly.

The Two MSP Problems It Directly Solves

Problem 1: Managing 50+ Client Domains Without a Central View

As MSP portfolios grow, visibility becomes harder to maintain. Every client has different domains, different DNS providers, different enforcement stages, and different sending sources. Some may be fully enforced with strict DMARC policies, while others still rely on monitoring mode with incomplete SPF alignment. Tracking all of this manually does not scale well.

The MCP server gives MSPs a way to query their entire portfolio from one interface using plain-language prompts. For example:

“List all client domains with their DMARC policy, enforcement status, and health score.”

Instead of checking tenants individually, the AI can return a centralized snapshot across the portfolio in seconds.

This becomes especially useful for identifying:

Domains still vulnerable to spoofing
Clients with weak enforcement policies
Domains with unhealthy SPF configurations
Accounts that require remediation before moving to quarantine or reject

For MSPs handling multi-client email security, centralized visibility is often the missing layer between reactive troubleshooting and proactive management.

You can also learn more about DMARC for Multiple Domains and how centralized domain management improves operational efficiency at scale.

Problem 2: Switching Between Too Many Disconnected Tools

Most MSP environments are already overloaded with tools. Teams regularly move between RMM platforms, ticketing systems, DNS providers, security dashboards, and email authentication portals. None of them naturally share context with each other, and as a result, even straightforward troubleshooting becomes time-consuming.

A common example:

A client reports email delivery failures
The technician checks SPF syntax separately
DNS lookups happen in another tool
DMARC reports are reviewed elsewhere
A corrected record is then generated manually

The MCP server turns the AI into the connective layer between those workflows. An MSP can use a prompt like:

“Check this domain for SPF issues, identify the cause of the PermError, and generate a corrected SPF record.”

The result is a faster troubleshooting process without constantly moving between platforms.

What You Can Actually Do With PowerDMARC’s MCP Server

1. Get Full Visibility Across Your Client Portfolio

MSPs can retrieve a complete list of managed domains along with DMARC policy status, enforcement stage, and health scores from a single interface. The MCP server can also identify who is currently sending email on behalf of each client domain, making it easier to spot unauthorized or unexpected senders.

Teams can review mail volume history, inspect DKIM analytics, and monitor authentication trends across multiple client environments without manually opening each tenant.

2. Diagnose Problems Before Clients Notice Them

The MCP server helps MSPs identify domains that are still spoofable and understand exactly why they remain exposed. It can validate SPF configurations, detect lookup-limit problems, and flag potential PermError risks before they disrupt mail flow. Teams can also retrieve forensic failure reports for failed messages and review audit logs to see recent configuration changes that may have introduced issues.

Instead of waiting for a client escalation, MSPs can proactively identify weak points across the portfolio.

3. Generate Fixes and Take Action on the Spot

MSPs can generate DNS-ready DMARC, SPF, and DKIM records directly from prompts without manually building syntax. The MCP server also supports DNS lookups across multiple record types, helping technicians verify configurations quickly during troubleshooting.

Operational actions can be handled from the same interface as well. For example, MSPs can add a new client domain and configure it in monitoring mode without opening the dashboard separately. This reduces the number of repetitive administrative tasks technicians handle daily.

4. Manage MSSP Sub-Accounts From One Interface

For larger MSSPs and partner environments, the MCP server also supports portfolio-level account management. Teams can list and manage client sub-accounts, add or remove users, and oversee domain groups across the full customer environment from one connected interface.

For organizations managing large-scale email security operations, this helps reduce the administrative complexity that comes with multi-tenant management.

MSPs interested in scaling multi-client email authentication services can also explore PowerDMARC’s MSP/MSSP Partner Program.

Final Words

For MSPs, the biggest challenge in DMARC management is rarely understanding the protocols themselves. It is maintaining visibility and control across dozens of client environments without wasting operational time.

Right now, some client domains may still be spoofable without anyone noticing. Others may already have SPF issues or weak DMARC enforcement quietly affecting security posture. The longer those gaps remain hidden, the greater the risk becomes. Tools that reduce dashboard switching, surface live domain risks faster, and simplify remediation workflows are quickly becoming operational necessities for modern MSPs handling email security at scale.

About
Latest Posts

Ahona Rudra

Domain & Email Security Expert at PowerDMARC

Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.

How MSPs Can Manage Every Client’s DMARC Faster With PowerDMARC’s MCP Server