Key Takeaways
- Microsoft is moving in stages (Auditing → Compatibility Fixes → Disabled by Default) to ensure organizations have time to find legacy dependencies before they break.
- Microsoft will flip the BlockNTLMv1SSO registry key to Enforce (1) by default in October 2026, meaning NTLM version 1 (the oldest, weakest version) will be blocked for Single Sign-On (SSO).
- Microsoft is releasing new features in late 2026 to fix the reasons why people used NTLM (like local account logins or remote access where a Domain Controller isn’t visible).
- The move is necessary because NTLM is vulnerable to “Relay” and “Pass-the-Hash” attacks that allow hackers to move laterally through a network.
- The most critical immediate action for MSPs is to enable “Enhanced Auditing” today to see what hidden apps or legacy printers are still using NTLM.
In late 2023, Microsoft first announced its “Evolution of Windows Authentication,” which matured into the three-phase roadmap currently being executed through 2026. NT LAN Manager (NTLM) has been a staple of Windows authentication since 1993 and has served the ecosystem for over 30 years. While it was formally deprecated in mid-2024, the timeline we are navigating in 2026 makes one thing clear: NTLM is no longer a “future” concern.
For Managed Service Providers (MSPs) and IT teams, this shift represents a significant transition. Phase 1 auditing is now standard across Windows 11 24H2 and Windows Server 2025, having been active since late 2025. In January 2026, Microsoft provided an updated roadmap to transition Windows to a secure-by-default state. While network NTLM will be disabled by default in the coming years, the protocol remains in the OS as a fallback that must be explicitly enabled by administrators if needed; it is not being deleted from the system files yet, but the “safety net” is being removed.
To avoid disruption, organizations must use this window in mid-2026 to begin auditing and migrating to Kerberos before the “disabled by default” state takes effect in the next major Windows Server release following Server 2025.
What Is NTLM and Why Is Microsoft Killing It?
NTLM (New Technology LAN Manager) is a legacy authentication protocol that utilizes a challenge-response mechanism to verify users. For decades, it has served as the primary fallback when Kerberos is unavailable, often due to local account logins, applications requesting it directly, or a lack of line-of-sight to a domain controller.
While Microsoft introduced Kerberos as the preferred protocol over 20 years ago, NTLM remained deeply embedded as a fallback in countless legacy environments. However, its aging architecture presents several critical security risks that no longer meet modern standards:
- Weak Cryptography: Its MD4/MD5-based design is highly vulnerable to offline cracking.
- No Mutual Authentication: NTLM only verifies the client, not the server, which leaves the connection open to spoofing and man-in-the-middle attacks.
- Susceptibility to Pass-the-Hash: Attackers can use stolen NTLM hashes to authenticate without ever knowing the user’s password.
- Susceptibility to Relay Attacks: Attackers can force systems to authenticate against attacker-controlled servers to escalate privileges.
- Limited Auditing Visibility: Historically, organizations have had very little insight into exactly where or why NTLM was being triggered.
What Is Microsoft’s Three-Phase NTLM Deprecation Timeline?
Microsoft is managing the phaseout in three distinct stages to help organizations transition without breaking critical infrastructure.
Phase 1 – Now (Available): Enhanced Auditing
Enhanced NTLM auditing tools are currently available for Windows Server 2025 and Windows 11 version 24H2. This phase is built on the principle that you cannot migrate what you cannot see; it is about building an accurate inventory of legacy dependencies.
- Detailed Logging: Admins can use Group Policy settings to log exactly where NTLM is still in use across the environment.
- October 2026 Deadline: The BlockNTLMv1SSO registry key default will change from “Audit” to “Enforce,” which effectively disables NTLMv1 unless an administrator explicitly overrides it.
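The inventory step above is where most teams get stuck, so here is an added example (not code from the original post or from Microsoft) of what the Phase 1 audit actually looks like on a server. It reads the registry values that the long-standing “Network security: Restrict NTLM” Group Policy settings and LmCompatibilityLevel write (the post names a BlockNTLMv1SSO key but gives no location for it, so the script does not touch it), then turns Security log logon events (Event ID 4624, whose “Package Name (NTLM only)” field distinguishes NTLM V1 from NTLM V2) into a dependency inventory sorted so NTLMv1 users appear first. The registry paths, value meanings and event field names are from the standard Windows policy and event schema rather than from the post; the four records in $sample are constructed so the grouping can be seen without a live log.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 or later
# and "Audit Logon" success auditing enabled, so that Event ID 4624 is recorded.
# Registry paths and value meanings are the standard "Restrict NTLM" GPO mappings.
$NtlmPolicyValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'AuditReceivingNTLMTraffic';    Meaning = '0=off, 1=domain accounts, 2=all accounts' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictSendingNTLMTraffic';   Meaning = '0=allow all, 1=audit all, 2=deny all (the "NTLM-off" test setting)' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictReceivingNTLMTraffic'; Meaning = '0=allow all, 1=deny domain accounts, 2=deny all' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'AuditNtlmInDomain';            Meaning = 'Domain controllers only: 0=off ... 7=audit all' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';        Name = 'LmCompatibilityLevel';         Meaning = '0-5; 5 = send NTLMv2 only and refuse LM and NTLMv1' }
)

function Get-NtlmPolicyState {
    # One row per policy value. "Not set" means no GPO has ever written it on this host.
    foreach ($v in $NtlmPolicyValues) {
        $item  = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($v.Name) } else { 'Not set' }
        [pscustomobject]@{ Name = $v.Name; Value = $value; Meaning = $v.Meaning }
    }
}

function ConvertFrom-LogonEvent {
    # Flattens a 4624 record's EventData into the fields that identify an NTLM dependency.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            AuthPackage = $d['AuthenticationPackageName']   # 'NTLM', 'Kerberos' or 'Negotiate'
            LmPackage   = $d['LmPackageName']               # 'NTLM V1', 'NTLM V2', 'LM' or '-'
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            LogonType   = [int]$d['LogonType']
        }
    }
}

function Get-NtlmLogonInventory {
    # Groups NTLM logons by version, account and origin; NTLMv1 rows (blocked by
    # default from October 2026 per the post) sort to the top.
    param([Parameter(Mandatory, ValueFromPipeline)] $LogonRecord)
    begin   { $rows = @() }
    process { if ($LogonRecord.AuthPackage -eq 'NTLM') { $rows += $LogonRecord } }
    end {
        $rows | Group-Object LmPackage, Account, Workstation, SourceIp | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                LmPackage   = $first.LmPackage
                Account     = $first.Account
                Workstation = $first.Workstation
                SourceIp    = $first.SourceIp
                Logons      = $_.Count
                LastSeen    = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            }
        } | Sort-Object -Property @{ Expression = { $_.LmPackage -eq 'NTLM V1' }; Descending = $true },
                                  @{ Expression = 'Logons'; Descending = $true }
    }
}

function Get-NtlmLogonInventoryFromSecurityLog {
    # Live collection: run on a domain controller or file/print server with enough log retention.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction Stop |
        ConvertFrom-LogonEvent | Get-NtlmLogonInventory
}

# Constructed sample records (not captured from any real environment) so the
# grouping can be seen offline: a print service account still on NTLMv1, a user on
# NTLMv2, and the same user's Kerberos logon, which is ignored by the inventory.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2026-03-02T08:15:00'; AuthPackage = 'NTLM';     LmPackage = 'NTLM V1'; Account = 'CORP\svc-print'; Workstation = 'PRINT01';  SourceIp = '10.0.5.20'; LogonType = 3 }
    [pscustomobject]@{ TimeCreated = Get-Date '2026-03-02T09:40:00'; AuthPackage = 'NTLM';     LmPackage = 'NTLM V1'; Account = 'CORP\svc-print'; Workstation = 'PRINT01';  SourceIp = '10.0.5.20'; LogonType = 3 }
    [pscustomobject]@{ TimeCreated = Get-Date '2026-03-02T10:05:00'; AuthPackage = 'NTLM';     LmPackage = 'NTLM V2'; Account = 'CORP\jdoe';      Workstation = 'LAPTOP-7'; SourceIp = '10.0.8.41'; LogonType = 3 }
    [pscustomobject]@{ TimeCreated = Get-Date '2026-03-02T10:06:00'; AuthPackage = 'Kerberos'; LmPackage = '-';       Account = 'CORP\jdoe';      Workstation = 'LAPTOP-7'; SourceIp = '10.0.8.41'; LogonType = 3 }
)

Get-NtlmPolicyState | Format-Table -AutoSize
$sample | Get-NtlmLogonInventory | Format-Table -AutoSize
# Against a live server, export the result for the client's dependency inventory:
#   Get-NtlmLogonInventoryFromSecurityLog -Days 14 | Export-Csv ntlm-inventory.csv -NoTypeInformation
```

The 4624 event only tells you which client and account authenticated with NTLM, not which application asked for it; once a row points at a workstation, the Microsoft-Windows-NTLM/Operational log on that machine (populated when the audit policy values above are enabled) records the calling process name, which is what the vendor conversation in Phase 2 needs.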
Phase 2 – H2 2026: Compatibility Fixes
Currently in early 2026, Microsoft is flighting features through the Windows Insider Program designed to eliminate the common reasons for NTLM fallback. These include IAKerb and Local KDC, which are set for broad release in the second half of the year.
- IAKerb: Enables Kerberos authentication even when a domain controller is not directly reachable.
- Local KDC: Handles local account authentication without forcing NTLM fallback on modern systems.
- Negotiation Changes: Core Windows components will be updated to prefer Kerberos negotiations first.
Phase 3 – Next Major Windows Server Release: Disabled by Default
Network NTLM authentication will be disabled by default in the successor to Windows Server 2025 (expected in 2027/2028). For now, Windows Server 2025 retains NTLM as a default but provides the enhanced auditing tools needed to prepare for this future block.
- Secure-by-Default: NTLM will remain in the OS but will not operate unless an admin re-enables it via policy.
- Timeline: While tied to the next major release, Microsoft has not yet announced a specific date for this final stage.
| Phase | Status | Key Change |
|---|---|---|
| Phase 1 | Complete/Ongoing | Enhanced auditing is standard on Win 11 24H2 / Server 2025. |
| Phase 2 | Incoming (H2 2026) | IAKerb and Local KDC features are currently in Insider Preview. |
| Phase 3 | Future | NTLM disabled by default (Expected in the next Long-Term Servicing Channel (LTSC) release). |
Why NTLM Is a Security Risk: The Attacks That Make It Dangerous
The move away from NTLM is driven by its role in modern cyberattacks, where it is frequently exploited for lateral movement and privilege escalation.
- Pass-the-Hash: Attackers steal NTLM hashes from memory (using tools like Mimikatz) and use them to authenticate as the victim without knowing the actual password. The hash is functionally equivalent to the password in this protocol.
- NTLM Relay Attacks: Attackers intercept NTLM authentication attempts and relay them to another server to gain unauthorized access. Exploits like PetitPotam, ShadowCoerce, and RemotePotato0 allow attackers to bypass existing mitigations.
- Replay Attacks: Captured tokens can be replayed to authenticate to services later, even without the original credentials.
- Offline Cracking: NTLMv1 hashes are weak enough to be cracked almost instantly. While NTLMv2 is stronger, it remains vulnerable to offline brute-force attacks given sufficient hardware.
How Does NTLM Compare to Kerberos?
Kerberos has been the default Windows domain protocol for over 20 years and offers far superior security. It uses ticket-based authentication with time-limited tokens and mutual verification.
| Feature | NTLM | Kerberos |
|---|---|---|
| Mutual Authentication | No (client only) | Yes (client and server) |
| Cryptography | Weak (MD4/MD5-based) | Strong (AES-based) |
| Pass-the-hash vulnerability | Yes | No |
| Relay attack vulnerability | Yes | Largely mitigated |
| Single Sign-On (SSO) | Limited | Full support |
| Network round-trips | More (slower) | Fewer (faster) |
What This Means for MSPs: The Client Impact
For MSPs managing multiple environments, the NTLM phaseout is a project multiplied across every client.
- Discovery Challenges: NTLM usage is often invisible until something breaks. It may only appear during specific events, such as domain controller outages, which makes it time-consuming to map.
- Application Dependency Risks: Line-of-business applications, print servers, and legacy Enterprise Resource Planning (ERP) systems often have hardcoded NTLM dependencies. MSPs must coordinate with multiple vendors per client to ensure software is updated for Kerberos.
- Testing Burden: Every application must be validated in non-production test environments with NTLM disabled to surface issues before they become production problems.
- Client Communication: As Microsoft moves toward the next Long-Term Servicing Channel (LTSC) release, MSPs must brief clients on the NTLMv1 enforcement change and frame it as a proactive security improvement rather than a disruption.
- Service Opportunity: Auditing, dependency mapping, and migration planning represent a clear billable service offering for MSPs.
How Does NTLM Deprecation Connect to Email Security?
The phaseout is part of a broader push toward phishing-resistant, passwordless authentication. NTLM relay attacks often begin with a compromised email credential; once an attacker gains access via phishing, they pivot to NTLM-based lateral movement.
Implementing email authentication protocols like DMARC, SPF, and DKIM protects the vector often used for the initial credential theft. Microsoft’s own sender requirements for Outlook (effective since May 2025) align with this push and require bulk senders to use these protocols.
This network transition is a perfect time for MSPs to review the total identity perimeter. While Kerberos secures the internal network, protocols like DMARC and SPF secure the email gateway, the most common entry point for the credential theft that leads to NTLM relay attacks.
Action Plan: What IT Teams and MSPs Should Do Now
Here are some steps you can and should take now:
- Enable Enhanced Auditing and Log Preservation: Deploy Group Policy settings for detailed logging on modern Windows environments immediately. This ensures you have the raw authentication logs and Identity Provider data necessary to see exactly where an attacker logged in from. Use hashing tools to generate a SHA-256 hash of these files to ensure evidence remains untampered for legal or insurance purposes.
- Build a Dependency Inventory and Audit for Persistence: Beyond just documenting NTLM-triggering systems, you must inventory “hidden” persistence mechanisms. This includes identifying unauthorized mailbox forwarding rules and third-party Open Authorization (OAuth) application permissions that could allow an attacker to bypass future password changes.
- Contact Vendors and Enforce Modern Standards: Confirm Kerberos support roadmaps for critical software, but also push vendors toward phishing-resistant Multi-Factor Authentication (MFA) like FIDO2/WebAuthn. Move away from legacy SMS or push-based notifications, as these are easily bypassed by modern attackers.
- Test Configurations and Revocation Workflows: Set up non-production environments to test “NTLM-Off” configurations. Simultaneously, build and test automated workflows to revoke active session tokens and refresh tokens. Since changing a password alone will not stop an attacker who has stolen a login cookie, your team must be able to trigger a Global Sign-Out instantly.
- Prepare for Hard Enforcement Deadlines: Treat upcoming system changes as a hard deadline for hardening your domain. Part of this preparation should include enforcing DMARC at a p=reject policy. This prevents attackers from “spoofing” your domain to send emails that appear to be from your company.
- Validate New Scenarios with IAKerb and Local KDC: As new authentication features become available in H2 2026, validate that they properly support your environment. During this phase, ensure you are also scanning for fileless payloads and malicious scripts (like “ClickFix” tactics) that may have bypassed traditional gateways during the transition period.
Note on Local KDC Stability: Some IT teams testing the Local KDC feature in Windows 11 24H2 have reported Event ID 7031 (service termination). If you encounter this, ensure the service is set to Automatic (Delayed Start) to prevent it from failing during the initial boot sequence before network dependencies are ready.
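The “enforce DMARC at p=reject” step is easy to state and easy to get half right: a record can say p=reject and still leave a gap through a weaker sp= subdomain policy or a pct= below 100. The following is an added example (not from the original post and not PowerDMARC’s tooling) that parses a DMARC TXT record into its tags and reports exactly which of those conditions keeps a domain short of full enforcement. The live lookup uses Resolve-DnsName from the DnsClient module that ships with Windows; the records in $sampleRecords and the domain names they are keyed by are constructed, and contoso.com in the final comment is a placeholder.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 or later;
# Resolve-DnsName (DnsClient module) is only needed for the live lookup at the end.

function ConvertFrom-DmarcRecord {
    # Parses "v=DMARC1; p=reject; rua=mailto:..." into a hashtable of lower-cased tag names.
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    return $tags
}

function Test-DmarcEnforcement {
    # Enforced is $true only for p=reject, an equally strict subdomain policy, pct=100,
    # and an aggregate reporting address so that failures remain visible.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][AllowNull()][AllowEmptyString()][string]$Record
    )
    if ([string]::IsNullOrWhiteSpace($Record) -or $Record -notmatch '^\s*v=DMARC1') {
        return [pscustomobject]@{ Domain = $Domain; Policy = '(no record)'; Enforced = $false; Issues = @('No DMARC record published: anyone can send as this domain unchallenged') }
    }
    $t      = ConvertFrom-DmarcRecord $Record
    $issues = @()
    $p   = if ($t.ContainsKey('p'))   { $t['p'].ToLower() }  else { 'none' }
    $sp  = if ($t.ContainsKey('sp'))  { $t['sp'].ToLower() } else { $p }      # sp defaults to p
    $pct = if ($t.ContainsKey('pct')) { [int]$t['pct'] }     else { 100 }
    if ($p -ne 'reject')            { $issues += "Organizational policy is p=$p, not p=reject" }
    if ($sp -ne 'reject')           { $issues += "Subdomain policy sp=$sp is weaker than reject" }
    if ($pct -lt 100)               { $issues += "Only pct=$pct percent of failing mail is subject to the policy" }
    if (-not $t.ContainsKey('rua')) { $issues += 'No rua= aggregate reporting address, so failures go unseen' }
    [pscustomobject]@{ Domain = $Domain; Policy = "p=$p sp=$sp pct=$pct"; Enforced = ($issues.Count -eq 0); Issues = $issues }
}

function Get-DmarcRecord {
    # Live lookup of _dmarc.<domain> TXT. Returns $null when nothing is published.
    param([Parameter(Mandatory)][string]$Domain)
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -match '^v=DMARC1' }
    if ($txt) { return (($txt | Select-Object -First 1).Strings -join '') }
}

# Constructed sample records keyed by made-up domain names (no real domain's data).
$sampleRecords = @{
    'audit-only.example'  = 'v=DMARC1; p=none; rua=mailto:dmarc@audit-only.example'
    'partial.example'     = 'v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example'
    'subdomain.example'   = 'v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain.example'
    'enforced.example'    = 'v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example'
    'unprotected.example' = ''
}
$sampleRecords.GetEnumerator() |
    ForEach-Object { Test-DmarcEnforcement -Domain $_.Key -Record $_.Value } |
    Sort-Object Enforced, Domain |
    Format-Table Domain, Policy, Enforced, @{ Label = 'Issues'; Expression = { $_.Issues -join '; ' } } -AutoSize

# Live check for a client domain (contoso.com is a placeholder):
#   Test-DmarcEnforcement -Domain 'contoso.com' -Record (Get-DmarcRecord 'contoso.com')
```

Only enforced.example comes back with Enforced set to $true; the others each carry the specific gap, which is the wording to put in front of a client when explaining why “we have DMARC” is not the same as “we are at p=reject.”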
Summing Up
The NTLM phaseout is a major step toward a modern, phishing-resistant identity perimeter, but network authentication is only half of the story. NTLM relay and lateral movement attacks often begin with a single compromised email credential. An attacker who successfully phishes an employee can use that entry point to pivot into the internal network and exploit legacy protocols like NTLM.
Understanding the full scope of NTLM deprecation means recognizing that securing the email vector is just as critical as migrating your authentication protocols.
To truly protect your clients, you must secure both the internal network and the external email vector. Just as Microsoft is moving toward a “secure-by-default” state for Windows, the industry is doing the same for email via DMARC, SPF, and DKIM. These protocols prevent the initial spoofing and credential theft attempts that make internal network vulnerabilities so dangerous.
Don’t leave the “front door” open while you lock the internal offices. As you audit your clients for NTLM dependencies, ensure their email domains are equally hardened against impersonation.
Explore the PowerDMARC MSP Partner Program to simplify DMARC implementation and provide your clients with a comprehensive defense-in-depth strategy that covers both network and email authentication.
Frequently Asked Questions
Is NTLM being removed from Windows?
It was formally deprecated in mid-2024. While network NTLM will be blocked by default in the next major Windows Server release, it will remain in the OS and can be re-enabled via policy if needed.
What replaces NTLM?
Kerberos is the replacement, offering modern AES-based cryptography and resistance to relay attacks. Phase 2 features (IAKerb and Local KDC) are designed to eliminate the final reasons for NTLM fallback.
What is an NTLM relay attack?
It occurs when an attacker intercepts an authentication attempt and relays it to another server to gain access without knowing the victim’s password.
Can NTLM be re-enabled after Phase 3?
Yes, it can be explicitly re-enabled through policy controls, but this should only be a temporary fallback during remediation, not a long-term strategy.
When will NTLM be disabled by default?
Phase 1 auditing is available now. Phase 2 compatibility fixes (IAKerb and Local Key Distribution Center) arrive in H2 2026 for Windows Server 2025 and Windows 11 24H2. Phase 3, NTLM disabled by default, is tied to the next major Windows Server Long-Term Servicing Channel (LTSC) release, but Microsoft has not published a specific date. Additionally, NTLMv1 enforcement changes are scheduled for October 2026, representing the nearest hard deadline requiring action.
What should MSPs do to prepare for NTLM deprecation?
Start immediately with Phase 1: enable enhanced NTLM auditing across all client environments to identify where the protocol is still in use. Build a dependency inventory, contact application vendors, and begin testing NTLM-off configurations in non-production environments. The October 2026 NTLMv1 enforcement change is the nearest hard deadline requiring action. Treat the NTLM deprecation timeline as a project across all clients, not a single migration, and use it as an opportunity to offer auditing and Kerberos migration as a billable service.
