How to Properly Combine Multiple SPF Records for Office 365 and Mandrill in DNS Configuration


When integrating Office 365 email services with existing SMTP providers like Mandrill, administrators often face SPF record configuration challenges. Both services require specific SPF records in your DNS zone:

Office 365 requires: v=spf1 include:spf.protection.outlook.com -all
Mandrill requires: v=spf1 include:spf.mandrillapp.com ?all

The SPF specification (RFC 7208) allows only one SPF record per domain. Publishing multiple records violates RFC 7208 and causes unpredictable behavior:

  • Some DNS servers might return only one record randomly
  • Email receivers may treat this as invalid configuration
  • SPF validation can fail for legitimate emails

You need to merge both SPF mechanisms into a single record:

v=spf1 include:spf.protection.outlook.com include:spf.mandrillapp.com -all

Key considerations for the combined record:

  1. Maintain the order of includes (security-critical services first)
  2. Use -all for strict enforcement after including all authorized senders
  3. Keep the record under 255 characters, the length limit of a single TXT string, so resolvers and validators read it intact

After implementation, verify your SPF record with these tools:

nslookup -type=txt yourdomain.com
dig txt yourdomain.com

For email testing, send test messages from both Office 365 and Mandrill, then check the received headers for SPF results.

If you have more than 5-6 email senders, consider SPF flattening techniques:

v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.yourdomain.com -all

Where _spf.yourdomain.com contains additional includes and can be updated more frequently without changing your main SPF record.

Common mistakes to avoid:

  • Using multiple all mechanisms in one record
  • Mixing different qualifiers (-, ~, ?, +) inconsistently
  • Exceeding the 10-DNS-lookup limit for SPF evaluation
  • Forgetting to update SPF when adding new email services
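As an added example (not code from the article), a small Python helper that merges the two per-sender records above into one record and checks a record against the pitfalls just listed. It works on strings only and never queries DNS, so the lookup check is a static count of the DNS-querying terms (include, a, mx, ptr, exists, redirect).

```python
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"

def parse_spf(record):
    """Split a record into (qualifier, name, body) terms; modifiers (name=value) get qualifier ''."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for body in terms[1:]:
        qual = ""
        if "=" not in body:  # mechanisms may carry a qualifier; modifiers do not
            qual = "+"
            if body[0] in QUALIFIERS:
                qual, body = body[0], body[1:]
        parsed.append((qual, re.split(r"[:/=]", body, maxsplit=1)[0].lower(), body))
    return parsed

def merge_spf(records, final_qualifier="-"):
    """Merge per-sender records: keep include order, drop each record's 'all', de-duplicate, add one all."""
    merged = []
    for rec in records:
        for qual, name, body in parse_spf(rec):
            term = ("" if qual == "+" else qual) + body
            if name != "all" and term not in merged:
                merged.append(term)
    return "v=spf1 " + " ".join(merged) + " " + final_qualifier + "all"

def lint_spf(record, txt_records=None):
    """Return the pitfalls found in record; txt_records, if given, is the domain's whole TXT set."""
    problems = []
    if txt_records is not None:
        spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
        if len(spf) != 1:
            problems.append(f"{len(spf)} SPF records published; RFC 7208 allows exactly one")
    if len(record) > 255:
        problems.append("record longer than 255 characters; split it into multiple TXT strings")
    terms = parse_spf(record)
    lookups = sum(name in LOOKUP_TERMS for _, name, _ in terms)  # static count, no DNS queries
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms exceed the 10-lookup limit")
    alls = [qual for qual, name, _ in terms if name == "all"]
    if len(alls) > 1:
        problems.append("multiple 'all' mechanisms")
    if alls and alls[-1] in "+?":
        problems.append(f"'{alls[-1]}all' provides no enforcement for unlisted senders")
    return problems
```

Calling merge_spf on the Office 365 and Mandrill records from the article returns exactly the combined record shown above, and lint_spf on that result returns an empty list.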

When integrating Office 365 with existing email infrastructure like Mandrill, many administrators encounter the challenge of managing multiple SPF records. The core issue arises when both services require their own SPF entries in your DNS zone:

v=spf1 include:spf.protection.outlook.com -all  (Office 365)
v=spf1 include:spf.mandrillapp.com ?all       (Mandrill)

The SPF specification (RFC 7208) explicitly states that a domain should have only one SPF record. Having multiple records can lead to:

  • Email delivery failures
  • SPF validation inconsistencies
  • Potential security vulnerabilities

The solution is to combine both SPF mechanisms into a single record. Here's the proper format:

v=spf1 include:spf.protection.outlook.com include:spf.mandrillapp.com -all

For a domain using both Office 365 and Mandrill, your DNS TXT record should look like this:

example.com. IN TXT "v=spf1 include:spf.protection.outlook.com include:spf.mandrillapp.com -all"

After implementation, verify your SPF record with the nslookup and dig queries shown earlier.

For complex email environments, you might need additional includes:

v=spf1 include:spf.protection.outlook.com include:spf.mandrillapp.com include:_spf.google.com ip4:192.0.2.0/24 -all

Remember that a single TXT string is limited to 255 characters and SPF evaluation to 10 DNS lookups. Use the redirect modifier if your SPF becomes too complex; note that redirect is ignored when the record also contains an all mechanism, so it stands alone:

v=spf1 redirect=_spf.example.com