Exchange online SPF


I may be missing something basic here, but can someone explain: if I used the recommended SPF include statement (v=spf1 include:spf.protection.outlook.com -all) (see here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365...) for all Exchange Online deployments, because it's not specific to my domain but rather generic to outlook.com, wouldn't that mean that any other Exchange Online customer could spoof my domain, if they are also coming from that host, being an Exchange Online user just like me?

Does that make sense?

1 Reply

Only if you are sending via the ExO IP ranges, the ones listed when you expand spf.protection.outlook.com. Which Microsoft will only allow you to do for your own domain(s).
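
An added example, not part of the original thread: a small SPF evaluator showing what "expanding" an `include:` means and that the check compares only the connecting IP against the resulting ranges. The TXT records, domain names and address ranges are constructed (documentation ranges), not Microsoft's real ones, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records (documentation address ranges, not real provider data).
TXT = {
    "example.com": "v=spf1 include:spf.provider.example -all",
    "spf.provider.example":
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:extra.provider.example -all",
    "extra.provider.example": "v=spf1 ip4:198.51.100.0/25 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT, depth=0):
    """Evaluate ip4/ip6/include/all for `domain`; returns an SPF result string."""
    if depth > 10:                    # recursion guard (RFC 7208 caps lookups at 10)
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:   # mechanisms are evaluated left to right
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network (and vice versa).
            if addr in ipaddress.ip_network(value, strict=False):
                return RESULT[qualifier]
        elif name == "include":
            inner = check_host(ip, value, txt, depth + 1)
            if inner == "pass":       # include matches only on an inner "pass"
                return RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
    return "neutral"                  # nothing matched and no "all" term

def expand(domain, txt=TXT):
    """List every ip4/ip6 range reachable through include: from `domain`."""
    ranges = []
    for term in txt.get(domain, "").split()[1:]:
        name, _, value = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):
            ranges.append(value)
        elif name == "include":
            ranges.extend(expand(value, txt))
    return ranges
```
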