How to Set Up DMARC, DKIM & SPF for Microsoft 365

Microsoft 365 Email Authentication Setup

Microsoft 365 (formerly Office 365) requires proper configuration of SPF, DKIM, and DMARC for secure email authentication. This guide covers the complete setup process.

SPF for Microsoft 365

Create Your SPF Record

Add this TXT record to your domain's root:

v=spf1 include:spf.protection.outlook.com ~all

With additional services:

v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all

DKIM for Microsoft 365

Microsoft 365 uses CNAME records for DKIM, not TXT records.

Enable DKIM

  1. Go to Microsoft 365 Defender portal
  2. Navigate to Email & Collaboration → Policies & Rules → Threat policies
  3. Under Email Authentication Settings, select DKIM
  4. Select your domain
  5. Click "Create DKIM keys"

Add CNAME Records

Microsoft provides two CNAME records:

Record 1:

  • Host: selector1._domainkey
  • Points to: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Record 2:

  • Host: selector2._domainkey
  • Points to: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Activate DKIM Signing

  1. After DNS propagation (can take hours)
  2. Return to DKIM settings in Defender portal
  3. Toggle "Sign messages for this domain with DKIM signatures" to enabled

DMARC for Microsoft 365

Create DMARC Record

Add TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Verification

Check Headers

  1. Send test email to an external Gmail account
  2. View message headers
  3. Look for authentication-results showing pass for SPF, DKIM, DMARC

Microsoft Message Header Analyzer

Use Microsoft's Message Header Analyzer tool to analyze email headers.

Common Issues

DKIM Won't Enable

  • CNAME records take time to propagate
  • Verify CNAME values exactly match Microsoft's provided records
  • Check for conflicting TXT records at the same subdomain

Hybrid Configuration

If using hybrid Exchange, ensure on-premises servers are also configured for authentication.

Multi-Domain Setup

Each domain needs its own SPF, DKIM, and DMARC configuration. Repeat for each accepted domain.

For more guidance, see our Email Authentication Complete Guide.

📋 Need a printable guide? Download our Email Authentication Checklist to track your implementation progress.

0 comments

Leave a comment

Please note, comments need to be approved before they are published.