A step-by-step guide to configuring SPF, DKIM, and DMARC for your Microsoft 365 environment. Protect your organization from domain spoofing and ensure your emails reach their destination.
Before you begin, make sure you have the following:
SPF tells receiving mail servers which IP addresses are authorized to send email for your domain. Microsoft 365 requires a specific SPF record to authenticate emails sent through its servers.
Add a TXT record to your DNS with the following value:
If you use additional email-sending services, add them before the -all directive. For example, if you also use Mailchimp and Salesforce:
DNS Record Details
Type: TXT
Host/Name: @
TTL: 3600
Microsoft 365 supports DKIM signing out of the box, but you need to enable it for your custom domain and publish the DKIM keys in your DNS. By default, Microsoft uses its own domain for DKIM signing, which does not align with your custom domain for DMARC purposes.
Add these two CNAME records at your DNS provider (replace yourdomain.com with your actual domain):
Record 1
Host: selector1._domainkey
Points to: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Record 2
Host: selector2._domainkey
Points to: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Wait for DNS propagation (up to 48 hours, but usually under 1 hour), then return to the Microsoft 365 Defender portal and toggle DKIM signing to Enabled for your domain. Microsoft will now sign all outbound emails with your custom domain DKIM key.
With SPF and DKIM in place, you can now deploy DMARC. This is the policy layer that tells receiving servers what to do when emails fail authentication and sends you reports about your email traffic.
Always begin with p=none to monitor your email authentication without impacting delivery. Add this TXT record to your DNS:
DNS Record Details
Type: TXT
Host/Name: _dmarc
TTL: 3600
Record Breakdown
Once your DMARC record is live with p=none, receiving servers will start sending you aggregate reports (typically daily). These XML reports show every source sending email using your domain and whether each source passed or failed SPF and DKIM.
Tip: Raw DMARC XML reports are difficult to read manually. Consider using a DMARC reporting tool or service to parse and visualize the data. Monitor for at least 2-4 weeks before progressing to enforcement.
Once you have confirmed all legitimate email sources pass authentication, gradually increase your DMARC enforcement level.
Send 25% of failing emails to spam. Monitor for 1-2 weeks to check for any legitimate email being quarantined.
All failing emails go to spam. Monitor for another 1-2 weeks before moving to reject.
Full protection. Emails that fail authentication are blocked entirely and never reach the recipient.
Beyond DMARC, Microsoft 365 offers additional security features you should configure to maximize protection.
The CNAME records may not have propagated yet. Wait up to 48 hours and try again. Verify the CNAME records are published correctly using a DNS lookup tool. Ensure there are no typos in the record hostnames or values.
If you have many third-party senders, your SPF record may exceed the 10 DNS lookup limit. Consider using an SPF flattening tool or service, consolidating senders, or using subdomains for different services.
Verify your records using an email authentication testing tool. Check that all sending services are included in your SPF record. Confirm DKIM is signing with your custom domain (not the default Microsoft domain). Review DMARC reports for alignment failures.
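As an added example that is not part of the original guide, the following Python checks a domain's SPF, DKIM and DMARC records against the shape described above: the Microsoft 365 SPF include and closing -all directive with the 10-lookup count, the two selector CNAMEs pointing at the tenant's onmicrosoft.com domain, and the DMARC policy tags. Live DNS answers are replaced by a constructed in-memory zone (example.com with a hypothetical tenant name "example" and a made-up vendor include); feed the same functions the TXT and CNAME answers from your own resolver.

```python
# Constructed sample zone standing in for live DNS answers (not real records).
# include:spf.protection.outlook.com and the onmicrosoft.com DKIM CNAME target shape
# are Microsoft's published values; the vendor include is a made-up placeholder.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com "
                             "include:_spf.vendor.example -all"],
    ("selector1._domainkey.example.com", "CNAME"):
        ["selector1-example-com._domainkey.example.onmicrosoft.com"],
    ("selector2._domainkey.example.com", "CNAME"):
        ["selector2-example-com._domainkey.example.onmicrosoft.com"],
    ("_dmarc.example.com", "TXT"):
        ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"],
}
# SPF terms that each consume one of the 10 permitted DNS lookups (RFC 7208).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(domain, zone):
    """Findings for the SPF record: one record, M365 include, -all, <= 10 lookups."""
    spf = [r for r in zone.get((domain, "TXT"), []) if r.startswith("v=spf1 ")]
    if len(spf) != 1:
        return ["exactly one v=spf1 record required, found %d" % len(spf)]
    terms = spf[0].split()[1:]
    lookups = sum(t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]
                  in LOOKUP_MECHS for t in terms)
    return [msg for bad, msg in (
        ("include:spf.protection.outlook.com" not in terms, "missing Microsoft 365 include"),
        (terms[-1] not in ("-all", "~all"), "record must end with -all (or ~all while testing)"),
        (lookups > 10, "%d DNS lookups exceed the limit of 10" % lookups)) if bad]

def check_dkim(domain, tenant, zone):
    """Both selector CNAMEs must point at the tenant's onmicrosoft.com key records."""
    findings = []
    for sel in ("selector1", "selector2"):
        want = f"{sel}-{domain.replace('.', '-')}._domainkey.{tenant}.onmicrosoft.com"
        got = zone.get((f"{sel}._domainkey.{domain}", "CNAME"), [])
        if want not in got:
            findings.append(f"{sel}: expected CNAME {want}, got {got or 'nothing'}")
    return findings

def check_dmarc(domain, zone):
    """Parse _dmarc tags; return (tags, findings) on version, policy and reporting."""
    recs = zone.get((f"_dmarc.{domain}", "TXT"), [])
    if len(recs) != 1:
        return {}, ["exactly one DMARC record required, found %d" % len(recs)]
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    return tags, [msg for bad, msg in (
        (tags.get("v") != "DMARC1", "record must begin with v=DMARC1"),
        (tags.get("p") not in ("none", "quarantine", "reject"), "p= must be none, quarantine or reject"),
        ("rua" not in tags, "no rua= address, so no aggregate reports will arrive")) if bad]
```

An empty findings list means the record matches the expected shape; the tags returned by check_dmarc show which enforcement stage (p= and pct=) the domain is currently at.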
Our team specializes in configuring email authentication for Microsoft 365 environments. We handle the full setup, monitoring, and enforcement progression so you can focus on your business.