A step-by-step guide to setting up SPF, DKIM, and DMARC for organisations using Microsoft 365 (Exchange Online). Microsoft provides built-in support for email authentication, but you need to configure the DNS records and enable DKIM signing.

Step 1: Configure SPF

Microsoft 365 requires an SPF record that authorises their mail servers. Add this TXT record to your domain’s DNS:

Type: TXT
Host/Name: @
Value: v=spf1 include:spf.protection.outlook.com -all
TTL: 3600 (or default)

Multiple sending services?

Add other includes alongside Microsoft’s. Example with Mailchimp:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all

Watch the 10-lookup limit — Microsoft’s include uses 2–3 lookups.

Step 2: Configure DKIM

Microsoft 365 can sign outgoing emails with DKIM using your custom domain. This requires publishing two CNAME records and enabling signing in the admin portal.

Add DKIM CNAME Records to DNS

Add two CNAME records that point to Microsoft’s DKIM key hosting:

Record 1:
Type: CNAME
Host/Name: selector1._domainkey
Value: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

Record 2:
Type: CNAME
Host/Name: selector2._domainkey
Value: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

💡 Replace your domain: In the CNAME values, replace yourdomain-com with your actual domain, using hyphens instead of dots. For example, example.com becomes example-com.

Enable DKIM Signing in Microsoft 365

  1. Go to the Microsoft Defender portal (security.microsoft.com)
  2. Navigate to Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM
  3. Select your custom domain
  4. Toggle “Sign messages for this domain with DKIM signatures” to Enabled
  5. If you get an error about CNAME records, wait for DNS propagation and try again

Why two selectors? Microsoft uses two selectors for automatic key rotation. When Microsoft rotates the DKIM key, it switches from selector1 to selector2 (and vice versa) without any downtime.

Step 3: Configure DMARC

Add a DMARC record to start monitoring:

Type: TXT
Host/Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=r
TTL: 3600

Use our DMARC Record Generator to customise your record. Start with p=none and progress to enforcement once reports confirm everything is clean. See Moving from p=none to p=reject.

Verify Your Setup

  1. Use our Domain Checker to verify all three records
  2. Send a test email to an external Gmail account
  3. In Gmail, click the three dots → “Show original”
  4. Look for spf=pass, dkim=pass, and dmarc=pass

Common Microsoft 365 Issues

DKIM CNAME not resolving

The most common cause is incorrect formatting. The host should be just selector1._domainkey, not selector1._domainkey.yourdomain.com (most DNS providers append the domain automatically).

SPF alignment failing for shared mailboxes

Shared mailboxes and distribution groups send through the same Exchange Online infrastructure and are covered by the same SPF record. If alignment is failing, check that the “Send As” address matches your domain.

Emails from on-premises Exchange (hybrid)

If you have a hybrid Exchange setup, on-premises servers also need to be included in SPF. Add the public IP of your on-premises mail server: ip4:YOUR.SERVER.IP.

Microsoft 365 built-in DMARC handling

Microsoft 365 now has a built-in DMARC management feature in the Defender portal. This can complement but does not replace publishing your own DNS records. You still need the TXT records in DNS.
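As an added example (not code from the original guide), the Python helper below builds the two expected DKIM CNAME records from a domain, flags the host-formatting mistake described above, counts the lookup-costing terms in an SPF record, and reads the spf/dkim/dmarc verdicts from an Authentication-Results header of the kind Gmail's “Show original” displays. The tenant name (contoso), the example.com domain and the sample header are constructed assumptions.

```python
import re

SELECTORS = ("selector1", "selector2")

def expected_dkim_cnames(domain: str, tenant: str) -> dict:
    """Host -> CNAME target for both Microsoft 365 DKIM selectors.
    domain: custom domain (example.com); tenant: onmicrosoft.com name (assumed)."""
    hyphenated = domain.lower().replace(".", "-")  # example.com -> example-com
    return {f"{s}._domainkey":
            f"{s}-{hyphenated}._domainkey.{tenant}.onmicrosoft.com"
            for s in SELECTORS}

def check_dkim_host(host: str, domain: str) -> list:
    """Flag the common mistake of entering the host with the domain appended."""
    problems = []
    h = host.strip().lower().rstrip(".")
    if h.endswith("." + domain.lower()):
        problems.append("host includes the domain; enter just selectorN._domainkey")
        h = h[:-(len(domain) + 1)]
    if h not in {f"{s}._domainkey" for s in SELECTORS}:
        problems.append(f"unexpected host {host!r}")
    return problems

def spf_lookup_terms(record: str) -> int:
    """Count terms in one SPF record that each cost a DNS lookup. Nested
    includes are not followed, so this is a lower bound against the 10-lookup limit."""
    n = 0
    for term in record.split()[1:]:
        t = term.lstrip("+-~?").lower()
        if (t in ("a", "mx", "ptr") or t.startswith(("a:", "a/", "mx:", "mx/",
                "ptr:", "include:", "exists:", "redirect="))):
            n += 1
    return n

VERDICT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")

def auth_results(header: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts (first verdict per method wins)."""
    out = {}
    for method, verdict in VERDICT.findall(header.lower()):
        out.setdefault(method, verdict)
    return out

# Constructed sample header (not a real message); 203.0.113.10 is a documentation IP.
SAMPLE_HEADER = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=selector1 header.b=AbCd12;
       spf=pass (google.com: domain of user@example.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=user@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com"""
```

Compare the output of expected_dkim_cnames with what your DNS provider shows, and paste the Authentication-Results block from the test message into auth_results to confirm all three verdicts are pass.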

Summary Checklist

  • ☐ SPF TXT record at @ with include:spf.protection.outlook.com
  • ☐ Only one SPF record per domain
  • ☐ DKIM CNAME records: selector1._domainkey and selector2._domainkey
  • ☐ DKIM signing enabled in Microsoft Defender portal
  • ☐ DMARC TXT record at _dmarc with p=none
  • ☐ Test email confirms SPF PASS, DKIM PASS, DMARC PASS
  • ☐ Aggregate reports arriving after 24–48 hours