This guide walks you through adding DMARC, SPF, and DKIM DNS records in Microsoft Azure DNS. Azure DNS is commonly used by organisations running workloads on Azure, often in conjunction with Microsoft 365 for email.
📋 Before You Start
Make sure you have:
- An Azure account with access to your subscription
- A DNS zone created for your domain in Azure DNS
- Appropriate RBAC role (at minimum, DNS Zone Contributor)
- Your DMARC record — use our DMARC Record Generator
- Your SPF record value from your email provider
Finding Your DNS Zone in Azure
- Log in to the Azure Portal at portal.azure.com
- Search for “DNS zones” in the top search bar
- Click on your domain name in the DNS zones list
- You’ll see an overview of your DNS zone with existing record sets
Step 1: Add Your DMARC Record
- In your DNS zone, click + Record set at the top
- Fill in the fields:
  - Name: _dmarc
  - Type: TXT
  - TTL: 3600 (1 hour)
  - Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- Click OK to save
💡 Pro Tip
Azure DNS automatically creates the full DNS name. Enter just _dmarc in the Name field. Azure will display it as _dmarc.yourdomain.com in the record set list.
Step 2: Add or Update Your SPF Record
- Check for an existing SPF record: Look at the @ (root) TXT record set for a value starting with v=spf1
- If it exists: Click the record set → modify the value → click Save
- If not: Click + Record set and fill in:
  - Name: @
  - Type: TXT
  - TTL: 3600
  - Value: v=spf1 include:spf.protection.outlook.com ~all
- Click OK
⚠️ Common Mistake
Azure DNS allows multiple values in a single TXT record set. This is different from having multiple TXT record sets. Your SPF record should be a single value within the @ TXT record set. Don’t create a separate TXT record set with the same name. See SPF Record Syntax.
Step 3: Add DKIM Records
- Get your DKIM record from your email provider
- Click + Record set
- For Name, enter the DKIM selector (e.g. selector1._domainkey for Microsoft 365)
- Set Type to CNAME (Microsoft 365 uses CNAME for DKIM) or TXT (other providers)
- Enter the value from your email provider
- Click OK
💡 Microsoft 365 DKIM
Microsoft 365 uses two CNAME records for DKIM: selector1._domainkey and selector2._domainkey. Both point to selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com (with dots replaced by dashes). See DMARC for Microsoft 365 for full details.
Alternative: Using Azure CLI
You can also manage DNS records with the Azure CLI:
# Add DMARC record
az network dns record-set txt add-record \
  --resource-group myResourceGroup \
  --zone-name yourdomain.com \
  --record-set-name _dmarc \
  --value "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

# Add SPF record
# add-record appends a value to the record set; if @ already holds a v=spf1
# value, update that value instead of adding a second one.
az network dns record-set txt add-record \
  --resource-group myResourceGroup \
  --zone-name yourdomain.com \
  --record-set-name "@" \
  --value "v=spf1 include:spf.protection.outlook.com ~all"
💡 Pro Tip: PowerShell
If you prefer PowerShell, use New-AzDnsRecordSet and Add-AzDnsRecordConfig from the Az.Dns module. This is common in enterprise environments using automation.
Azure DNS Tips
✅ Fast Propagation
Azure DNS changes propagate quickly — typically within a few minutes, depending on the TTL of the previous record.
✅ Infrastructure as Code
Azure DNS integrates with ARM templates, Bicep, and Terraform (azurerm_dns_txt_record). Great for version-controlled DNS management.
💡 RBAC Permissions
You need the DNS Zone Contributor role (or equivalent custom role) to add records. Check with your Azure administrator if you get a permissions error.
💡 Resource Group
Azure DNS zones live in resource groups. Make sure you’re looking in the correct subscription and resource group for your domain’s zone.
Verify Your Records
- Use the Domain Checker to verify all records
- In Azure Portal, check the record set to confirm the values are correct
- From CLI: az network dns record-set txt show --resource-group myRG --zone-name yourdomain.com --name _dmarc
- Send a test email and verify the headers show SPF/DKIM/DMARC pass
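A local lint for the two checks this guide stresses, exactly one v=spf1 value in the @ TXT record set and a well-formed _dmarc value, as an added example that is not part of the original guide. The function names lint_spf and lint_dmarc, their return codes, and the sample values are assumptions made for illustration; the input is the TXT values, one per line.

```shell
#!/bin/sh
# Added example (not from the original guide): lint TXT values, one per line
# on stdin, as copied from a record set. Function names are hypothetical.

# lint_spf: 0 = ok, 1 = no SPF value, 2 = several SPF values, 3 = no all/redirect
lint_spf() {
  spf_values=$(grep -iE '^v=spf1( |$)' || true)
  spf_n=$(printf '%s' "$spf_values" | grep -c . || true)
  if [ "$spf_n" -eq 0 ]; then echo "no v=spf1 value found"; return 1; fi
  if [ "$spf_n" -gt 1 ]; then
    echo "$spf_n v=spf1 values: receivers treat this as an SPF error"; return 2
  fi
  # Without a terminal "all" (or redirect=), unmatched senders get a neutral result.
  if ! printf '%s\n' "$spf_values" | grep -qiE '( [-~?+]?all$| redirect=)'; then
    echo "SPF value has no terminal all mechanism or redirect="; return 3
  fi
  echo "SPF ok: $spf_values"
}

# lint_dmarc: 0 = ok, 1 = no DMARC value, 2 = several, 3 = missing/invalid p=
lint_dmarc() {
  dmarc_values=$(grep -E '^v=DMARC1[[:space:]]*(;|$)' || true)
  dmarc_n=$(printf '%s' "$dmarc_values" | grep -c . || true)
  if [ "$dmarc_n" -eq 0 ]; then echo "no v=DMARC1 value found"; return 1; fi
  if [ "$dmarc_n" -gt 1 ]; then echo "$dmarc_n DMARC values at _dmarc"; return 2; fi
  # Split the tag list on ";" and pull out the p= tag (sp= must not match).
  dmarc_p=$(printf '%s\n' "$dmarc_values" | tr ';' '\n' |
    sed -n 's/^[[:space:]]*p[[:space:]]*=[[:space:]]*\([A-Za-z]*\)[[:space:]]*$/\1/p' |
    tr 'A-Z' 'a-z')
  case "$dmarc_p" in
    none) echo "DMARC ok, p=none (monitoring only, no enforcement yet)" ;;
    quarantine|reject) echo "DMARC ok, p=$dmarc_p" ;;
    *) echo "DMARC value has a missing or invalid p= tag"; return 3 ;;
  esac
}

# Constructed sample: the values from this guide plus a made-up verification token.
printf '%s\n' 'v=spf1 include:spf.protection.outlook.com ~all' 'MS=ms00000000' | lint_spf
printf '%s\n' 'v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com' | lint_dmarc
```

A return code of 2 from lint_spf is the situation the Common Mistake note describes: two SPF values published at the same name.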
What’s Next?
- Set up Microsoft 365 email auth: DMARC for Microsoft 365
- Understand your record: DMARC Record Explained
- Plan enforcement: Moving from p=none to p=reject
- Generate your record: DMARC Record Generator