How to Set Up DMARC for Microsoft 365 (Office 365 Guide)

Complete step-by-step guide to configure SPF, DKIM, and DMARC for Microsoft 365. Includes DNS record examples and troubleshooting tips.

December 15, 2025

Introduction

Microsoft 365 (formerly Office 365) is one of the world's most popular business email platforms. While Microsoft provides excellent email infrastructure, configuring proper authentication (SPF, DKIM, DMARC) is critical for security and deliverability.

This guide walks you through complete email authentication setup for Microsoft 365, including important differences from other platforms.

What you'll learn:

  • Configure SPF for Microsoft 365
  • Enable DKIM signing (not enabled by default!)
  • Implement DMARC policy
  • Handle third-party senders
  • Test and verify configuration

Time required: 45-60 minutes

Important: DKIM is NOT Enabled by Default

Unlike Google Workspace, Microsoft 365 does NOT enable DKIM by default. You must manually enable it, even if you're not using custom domains. This is a common source of authentication failures.

Prerequisites

Before starting, ensure you have:

  • ✅ Microsoft 365 admin access
  • ✅ Global Administrator or Exchange Administrator role
  • ✅ Access to your domain's DNS management
  • ✅ List of third-party email services you use

Step 1: Configure SPF for Microsoft 365

1.1: Check Existing SPF Record

First, verify if you have an existing SPF record:

Using our tool: Check SPF Record →

Using PowerShell:

Resolve-DnsName -Name yourdomain.com -Type TXT

1.2: Create SPF Record

For domains using only Microsoft 365:

Create a TXT record at your DNS provider:

  • Name/Host: @ or yourdomain.com
  • Type: TXT
  • Value: v=spf1 include:spf.protection.outlook.com -all

For domains using Microsoft 365 + other services:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:sendgrid.net ~all

1.3: Microsoft 365 SPF Best Practices

Use the correct include

  • For Exchange Online: include:spf.protection.outlook.com
  • NOT include:outlook.com (common mistake)

Choose the right all qualifier

  • -all: Hard fail (strictest, recommended)
  • ~all: Soft fail (more lenient)

Watch the 10 lookup limit

  • include:spf.protection.outlook.com counts as 1 lookup
  • Monitor total lookups: SPF Checker

Common SPF mistakes:

❌ Wrong:

v=spf1 include:outlook.com -all

✅ Correct:

v=spf1 include:spf.protection.outlook.com -all
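
The checks from this section can be run against a record string before it is published. This is an added example, not code from the original guide: the name lint_spf and its messages are illustrative, and it counts only the lookup terms written in the record itself, without resolving the includes.

```python
# Added example: static lint of one SPF TXT value. No DNS queries are made, so
# lookups triggered inside included records are not counted here.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4
M365_INCLUDE = "include:spf.protection.outlook.com"


def lint_spf(record):
    """Return (lookup_terms_in_record, findings) for an SPF record string."""
    terms = record.strip().lower().split()
    if not terms or terms[0] != "v=spf1":
        return 0, ["record does not start with v=spf1"]
    findings, lookups, all_term, bare_terms = [], 0, None, []
    for term in terms[1:]:
        bare = term.lstrip("+-~?")  # drop the qualifier
        bare_terms.append(bare)
        # Mechanism or modifier name: the text before ':', '=' or '/'.
        name = bare.replace("=", ":", 1).split(":", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if bare == "all":
            all_term = term
    if "include:outlook.com" in bare_terms:
        findings.append("include:outlook.com is not the Exchange Online include")
    if M365_INCLUDE not in bare_terms:
        findings.append("missing " + M365_INCLUDE)
    if all_term is None and not any(t.startswith("redirect=") for t in bare_terms):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term is not None and all_term[0] == "~":
        findings.append("~all is soft fail; -all is the strict setting")
    elif all_term is not None and all_term[0] != "-":
        findings.append(all_term + " does not fail unlisted senders")
    if lookups > 10:
        findings.append("%d lookup terms exceed the limit of 10" % lookups)
    return lookups, findings


if __name__ == "__main__":
    # The two records from "Common SPF mistakes" above.
    for rec in ("v=spf1 include:outlook.com -all",
                "v=spf1 include:spf.protection.outlook.com -all"):
        print(rec, "->", lint_spf(rec))
```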

1.4: Verify SPF

Wait 15-30 minutes for DNS propagation, then verify:

Verify SPF →

Or send a test email and check headers for spf=pass.

Step 2: Enable DKIM for Microsoft 365

Critical: DKIM is disabled by default in Microsoft 365. You must enable it manually.

2.1: Create DKIM Keys in Microsoft 365 Admin Center

Method 1: Using Microsoft 365 Defender Portal (Recommended)

  1. Go to Microsoft 365 Defender

  2. Navigate to Email & Collaboration

    • Click "Policies & rules"
    • Click "Threat policies"
    • Click "Email authentication settings"
    • Click "DKIM"
  3. Select Your Domain

    • Click on your domain name
    • Note the two CNAME records displayed

Method 2: Using Exchange Admin Center

  1. Go to Exchange Admin Center

  2. Navigate to Mail Flow → DKIM

    • Find your domain in the list
    • Click on it to view CNAME records

2.2: DKIM DNS Records for Microsoft 365

Microsoft 365 requires two CNAME records (not TXT records like most providers).

You'll see something like:

CNAME 1:

  • Name: selector1._domainkey
  • Points to: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

CNAME 2:

  • Name: selector2._domainkey
  • Points to: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Important notes:

  • Microsoft uses two selectors for key rotation
  • Replace yourdomain-com with your actual domain (dots become dashes)
  • Replace yourtenant with your Microsoft 365 tenant name

2.3: Add DKIM Records to DNS

At your DNS provider, create two CNAME records exactly as shown in the Microsoft portal.

Example for domain example.com:

Name: selector1._domainkey
Type: CNAME
Value: selector1-example-com._domainkey.contoso.onmicrosoft.com

Name: selector2._domainkey
Type: CNAME
Value: selector2-example-com._domainkey.contoso.onmicrosoft.com
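
Typos in these two values are a common reason the enable step fails, so it helps to compare what is published against what is expected. This is an added example, not code from the original guide: the function names are illustrative, the targets follow the naming pattern shown in section 2.2, and the values displayed in the Microsoft portal remain the reference.

```python
# Added example: build the two DKIM CNAME records in the naming pattern shown
# in section 2.2 and compare them with what a zone actually publishes.

ZONE = {  # constructed sample: selector2 still has a dot in the domain part
    "selector1._domainkey.example.com.":
        ("CNAME", "selector1-example-com._domainkey.contoso.onmicrosoft.com."),
    "selector2._domainkey.example.com.":
        ("cname", "selector2-example.com._domainkey.contoso.onmicrosoft.com."),
}


def expected_dkim_cnames(domain, tenant):
    """Map record name -> CNAME target for selector1 and selector2."""
    domain = domain.strip().rstrip(".").lower()
    dashed = domain.replace(".", "-")  # dots become dashes
    return {
        "selector%d._domainkey.%s" % (n, domain):
            "selector%d-%s._domainkey.%s.onmicrosoft.com" % (n, dashed, tenant.lower())
        for n in (1, 2)
    }


def check_dkim_cnames(domain, tenant, published):
    """published: {fqdn: (record_type, value)} from a zone export or lookup."""
    # Normalise case and trailing dots so cosmetic differences are ignored.
    norm = {k.rstrip(".").lower(): (t.upper(), v.rstrip(".").lower())
            for k, (t, v) in published.items()}
    problems = []
    for name, target in expected_dkim_cnames(domain, tenant).items():
        if name not in norm:
            problems.append("%s: not published" % name)
            continue
        rtype, value = norm[name]
        if rtype != "CNAME":
            problems.append("%s: is %s, must be CNAME" % (name, rtype))
        elif value != target:
            problems.append("%s: points to %s, expected %s" % (name, value, target))
    return problems


if __name__ == "__main__":
    for line in check_dkim_cnames("example.com", "contoso", ZONE):
        print(line)
```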

Common DNS provider formats:

Provider | Name Format
GoDaddy | selector1._domainkey
Cloudflare | selector1._domainkey
Namecheap | selector1._domainkey
Google Domains | selector1._domainkey.yourdomain.com

2.4: Enable DKIM Signing

After adding DNS records:

  1. Wait for DNS propagation (15-60 minutes)

  2. Return to Microsoft 365 Defender

    • Email authentication settings → DKIM
    • Find your domain
    • Toggle "Sign messages for this domain with DKIM signatures" to Enabled
  3. Verify Status

    • Status should change to "Enabled"
    • If an error appears, verify the CNAME records and wait longer

Troubleshooting tip: If enabling fails, use nslookup to verify CNAME records:

nslookup -type=CNAME selector1._domainkey.yourdomain.com

2.5: Verify DKIM

Option 1: Use our tool DKIM Checker →

  • Enter domain
  • Try selectors: selector1 and selector2

Option 2: Send test email

  1. Send email from Microsoft 365
  2. View email headers
  3. Look for dkim=pass with both selectors

Step 3: Implement DMARC Policy

3.1: Create DMARC Record

Start with monitoring (p=none):

Create TXT record at your DNS provider:

  • Name: _dmarc
  • Type: TXT
  • Value:
    v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

DMARC tags explained:

  • v=DMARC1: DMARC version
  • p=none: Monitor only (no enforcement)
  • rua=mailto:...: Address that receives aggregate reports
  • fo=1: Send forensic reports on failures

3.2: Set Up Report Collection

Option 1: Microsoft 365 Mailbox

  • Create mailbox: dmarc@yourdomain.com
  • Reports arrive as XML attachments
  • Requires manual parsing
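
For the mailbox option, the parsing can be scripted once the attachment has been unpacked (reports usually arrive compressed). This is an added example, not code from the original guide: the function names and the sample report are constructed, and it assumes a report without an XML namespace.

```python
# Added example: summarise a DMARC aggregate (rua) report per sending IP.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""  # constructed sample using documentation IP ranges


def summarise(xml_text):
    """Return {source_ip: {"total", "dmarc_pass", "dkim_pass", "spf_pass"}}."""
    # Reports come from outside senders: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    stats = defaultdict(lambda: dict(total=0, dmarc_pass=0, dkim_pass=0, spf_pass=0))
    for rec in root.iter("record"):
        row = rec.find("row")
        n = int(row.findtext("count", "0"))
        # policy_evaluated carries the DMARC-aligned DKIM and SPF results.
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        s = stats[row.findtext("source_ip")]
        s["total"] += n
        s["dkim_pass"] += n if dkim == "pass" else 0
        s["spf_pass"] += n if spf == "pass" else 0
        # DMARC passes when either aligned check passes.
        s["dmarc_pass"] += n if "pass" in (dkim, spf) else 0
    return dict(stats)


def failing_sources(xml_text):
    """IPs with at least one message that failed both aligned checks."""
    return sorted(ip for ip, s in summarise(xml_text).items()
                  if s["dmarc_pass"] < s["total"])
```

Sources returned by failing_sources are the ones to identify before moving from p=none to an enforcing policy.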

Option 2: Use DMARC Service

3.3: Progressive DMARC Policies

After 2-4 weeks of monitoring:

Quarantine policy:

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r

Reject policy (maximum protection):

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r

3.4: Verify DMARC

DMARC Checker →

Or use command line:

nslookup -type=TXT _dmarc.yourdomain.com

Step 4: Handle Third-Party Senders

Microsoft 365 users often send email through additional services.

4.1: Common Third-Party Services

Marketing platforms:

  • Mailchimp: Add to SPF + configure DKIM
  • HubSpot: Add to SPF + enable DKIM
  • SendGrid: Add to SPF + configure DKIM

CRM and support:

  • Dynamics 365: Usually included in Microsoft 365 SPF
  • Salesforce: Add to SPF
  • Zendesk: Configure custom domain

Transactional email:

  • SendGrid, Mailgun, AWS SES: Require SPF + DKIM setup

4.2: Configuring Third-Party Services

For each service:

  1. Add to SPF record

    v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all
  2. Configure DKIM at the service

    • Generate DKIM keys in service settings
    • Add DKIM DNS records (usually TXT or CNAME)
    • Enable DKIM signing
  3. Test thoroughly before production use

Step 5: Microsoft 365 Specific Considerations

5.1: Hybrid Deployments (On-Premises + Cloud)

If you have hybrid Exchange:

SPF record should include both:

v=spf1 include:spf.protection.outlook.com ip4:YOUR_ONPREM_IP ~all

DKIM: Enable for Exchange Online (cloud) portion

DMARC: Monitor carefully during migration

5.2: Multiple Domains

For multiple domains in Microsoft 365:

  • Configure SPF for each domain
  • Enable DKIM for each domain (separate CNAME records)
  • Implement DMARC per domain

5.3: Shared Mailboxes

Shared mailboxes send from the same domain—no special SPF/DKIM configuration needed.

5.4: Mail Flow Rules

If you use mail flow rules (transport rules) that modify messages, be aware:

  • DKIM signatures may break if content changes
  • Test thoroughly after creating rules

Step 6: Testing and Verification

6.1: Send Test Emails

Test internal Microsoft 365 email:

  1. Send between M365 users
  2. Check headers for authentication results

Test external delivery:

  1. Send to Gmail, Yahoo, Outlook.com
  2. Verify spf=pass, dkim=pass, dmarc=pass

6.2: Check Headers

In Outlook desktop/web:

  1. Open email
  2. File → Properties (desktop) or View → View message details (web)
  3. Look for Authentication-Results header

What you want to see:

Authentication-Results: spf=pass; dkim=pass; dmarc=pass

6.3: Use Testing Tools

Mail-tester.com:

  • Send email to provided address
  • Get spam score (target: 10/10)

Troubleshooting Common Issues

Issue: DKIM won't enable

Symptoms: Error when trying to enable DKIM in portal

Causes:

  • CNAME records not published
  • DNS propagation not complete
  • Incorrect CNAME values

Solution:

  1. Verify both CNAME records with nslookup
  2. Wait 1-2 hours for DNS propagation
  3. Check for typos in CNAME values
  4. Try again

Issue: SPF fails for Microsoft 365 emails

Symptoms: spf=fail or spf=softfail in headers

Causes:

  • Using wrong SPF include
  • Missing SPF record entirely
  • SPF record syntax error

Solution:

  • Verify SPF includes spf.protection.outlook.com
  • Check for typos in SPF record
  • Use SPF Checker to validate

Issue: DMARC alignment fails

Symptoms: SPF and DKIM pass, but DMARC fails

Causes:

  • "From" address doesn't match authenticated domain
  • Using non-aligned alias or shared mailbox
  • Third-party service not configured correctly
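
The header check from section 6.2 and the alignment failure described here can be reproduced offline. This is an added example, not code from the original guide: the function names and both sample headers are constructed, only the first dkim result in a header is read, and the organizational domain is approximated by the last two labels.

```python
# Added example: explain a DMARC verdict from an Authentication-Results header.
import re

# Constructed samples. In H_FAIL a third-party sender authenticates its own domain.
H_FAIL = ("spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.mailer.example; "
          "dkim=pass (signature was verified) header.d=mailer.example; "
          "dmarc=fail action=none header.from=example.com")
H_PASS = ("spf=pass (sender IP is 192.0.2.20) smtp.mailfrom=mail.example.com; "
          "dkim=pass (signature was verified) header.d=example.com; "
          "dmarc=pass action=none header.from=example.com")


def org_domain(domain):
    # Assumption: last two labels. Real evaluators use the Public Suffix List,
    # so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def explain_dmarc(header, adkim="r", aspf="r"):
    """Return which of SPF and DKIM passed AND aligned with the From domain."""
    def grab(pattern):
        m = re.search(pattern, header, re.I)
        return m.group(1).lower() if m else None
    spf, dkim = grab(r"\bspf=(\w+)"), grab(r"\bdkim=(\w+)")
    mailfrom = grab(r"smtp\.mailfrom=([^\s;]+)")
    if mailfrom and "@" in mailfrom:
        mailfrom = mailfrom.rsplit("@", 1)[1]  # keep only the domain part
    dkim_d, hfrom = grab(r"header\.d=([^\s;]+)"), grab(r"header\.from=([^\s;]+)")
    spf_ok = spf == "pass" and aligned(mailfrom, hfrom, aspf)
    dkim_ok = dkim == "pass" and aligned(dkim_d, hfrom, adkim)
    return {"from": hfrom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    print(explain_dmarc(H_FAIL))
    print(explain_dmarc(H_PASS, aspf="s"))
```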

Solution:

Microsoft 365 vs Google Workspace Differences

Feature | Microsoft 365 | Google Workspace
DKIM Default | Disabled | Enabled
DKIM Records | 2 CNAME records | 1 TXT record
Selectors | selector1, selector2 | google (or custom)
SPF Include | spf.protection.outlook.com | _spf.google.com
Admin Portal | Defender or Exchange Admin | Google Admin

The Bottom Line

Setting up email authentication for Microsoft 365 requires:

  1. SPF: Add include:spf.protection.outlook.com to DNS
  2. DKIM: Manually enable (not default!) with two CNAME records
  3. DMARC: Start with p=none, monitor, then enforce

Key Microsoft 365 differences:

  • DKIM must be enabled manually
  • Uses CNAME records (not TXT) for DKIM
  • Requires two DKIM selectors
  • Different admin portals for configuration

Timeline:

  • Setup: 45-60 minutes
  • DNS propagation: 1-2 hours
  • Monitoring: 2-4 weeks
  • Full enforcement: 6-12 weeks

Next Steps

Verify your Microsoft 365 email security:

  1. Check SPF: SPF Checker →
  2. Verify DKIM: DKIM Checker →
  3. Test DMARC: DMARC Checker →
  4. Complete audit: Domain Score →

Need help with DMARC reports?

Microsoft 365 sends DMARC reports in XML format that's difficult to read. Our platform provides:

  • Automated parsing
  • Visual dashboards
  • Alerts for issues
  • Policy recommendations
