SPF, DKIM, and DMARC for Microsoft 365: complete setup guide
A complete walkthrough for publishing SPF, DKIM, and DMARC on a Microsoft 365 (Exchange Online) tenant, plus the four behaviours that trip up almost every tenant: SPF include depth, custom-domain DKIM, mail-enabled groups, and connector-routed mail.
TL;DR
- 1 SPF: publish v=spf1 include:spf.protection.outlook.com -all. The include counts as 2 of your 10 DNS lookups.
- 2 DKIM: enable custom-domain DKIM in the Defender portal and publish the two selector1/selector2 CNAMEs, or mail signs with onmicrosoft.com and never aligns.
- 3 DMARC: start at p=none with rua, watch reports, then ramp to p=quarantine and p=reject.
Watch
Publish SPF, enable DKIM (selector1/selector2 CNAMEs) in the Defender portal, add DMARC, and ramp.
What it does
This guide gets all three email-authentication records live for a Microsoft 365 tenant. SPF authorises Microsoft's outbound servers to send as your domain, DKIM cryptographically signs your mail with a key under your own domain, and DMARC ties them together with an alignment check and tells receivers what to do on failure.
Microsoft 365 (Exchange Online + Defender for Office 365) handles outbound DKIM signing for your custom domain only if you explicitly enable it per-domain in the Defender portal. If you skip this step, every message you send signs with d=tenant.onmicrosoft.com, which can never align with your From: domain, so DMARC fails on DKIM.
Inbound DMARC behaviour changed materially in 2024: Microsoft now honours p=quarantine and p=reject on inbound messages (it used to silently downgrade to spam-fold). Separately, Microsoft's bulk-sender requirements (effective May 5 2025) route high-volume mail (5,000+/day) that fails SPF/DKIM/DMARC to the Junk folder rather than bouncing it, so non-compliant senders to M365 mailboxes land in Junk.
Step 1: Set up SPF for Microsoft 365
Microsoft 365 sends through a fixed set of Exchange Online servers, all covered by one include. You add that include to a single SPF TXT record at your domain apex.
-
1
Publish a TXT record at your domain apex (yourdomain.com) with the value: v=spf1 include:spf.protection.outlook.com -all
-
2
If you also send from other services (a CRM, a marketing platform, a help desk), add each one's include to the same single SPF record. You can only have one SPF TXT record per domain.
-
3
Use a hard fail (-all) once you are confident every legitimate sender is listed. Use a soft fail (~all) while you are still discovering senders.
spf.protection.outlook.com expands to 2 DNS lookups, leaving 8 of your 10-lookup budget for everything else. Adding Mimecast, Proofpoint, and a few SaaS includes can blow the limit and cause a PermError. Use the SPF lookup tool to count, and flatten if needed.
Step 2: Set up DKIM for Microsoft 365
Custom-domain DKIM is OFF by default on Microsoft 365. You publish two CNAMEs, then flip DKIM signing on in the Defender portal. Microsoft hosts the actual keys, so you publish CNAMEs that point at Microsoft, not the key text itself.
Selector: selector1 and selector2 (Microsoft uses two selectors and rotates between them)
-
1
In the Microsoft Defender portal, go to Email & collaboration -> Policies & rules -> Threat policies -> Email authentication settings -> DKIM, and select your custom domain. (Verify the exact menu path in your current portal -- Microsoft renames these panels periodically.)
-
2
The portal shows two CNAME records to publish: selector1._domainkey.yourdomain and selector2._domainkey.yourdomain, each pointing at a selector1-/selector2- host under your tenant's onmicrosoft.com domain.
-
3
Publish both CNAMEs in your DNS exactly as shown. The targets embed your domain (dashed) and your tenant prefix.
-
4
Wait for DNS to propagate (around 30 minutes), then return to the DKIM panel and toggle 'Sign messages for this domain with DKIM signatures' to Enabled. The status flips to signing once the CNAMEs resolve.
-
5
Verify with the DKIM checker against selector1._domainkey.yourdomain.
Replace tenant with your real onmicrosoft.com prefix and yourdomain-com with your dashed domain. If the keys default to 1024-bit, rotate them to 2048-bit in the same DKIM panel.
Step 3: Publish DMARC
-
1
With SPF and DKIM both live and aligning, publish your DMARC record at _dmarc.yourdomain. Start at p=none so receivers report but take no action.
-
2
Add a rua address to collect daily aggregate reports. Microsoft's reports arrive from a protection.outlook.com sender.
-
3
Watch the reports for a couple of weeks. Confirm every legitimate sender (Exchange Online, your CRM, your marketing platform) is passing and aligned.
-
4
Move to p=quarantine, then to p=reject once the only remaining failures are unknown or spoofed sources. See the DMARC rollout playbook for the full ramp.
Example record
Common pitfalls
-
Forgetting to enable custom-domain DKIM. Outbound mail signs as tenant.onmicrosoft.com, never aligns, fails DMARC.
-
Hitting the SPF 10-lookup limit. spf.protection.outlook.com + Mimecast/Proofpoint + a few SaaS includes blows the budget. Flatten or remove rarely-used includes.
-
Mail-enabled security groups: when a member of a group sends to the group, Exchange rewrites the From, breaking alignment for downstream receivers. Use Modern Groups or shared mailboxes instead.
-
Connector-routed mail (third-party scanner -> M365 -> recipient) loses DKIM alignment if the scanner re-signs. Configure the connector to skip signing or pre-sign with your selector before routing.
FAQ
Why does my Microsoft 365 mail fail DMARC even with SPF passing?▾
Almost always because custom-domain DKIM was never enabled, so mail signs with d=tenant.onmicrosoft.com instead of your domain. SPF can pass while DKIM fails alignment, and forwarded mail breaks SPF, so you need aligned DKIM for a reliable DMARC pass. Enable DKIM in the Defender portal and publish the two selector CNAMEs.
Do I need both SPF and DKIM for Microsoft 365?▾
DMARC passes if either SPF or DKIM aligns, but you should set up both. DKIM survives forwarding and mailing lists where SPF breaks, so DKIM is the more robust of the two. SPF is still worth publishing as a second authenticated path and because some receivers weigh it.
What SPF record does Microsoft 365 need?▾
A single TXT record at your domain apex: v=spf1 include:spf.protection.outlook.com -all. Add any other sending services to the same record, and watch the 10-lookup limit because the Outlook include alone uses 2.
Where do I generate the DKIM key in Microsoft 365?▾
You do not paste a key. Microsoft hosts the keys and you publish two CNAMEs (selector1 and selector2) that point at your tenant's onmicrosoft.com domain, then toggle DKIM signing on in the Defender portal's email authentication settings. Verify the current menu path in your portal, as Microsoft renames these panels.