How to Set Up DMARC for Microsoft 365 (Office 365)
Step-by-step guide to configuring DMARC for Microsoft 365. Learn how to enable DKIM, configure SPF, and add your DMARC record.
Setting up DMARC for Microsoft 365 requires configuring SPF, enabling DKIM signing, and publishing your DMARC record. This guide covers each step for custom domains in Microsoft 365.
Prerequisites
Before starting, ensure you have:
- Microsoft 365 admin access
- A custom domain added to Microsoft 365
- Access to your domain's DNS settings
- DNS hosting (either at Microsoft or external)
Step 1: Configure SPF for Microsoft 365
Microsoft 365 needs SPF configured to authorize its mail servers to send for your domain.
Check Your Current SPF
Use SPF Record Check to see your current SPF configuration.
Add or Update Your SPF Record
Your SPF record should include Microsoft 365:
v=spf1 include:spf.protection.outlook.com ~all
If you have other sending services:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all
Add this as a TXT record at your root domain.
One SPF record only
You can only have one SPF record per domain. Merge all include statements into a single record.
Step 2: Enable DKIM in Microsoft 365
DKIM signing in Microsoft 365 requires publishing CNAME records and enabling signing in the admin portal.
Get Your DKIM CNAME Records
Microsoft 365 uses two CNAME records for DKIM:
Selector 1:
| Field | Value |
|---|---|
| Type | CNAME |
| Host | `selector1._domainkey` |
| Points to | `selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com` |
Selector 2:
| Field | Value |
|---|---|
| Type | CNAME |
| Host | `selector2._domainkey` |
| Points to | `selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com` |
Replace:
- `yourdomain-com` with your domain (dots become dashes)
- `yourtenant` with your Microsoft 365 tenant name
Add the CNAME Records to DNS
Add both CNAME records to your DNS. The exact format varies by DNS provider.
Enable DKIM Signing
- Go to the Microsoft 365 Defender portal
- Navigate to Email & collaboration → Policies & rules → Threat policies
- Click Email authentication settings → DKIM
- Select your domain
- Toggle Sign messages for this domain with DKIM signatures to On
If the toggle fails, verify your CNAME records are correctly published and have propagated.
Verify DKIM Is Working
Use DKIM Test with selector selector1 or selector2 to verify your DKIM configuration.
Step 3: Add Your DMARC Record
With SPF and DKIM configured, add your DMARC record.
Start with Monitoring
Begin with a monitoring-only policy:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Add the DMARC TXT Record
Add a TXT record at _dmarc.yourdomain.com:
| Field | Value |
|---|---|
| Type | TXT |
| Host/Name | `_dmarc` |
| Value | `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com` |
| TTL | 3600 |
Verify Your Record
Step 4: Monitor and Enforce
Review Reports
Monitor your DMARC reports for 2-4 weeks. Look for:
- All Microsoft 365 email passing authentication
- Any third-party services failing
- Unexpected sending sources
Progress to Enforcement
Once verified:
Quarantine:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
Reject:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
DNS Hosting in Microsoft 365
If Microsoft hosts your DNS (domain purchased through Microsoft or DNS delegated to Microsoft):
- Go to Microsoft 365 admin center
- Navigate to Settings → Domains
- Select your domain
- Click DNS records
- Add TXT records for SPF and DMARC here
For DKIM, Microsoft may auto-configure the records if they host your DNS.
Third-Party Email Services
If other services send email as your domain:
SPF Updates
Add their servers to your SPF record:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:mailchimp.com ~all
DKIM for Third Parties
Configure each service to sign with your domain. This usually involves:
- Adding CNAME or TXT records they provide
- Enabling authentication in their settings
Check each service's documentation for specific instructions.
Troubleshooting
DKIM Won't Enable
Common causes:
- CNAME records not yet propagated (wait up to 48 hours)
- Incorrect CNAME format (check hostname and target)
- DNS provider doesn't support the required record format
Verify records with:
nslookup -type=CNAME selector1._domainkey.yourdomain.com
SPF Fails
- Verify `include:spf.protection.outlook.com` is in your record
- Check for duplicate SPF records
- Ensure no syntax errors
DMARC Alignment Issues
Microsoft 365 uses your domain for:
- Return-Path (SPF alignment)
- DKIM signing domain (DKIM alignment)
Both should align automatically. If alignment fails:
- Verify DKIM is signing with your domain, not onmicrosoft.com
- Check the From address matches your custom domain
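To see why the onmicrosoft.com signing domain is the usual culprit, here is an added example (not from this guide) that evaluates DMARC identifier alignment the way a receiver does. `example.com`, the tenant name `contoso` and the cases are constructed; `org_domain()` uses a simplified last-two-labels rule as an assumption, where real receivers consult the Public Suffix List.

```python
def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default
    when aspf/adkim are absent) needs only the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_pass(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass,
               aspf="r", adkim="r"):
    """DMARC passes when at least one identifier (Return-Path for SPF, d= for
    DKIM) both authenticated and aligns with the RFC5322.From domain."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, adkim)
    return spf_ok or dkim_ok

# Constructed cases for a tenant whose custom domain is example.com.
CASES = {
    # Direct send from Microsoft 365 with DKIM enabled for the custom domain.
    "direct_dkim_custom": dict(from_domain="example.com", spf_domain="example.com",
                               spf_pass=True, dkim_domain="example.com", dkim_pass=True),
    # Same message after forwarding: SPF breaks, aligned DKIM still carries it.
    "forwarded_dkim_custom": dict(from_domain="example.com", spf_domain="example.com",
                                  spf_pass=False, dkim_domain="example.com", dkim_pass=True),
    # DKIM never enabled for the custom domain: signature is d=contoso.onmicrosoft.com.
    "forwarded_dkim_onmicrosoft": dict(from_domain="example.com", spf_domain="example.com",
                                       spf_pass=False, dkim_domain="contoso.onmicrosoft.com",
                                       dkim_pass=True),
    # Subdomain in From with strict alignment (aspf=s; adkim=s) in the DMARC record.
    "subdomain_strict": dict(from_domain="mail.example.com", spf_domain="example.com",
                             spf_pass=True, dkim_domain="example.com", dkim_pass=True,
                             aspf="s", adkim="s"),
}

def evaluate_cases(cases=CASES):
    """Map each constructed case name to its DMARC pass/fail result."""
    return {name: dmarc_pass(**kw) for name, kw in cases.items()}

if __name__ == "__main__":
    for name, ok in evaluate_cases().items():
        print(f"{name:30s} {'pass' if ok else 'fail'}")
```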
Reports Not Arriving
- Verify the rua email address exists
- Check if the mailbox is on Microsoft 365 (reports may be filtered)
- Create a rule to prevent DMARC reports from going to junk
Complete Setup Checklist
- [ ] SPF record includes `spf.protection.outlook.com`
- [ ] DKIM CNAME records added (selector1 and selector2)
- [ ] DKIM enabled in Microsoft 365 Defender portal
- [ ] DKIM verification passes
- [ ] DMARC record added at `_dmarc.yourdomain.com`
- [ ] Test email shows DMARC pass in headers
- [ ] Reports arriving at rua address
- [ ] Third-party services configured (if applicable)
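The DNS-side items of this checklist can be checked offline against records you have looked up. The following is an added example (not from this guide or from Microsoft); `DOMAIN`, `TENANT` and the `DNS` dict are constructed sample answers standing in for real lookups, and the CNAME target format follows the selector tables above.

```python
# Constructed sample data: what lookups return for a tenant that followed this guide.
DOMAIN = "example.com"
TENANT = "contoso"
DNS = {
    (DOMAIN, "TXT"): [
        "v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all",
        "google-site-verification=placeholder",   # unrelated TXT, must be ignored
    ],
    (f"selector1._domainkey.{DOMAIN}", "CNAME"): [
        "selector1-example-com._domainkey.contoso.onmicrosoft.com."],
    (f"selector2._domainkey.{DOMAIN}", "CNAME"): [
        "selector2-example-com._domainkey.contoso.onmicrosoft.com."],
    (f"_dmarc.{DOMAIN}", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

def expected_dkim_target(selector, domain, tenant):
    """Microsoft 365 CNAME target: dots in the custom domain become dashes."""
    return f"{selector}-{domain.replace('.', '-')}._domainkey.{tenant}.onmicrosoft.com"

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def check_setup(domain, tenant, dns):
    """Return checklist item -> bool for the records in `dns`."""
    results = {}
    spf = [r for r in dns.get((domain, "TXT"), []) if r.lower().startswith("v=spf1")]
    results["one_spf_record"] = len(spf) == 1   # two SPF records is a permerror
    results["spf_includes_m365"] = any("include:spf.protection.outlook.com" in r for r in spf)
    for sel in ("selector1", "selector2"):
        found = dns.get((f"{sel}._domainkey.{domain}", "CNAME"), [])
        targets = [t.rstrip(".").lower() for t in found]   # ignore trailing dot
        results[f"dkim_{sel}_cname"] = targets == [expected_dkim_target(sel, domain, tenant)]
    dmarc = [r for r in dns.get((f"_dmarc.{domain}", "TXT"), []) if r.startswith("v=DMARC1")]
    results["one_dmarc_record"] = len(dmarc) == 1
    tags = parse_dmarc(dmarc[0]) if dmarc else {}
    results["dmarc_policy_set"] = tags.get("p") in ("none", "quarantine", "reject")
    results["dmarc_rua_set"] = tags.get("rua", "").startswith("mailto:")
    return results

if __name__ == "__main__":
    for item, ok in check_setup(DOMAIN, TENANT, DNS).items():
        print(f"[{'x' if ok else ' '}] {item}")
```

Feed it the output of `nslookup` or `dig` for your own domain and tenant to get a pass/fail line per checklist item.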
Monitor Your DMARC Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.