How to Set Up DMARC for Microsoft 365

Microsoft 365 (formerly Office 365) handles DKIM signing through the Microsoft 365 Defender portal. SPF is configured via DNS, and Microsoft uses two rotating DKIM selectors (selector1 and selector2) for key rotation and redundancy.

This guide walks you through configuring SPF, DKIM, and DMARC for Microsoft 365 so your emails are fully authenticated and your domain is protected from spoofing. Proper configuration ensures your messages reach the inbox and comply with the requirements of Gmail, Yahoo, and Microsoft Outlook.

SPF Configuration

SPF (Sender Policy Framework) authorizes Microsoft 365's mail servers to send email on behalf of your domain. Add the following include directive to your existing SPF record:

v=spf1 include:spf.protection.outlook.com ~all

If you already have an SPF record with other include directives, add include:spf.protection.outlook.com before the ~all or -all mechanism. For example:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

Important: You can only have one SPF record per domain. If you have multiple sending services, combine all include directives into a single record. SPF also has a 10 DNS lookup limit - exceeding this will cause SPF to fail. Use our SPF Checker to verify your record stays within limits.

DKIM Configuration

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails, proving they were not altered in transit. For Microsoft 365, the DKIM selector(s) used are: selector1, selector2.

DKIM is configured by adding a TXT or CNAME record to your DNS at the selector subdomain (e.g., selector1._domainkey.yourdomain.com). The exact record value is generated by Microsoft 365 in their admin console or dashboard. Follow the provider-specific steps below to generate and publish your DKIM record.

After adding the DKIM record, use our DKIM Checker to verify the record is published correctly and the signature can be validated.

DMARC Record

Once SPF and DKIM are configured for Microsoft 365, publish a DMARC record to tie everything together. Add the following TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

Start with p=none to monitor authentication results without affecting mail delivery. The rua tag specifies where aggregate reports are sent, and fo=1 ensures you receive failure reports for any mechanism failure. After 2-4 weeks of monitoring, gradually move to p=quarantine and then p=reject for full protection.

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; fo=1

Step-by-Step Setup

Follow these Microsoft 365-specific steps to configure email authentication for your domain:

1. Sign in to the Microsoft 365 Defender portal at security.microsoft.com.
2. Navigate to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM.
3. Select your domain and toggle 'Sign messages for this domain with DKIM signatures' to enabled.
4. Microsoft will provide two CNAME records (selector1._domainkey and selector2._domainkey) to add to your DNS.
5. Add both CNAME records to your DNS provider and wait for propagation.
6. Return to the Defender portal and confirm DKIM signing is active for your domain.
7. Verify your SPF record includes 'include:spf.protection.outlook.com' and ends with '-all' or '~all'.
8. Publish your DMARC record at _dmarc.yourdomain.com with p=none to begin monitoring.
9. Monitor DMARC aggregate reports for 2-4 weeks before increasing enforcement.

Verify Your Setup

After completing the configuration, use our free tools to verify that SPF, DKIM, and DMARC are all correctly configured for your domain:

• DMARC Checker - Validate your DMARC record syntax, policy, and reporting configuration.
• SPF Checker - Verify your SPF record includes all authorized senders and stays within the 10 DNS lookup limit.
• DKIM Checker - Confirm your DKIM public key is published correctly and can validate signatures.

If any of these checks fail, review the steps above and ensure all DNS records have fully propagated. DNS changes can take up to 48 hours, though most propagate within a few hours.

Continuous Monitoring with Inbox Insignia

Setting up DMARC is just the beginning. Email authentication requires ongoing monitoring to catch configuration drift, new sending sources, and authentication failures before they impact deliverability. Inbox Insignia provides automated DMARC monitoring, aggregate report parsing, and compliance scoring for all your domains.

to start monitoring your Microsoft 365 email authentication and receive alerts when your SPF, DKIM, or DMARC configuration needs attention.