Setup Guide

How to Set Up SPF, DKIM, and DMARC for Microsoft 365

Microsoft 365 (formerly Office 365) is one of the most widely used business email platforms. Configuring SPF, DKIM, and DMARC correctly ensures your emails are delivered reliably and protects your domain from being spoofed.

This guide covers the DNS records and configuration steps required for full email authentication with Microsoft 365.

SPF Configuration

Microsoft 365 uses a single SPF include that covers all of its sending infrastructure, including Exchange Online and Microsoft-hosted outbound mail servers.

DNS Record:

Type:  TXT
Host:  @
Value: v=spf1 include:spf.protection.outlook.com -all

If you have additional sending services, combine them into one record:

v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all

Microsoft recommends -all (hard fail) rather than ~all (soft fail) for domains exclusively using Microsoft 365. If you're still configuring other services, use ~all until everything is in place.

Note: spf.protection.outlook.com typically consumes 2–3 DNS lookups. Verify your total with the SenderClarity SPF Checker.

DKIM Configuration

Microsoft 365 supports DKIM signing through the Defender portal. Unlike Google Workspace, Microsoft uses two CNAME records instead of TXT records for DKIM.

  1. Sign in to the Microsoft Defender portal (security.microsoft.com).
  2. Navigate to Email & Collaboration → Policies & Rules → Threat policies → Email authentication settings → DKIM.
  3. Select your domain.
  4. Microsoft will display two CNAME records to add to your DNS:
Type:  CNAME
Host:  selector1._domainkey
Value: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

Type:  CNAME
Host:  selector2._domainkey
Value: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

The exact values will include your specific domain name. Copy them directly from the Defender portal.

  5. Add both CNAME records to your DNS.
  6. Return to the Defender portal and toggle DKIM signing to Enabled.

Microsoft uses two selectors for key rotation. When a key is rotated, traffic shifts to the other selector automatically.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Once you've confirmed all legitimate mail passes SPF and DKIM via your DMARC reports, move toward enforcement:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

Verification

After configuring all three records:

  • Check your SPF record
  • Send a test email from Outlook and check the message headers for spf=pass, dkim=pass, dmarc=pass
  • Review DMARC aggregate reports in SenderClarity for any failing sources

Common Issues

DKIM toggle won't enable: The most common cause is DNS propagation delay. CNAME records can take up to 48 hours to propagate. If it still fails, double-check the CNAME host and value match exactly — even small typos (extra dots, wrong domain format) will prevent activation.

SPF failures from shared/delegated sending: If your organization uses Microsoft 365 shared mailboxes or Power Automate to send email, these should be covered by the standard SPF include. However, third-party connectors or relays may require additional SPF entries.

Emails from onmicrosoft.com subdomain: If users send from the default @yourdomain.onmicrosoft.com address instead of your custom domain, those messages won't align with your domain's DMARC policy. Ensure all users are configured to send from your custom domain.
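
The header check from the Verification section can be scripted. The following is an added example, not code from Microsoft or SenderClarity: it parses an Authentication-Results header value, reports any of spf, dkim, dmarc that is not pass, and flags a DKIM signing domain (such as an onmicrosoft.com one) that does not match the From domain. The sample headers and example.com are constructed, the function names are hypothetical, and the alignment test is an approximation that does not consult the Public Suffix List.

```python
import re

# Constructed sample header values (not from real messages); example.com is a placeholder.
SAMPLE_OK = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.com; "
    "dkim=pass (signature was verified) header.d=example.com; "
    "dmarc=pass action=none header.from=example.com;compauth=pass reason=100"
)
# Constructed: DKIM verifies, but the signing domain is an onmicrosoft.com one.
SAMPLE_UNALIGNED = (
    "spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.com; "
    "dkim=pass (signature was verified) header.d=example.onmicrosoft.com; "
    "dmarc=fail action=none header.from=example.com;compauth=fail reason=000"
)

def parse_auth_results(value):
    """Return {method: {"result": ..., property: ...}} for spf, dkim and dmarc."""
    out = {}
    for clause in value.split(";"):
        clause = re.sub(r"\([^)]*\)", " ", clause)  # drop parenthesised comments
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if m:  # assumption: one result per method; a later one overwrites
            entry = {"result": m.group(2).lower()}
            entry.update(re.findall(r"((?:smtp|header)\.\w+)=(\S+)", clause))
            out[m.group(1).lower()] = entry
    return out

def aligned(domain, from_domain):
    """Approximate relaxed alignment: equal, or one is a subdomain of the other."""
    a, b = domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check(value):
    """Return a list of findings; an empty list means all three checks passed."""
    r = parse_auth_results(value)
    findings = [f"{m}={r.get(m, {}).get('result', 'missing')}"
                for m in ("spf", "dkim", "dmarc")
                if r.get(m, {}).get("result") != "pass"]
    from_dom = r.get("dmarc", {}).get("header.from")
    dkim_dom = r.get("dkim", {}).get("header.d")
    if from_dom and dkim_dom and not aligned(dkim_dom, from_dom):
        findings.append(f"dkim signed by {dkim_dom}, not aligned with {from_dom}")
    return findings

if __name__ == "__main__":
    for name, header in (("ok", SAMPLE_OK), ("unaligned", SAMPLE_UNALIGNED)):
        print(name, check(header) or "all pass")
```
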

SPF Lookup Impact

Include:            spf.protection.outlook.com
Estimated Lookups:  2–3