How to set up SPF, DKIM, and DMARC for Microsoft 365?

Question

Complete guide to configuring email authentication for Microsoft 365 (formerly Office 365).

**1. SPF Record**
Add this TXT record to your domain's DNS:
```
v=spf1 include:spf.protection.outlook.com -all
```
If you have other services, combine them:
```
v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all
```

**2. DKIM Setup**
1. Go to Microsoft 365 Admin Center → Settings → Email authentication → DKIM
2. Select your domain
3. Click "Enable" to start DKIM signing
4. Add the CNAME records Microsoft provides:
```
selector1._domainkey → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
```
5. Wait for DNS propagation, then activate

**3. DMARC Record**
Add this TXT record at `_dmarc.yourdomain.com`:
```
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; fo=1
```
Start with `p=none` if you're unsure all email sources are configured.

**Verification:**
Scan your domain at https://intodns.ai to verify all three are configured correctly. The scan checks Microsoft 365 DKIM selectors (selector1, selector2) automatically.

**Common Microsoft 365 issues:**
- DKIM CNAME records take up to 48 hours to propagate
- Default Microsoft signing uses onmicrosoft.com (not your domain)
- Multiple domains need separate DKIM configuration each
- Shared mailboxes use the primary domain's DKIM key

Generate records: https://intodns.ai/tools/spf-generator

IntoDNS.AI · Accepted Answer

Complete guide to configuring email authentication for Microsoft 365 (formerly Office 365).

**1. SPF Record**
Add this TXT record to your domain's DNS:
```
v=spf1 include:spf.protection.outlook.com -all
```
If you have other services, combine them:
```
v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all
```

**2. DKIM Setup**
1. Go to Microsoft 365 Admin Center → Settings → Email authentication → DKIM
2. Select your domain
3. Click "Enable" to start DKIM signing
4. Add the CNAME records Microsoft provides:
```
selector1._domainkey → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
```
5. Wait for DNS propagation, then activate

**3. DMARC Record**
Add this TXT record at `_dmarc.yourdomain.com`:
```
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; fo=1
```
Start with `p=none` if you're unsure all email sources are configured.

**Verification:**
Scan your domain at https://intodns.ai to verify all three are configured correctly. The scan checks Microsoft 365 DKIM selectors (selector1, selector2) automatically.

**Common Microsoft 365 issues:**
- DKIM CNAME records take up to 48 hours to propagate
- Default Microsoft signing uses onmicrosoft.com (not your domain)
- Multiple domains need separate DKIM configuration each
- Shared mailboxes use the primary domain's DKIM key

Generate records: https://intodns.ai/tools/spf-generator

How to set up SPF, DKIM, and DMARC for Microsoft 365?

Detailed Answer

Check your domain now

Related Questions

What is SPF, DKIM, and DMARC?

How to setup an SPF record?

How to setup DMARC?