What you'll accomplish
- • Set up SPF for Microsoft 365
- • Enable DKIM signing for your domains
- • Create and publish your DMARC policy
- • Configure DMARC reporting
- • Test your complete setup
Prerequisites
Microsoft 365 Admin Access
Global administrator or Exchange administrator role
DNS Management Access
Ability to add TXT and CNAME records to your domain's DNS
Verified Domain
Your domain must be added and verified in Microsoft 365
Step 1: Set Up SPF for Microsoft 365
SPF authorizes Microsoft's mail servers to send email on behalf of your domain.
Add SPF Record to DNS
Add this TXT record to your domain's DNS at the root level:
Type: TXT
Name: @ (or your domain)
Value:
v=spf1 include:spf.protection.outlook.com -all
If you already have an SPF record:
Don't create a second SPF record! A domain with two v=spf1 TXT records fails SPF evaluation with a permanent error at every receiver. Instead, add include:spf.protection.outlook.com to your existing SPF record, before the final -all or ~all.
Important: Microsoft recommends ending the record with -all (hard fail) so that receivers that do not enforce DMARC still reject mail from unlisted sources. For DMARC itself the qualifier makes no difference: DMARC only counts an aligned SPF "pass", and a softfail (~all) and a fail (-all) are both treated as not passing. Keep ~all only while you are still discovering legitimate senders that are missing from the record, then switch to -all.
Step 2: Enable DKIM Signing
DKIM adds cryptographic signatures to your emails. Microsoft 365 makes this easy with automatic key management.
Enable DKIM in Microsoft 365 Admin Center
- 1
Access Security Admin Center
Go to security.microsoft.com
- 2
Navigate to DKIM Settings
Go to Email & Collaboration → Policies & Rules → Threat policies → DKIM
- 3
View DKIM Records
Select your domain from the list to see the required CNAME records
- 4
Copy DKIM CNAME Records
Microsoft will show you two CNAME records that need to be added to DNS
Add DKIM CNAME Records to DNS
Add both CNAME records to your DNS (values will be specific to your domain):
Record 1:
Type: CNAME
Name: selector1._domainkey
Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Record 2:
Type: CNAME
Name: selector2._domainkey
Value: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Enable DKIM Signing
- 5
Wait for the CNAME records to propagate; this usually takes minutes but can take up to 48 hours depending on your DNS provider's TTLs
- 6
Return to the DKIM page in Microsoft 365 Security Center
- 7
Toggle the switch to "Enable" for your domain
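The two CNAMEs follow a fixed pattern (every dot in the custom domain becomes a dash in the target label), which is where hand-typed records usually go wrong. The following Python is an added example, not part of the original guide or of Microsoft's tooling: it derives the records Microsoft 365 expects for a domain and compares them with CNAME answers you resolved yourself. The domain contoso.com, the initial domain contoso.onmicrosoft.com and the resolved answers are assumed sample values.

```python
"""Derive the DKIM CNAMEs Microsoft 365 expects and check resolved answers.

Added example, not from the original guide. contoso.com, the tenant initial
domain contoso.onmicrosoft.com and the resolved answers are assumed values.
"""
from dataclasses import dataclass

SELECTORS = ("selector1", "selector2")


@dataclass(frozen=True)
class CnameRecord:
    name: str    # owner name relative to the custom domain, e.g. selector1._domainkey
    target: str  # fully qualified CNAME target


def expected_dkim_cnames(domain: str, initial_domain: str) -> list[CnameRecord]:
    """Return the two CNAMEs required for `domain`.

    The target label is the custom domain with every dot replaced by a dash
    (contoso.com -> selector1-contoso-com); `initial_domain` is the tenant's
    *.onmicrosoft.com domain.
    """
    domain = domain.strip().rstrip(".").lower()
    initial_domain = initial_domain.strip().rstrip(".").lower()
    dashed = domain.replace(".", "-")
    return [
        CnameRecord(name=f"{sel}._domainkey",
                    target=f"{sel}-{dashed}._domainkey.{initial_domain}")
        for sel in SELECTORS
    ]


def check_dkim_cnames(domain: str, initial_domain: str, resolved: dict) -> list[str]:
    """Compare resolved CNAME answers with the expected records.

    `resolved` maps a fully qualified owner name to its CNAME target (a
    trailing dot is tolerated). Returns a list of problems; empty means both
    records are correct and DKIM can be enabled.
    """
    domain = domain.strip().rstrip(".").lower()
    problems = []
    for rec in expected_dkim_cnames(domain, initial_domain):
        fqdn = f"{rec.name}.{domain}"
        actual = resolved.get(fqdn)
        if actual is None:
            problems.append(f"{fqdn}: no CNAME published")
        elif actual.rstrip(".").lower() != rec.target:
            problems.append(f"{fqdn}: points to {actual}, expected {rec.target}")
    return problems


if __name__ == "__main__":
    # Constructed answers: selector1 is right; selector2 kept the dots in the
    # domain label instead of dashes, so it will never match Microsoft's zone.
    answers = {
        "selector1._domainkey.contoso.com":
            "selector1-contoso-com._domainkey.contoso.onmicrosoft.com.",
        "selector2._domainkey.contoso.com":
            "selector2-contoso.com._domainkey.contoso.onmicrosoft.com.",
    }
    for problem in check_dkim_cnames("contoso.com", "contoso.onmicrosoft.com", answers):
        print("PROBLEM:", problem)
```

Feed it the answers from nslookup or dig for both selector names; if the list comes back empty the records match what the admin center asked for, and the "Enable" toggle should succeed once the records have propagated.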
Step 3: Create DMARC Policy
With SPF and DKIM configured, you can now implement DMARC to control how receiving servers handle emails that fail authentication.
Recommended DMARC Record (Monitor Mode)
Start with monitoring mode to collect data. Publish the policy as a TXT record at the _dmarc subdomain of your domain:
Type: TXT
Name: _dmarc
Value:
v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
Important: Replace [email protected] with a real email address where you want to receive reports. Create a dedicated mailbox or shared mailbox in Microsoft 365.
DMARC Policy Progression
Gradually strengthen your policy over time:
Phase 1: Monitor (Weeks 1-4)
p=none
Collect data on all email sources. Review DMARC reports weekly and address any legitimate sources that fail.
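Aggregate (rua) reports arrive as XML, one per receiver per day, and the monitor phase is only useful if someone turns them into a list of sources that fail. The Python below is an added example, not the guide's own tooling: it parses a constructed report in the standard aggregate format and summarizes, per sending IP, how much mail passed DMARC and how much failed, plus the domain the receiver's raw SPF or DKIM check passed for, which is what identifies an unaligned third-party sender. The report content, IP addresses and domain names are made up for the example.

```python
"""Summarize a DMARC aggregate (rua) report: which sources pass, which fail.

Added example, not from the original guide. SAMPLE_REPORT is a constructed
report in the RFC 7489 aggregate XML format; IPs and domains are made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published><domain>contoso.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>contoso.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>contoso.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounces.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.200</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results>
      <spf><domain>contoso.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate the <record> rows per source IP.

    A row passes DMARC when policy_evaluated shows an aligned DKIM pass or an
    aligned SPF pass; the <dkim>/<spf> elements there are alignment results,
    while auth_results holds the raw results for whatever domain was checked.
    """
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    sources: dict[str, dict] = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        src = sources.setdefault(ip, {"total": 0, "pass": 0, "fail": 0,
                                      "spf_domains": set(), "dkim_domains": set()})
        src["total"] += count
        src["pass" if passed else "fail"] += count
        # Raw results say *whose* SPF/DKIM passed, e.g. a vendor's bounce domain.
        for spf in rec.findall("auth_results/spf"):
            if spf.findtext("result") == "pass":
                src["spf_domains"].add(spf.findtext("domain"))
        for dkim in rec.findall("auth_results/dkim"):
            if dkim.findtext("result") == "pass":
                src["dkim_domains"].add(dkim.findtext("domain"))
    return {"domain": policy.findtext("domain"), "policy": policy.findtext("p"),
            "reporter": root.findtext("report_metadata/org_name"), "sources": sources}


def failing_sources(summary: dict) -> list[tuple[str, int, str]]:
    """Sources with DMARC failures, largest first, each with a triage hint."""
    out = []
    for ip, s in summary["sources"].items():
        if s["fail"] == 0:
            continue
        authed = sorted(s["spf_domains"] | s["dkim_domains"])
        if authed:
            hint = "authenticates as " + ", ".join(authed) + ": likely a third-party sender that needs alignment"
        else:
            hint = "no authentication at all: likely spoofing or an unknown relay"
        out.append((ip, s["fail"], hint))
    return sorted(out, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f"{summary['domain']} (p={summary['policy']}) reported by {summary['reporter']}")
    for ip, failed, hint in failing_sources(summary):
        print(f"  {ip}: {failed} failed; {hint}")
```

Real reports arrive as .zip or .gz attachments to the rua mailbox; unpack them before parsing. A source that authenticates under a vendor's own domain is the case to fix before moving to p=quarantine, by adding it to SPF or having it DKIM-sign with your domain; a source with no authentication at all is what the stricter policy is there to block.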
Phase 2: Quarantine (Weeks 5-8)
p=quarantine
Failed emails go to the junk folder. Monitor for legitimate mail being quarantined. pct=100 applies the policy to all failing mail; if you want to ease in, publish a lower value such as pct=25 first, so that only that share of failing messages is quarantined, and raise it once the reports stay clean.
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
Phase 3: Reject (Week 9+)
p=reject
Failed emails are rejected. Maximum protection against domain spoofing.
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100
Step 4: Testing Your Setup
After DNS records are published (allow up to 48 hours for propagation, though it is usually much faster), test your configuration:
Use Our Checker
Verify your setup with our free DMARC checker
Send Test Emails
Send emails to Gmail, Outlook, and other major providers
Check Message Headers
Look for dmarc=pass in the Authentication-Results header, together with spf=pass and dkim=pass. Check the domain reported for DKIM (header.d or header.i): it must be your custom domain, not your tenant's onmicrosoft.com domain, which is what Microsoft 365 signs with until DKIM is enabled for the custom domain.
Wait for Reports
DMARC reports typically arrive within 24-48 hours of first emails
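The following Python is an added example rather than code from the guide: it parses the Authentication-Results header of a received test message and reports not just dmarc=pass but which of SPF and DKIM are aligned with the From: domain, which is what DMARC evaluates. The two raw messages are constructed; the receiver name mx.example.net, the sample addresses and the simplified relaxed-alignment check (a parent/child domain match with no public-suffix list) are assumptions.

```python
"""Explain a test message's Authentication-Results: aligned SPF? aligned DKIM?

Added example, not from the original guide. Both messages below are
constructed; the receiver mx.example.net and the addresses are made up, and
aligned() is a simplified relaxed match without a public-suffix list.
"""
import email
import email.utils
import re

AR_METHOD = re.compile(r"^([a-z]+)=([a-z]+)", re.I)
AR_PROP = re.compile(r"([a-z]+\.[a-z]+)=(\S+)", re.I)

GOOD_MESSAGE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@contoso.com header.s=selector1 header.b=k3Xo9Qz1;
 spf=pass (example.net: 203.0.113.10 is permitted) smtp.mailfrom=alice@contoso.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=contoso.com
From: Alice <alice@contoso.com>
To: test@example.net
Subject: DMARC test

hello
"""

# Same tenant before DKIM was enabled for the custom domain: Microsoft 365
# signs with the initial domain, so DKIM verifies but is not aligned.
UNALIGNED_DKIM_MESSAGE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=contoso.onmicrosoft.com header.s=selector1-contoso-com;
 spf=pass smtp.mailfrom=alice@contoso.com;
 dmarc=pass header.from=contoso.com
From: Alice <alice@contoso.com>
To: test@example.net
Subject: DMARC test before custom-domain DKIM is enabled

hello
"""


def parse_authentication_results(value: str):
    """Return (authserv_id, {method: {"result": ..., "header.d": ..., ...}})."""
    value = " ".join(value.split())            # unfold continuation lines
    value = re.sub(r"\([^)]*\)", "", value)    # drop free-text (comments)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id, results = parts[0], {}
    for part in parts[1:]:
        m = AR_METHOD.match(part)
        if not m:
            continue
        props = {k.lower(): v for k, v in AR_PROP.findall(part)}
        results[m.group(1).lower()] = {"result": m.group(2).lower(), **props}
    return authserv_id, results


def aligned(domain: str, from_domain: str) -> bool:
    """Simplified relaxed alignment: identical, or one is a subdomain of the other."""
    domain, from_domain = domain.lower(), from_domain.lower()
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))


def check_test_message(raw: str) -> dict:
    """Judge a received test message the way a DMARC verifier does."""
    msg = email.message_from_string(raw)
    from_domain = email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return {"from_domain": from_domain, "dmarc": "missing", "findings":
                ["no Authentication-Results header: the receiver did not evaluate authentication"]}
    authserv, res = parse_authentication_results(headers[0])  # topmost = final receiver
    findings = []
    dkim = res.get("dkim", {})
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "").rsplit("@", 1)[-1]
    dkim_ok = dkim.get("result") == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain)
    if dkim.get("result") == "pass" and not dkim_ok:
        findings.append(f"DKIM verified but signed by {dkim_domain}, not aligned with "
                        f"{from_domain}: enable DKIM for the custom domain")
    elif dkim.get("result") != "pass":
        findings.append(f"DKIM result is {dkim.get('result', 'none')}")
    spf = res.get("spf", {})
    spf_domain = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    spf_ok = spf.get("result") == "pass" and bool(spf_domain) and aligned(spf_domain, from_domain)
    if not spf_ok:
        findings.append(f"SPF result {spf.get('result', 'none')} for {spf_domain or '?'} is not an aligned pass")
    if spf_ok and not dkim_ok:
        findings.append("DMARC passes only via SPF; forwarded mail will fail under p=quarantine/reject")
    return {"from_domain": from_domain, "authserv_id": authserv,
            "dmarc": res.get("dmarc", {}).get("result", "none"),
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "findings": findings}


if __name__ == "__main__":
    for raw in (GOOD_MESSAGE, UNALIGNED_DKIM_MESSAGE):
        verdict = check_test_message(raw)
        print(verdict["dmarc"], verdict["findings"] or "SPF and DKIM both aligned")
```

The second message is the result to watch for: dmarc=pass looks fine, yet it passes only because SPF is aligned, and SPF breaks as soon as a recipient forwards the mail. Real receivers phrase the header differently (Gmail uses header.i, others header.d), which is why both properties are read.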
Common Issues & Solutions
DKIM Not Enabling
Problem: Can't enable DKIM signing in Microsoft 365 admin center
Solution: Verify both CNAME records are published correctly, for example with nslookup -type=CNAME selector1._domainkey.yourdomain.com (and the same for selector2) or a DNS checker; the answer must be exactly the target shown in the admin center. Allow time for propagation after adding the records before trying to enable.
Emails from Shared Mailboxes Failing
Problem: Emails sent from shared mailboxes or distribution lists fail DMARC
Solution: Ensure "Send As" or "Send on Behalf" permissions are properly configured. Mail sent as a shared mailbox or distribution group in the same domain is signed by Microsoft 365 with that domain's DKIM key, provided DKIM is enabled for the domain.
Third-Party Applications Failing
Problem: Mail from CRM, ticketing systems, or other third-party applications that send as your domain fails DMARC
Solution: Either route these apps through Microsoft 365 (SMTP AUTH client submission or an SMTP relay connector), so their mail is covered by the existing SPF include and DKIM signing, or add their sending IPs or include: mechanism to your SPF record and configure them to DKIM-sign with your domain. See troubleshooting guide for details.
Too Many DNS Lookups
Problem: SPF record exceeds 10 DNS lookups when including multiple services
Solution: Use our SPF Generator to optimize your record. ip4: and ip6: mechanisms do not count toward the limit, so replacing an include with the provider's published address ranges reduces lookups; but those ranges change without notice, so only do this for addresses you control and keep include: for third parties. Also remove includes for services you no longer use.
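The following Python is an added example, not the guide's SPF Generator and not Microsoft's code. It covers both SPF tasks on this page: merging the Microsoft 365 include into an existing record before the all term, as Step 1 describes, and counting the DNS-querying terms against the 10-lookup limit. It only sees the terms in the record text it is given, so lookups nested inside other include: targets are not counted and the number is a lower bound; the sample records are constructed.

```python
"""Merge the Microsoft 365 include into an SPF record and count DNS lookups.

Added example, not part of the original guide and not Microsoft's code.
Counts only terms visible in the given record; terms behind an include: are
resolved by receivers and count too, so the result is a lower bound.
Sample records are constructed.
"""
import re

M365_INCLUDE = "include:spf.protection.outlook.com"
# Terms that each cost a DNS query under RFC 7208 section 4.6.4 (limit 10 per check).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_RE = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)


def tokenize(record: str) -> list[str]:
    """Split an SPF record into its terms, dropping the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    return terms[1:]


def term_name(term: str) -> str:
    """'-include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    name = term.lstrip("+-~?")
    return re.split(r"[:=/]", name, maxsplit=1)[0].lower()


def lookup_count(record: str) -> int:
    """Number of terms in this record that each cause a DNS query."""
    return sum(1 for t in tokenize(record) if term_name(t) in LOOKUP_TERMS)


def add_m365_include(record: str) -> str:
    """Insert the Microsoft 365 include before the trailing all term.

    Returns the record unchanged if the include is already there. A record
    with no all term leaves unlisted senders neutral; in that case the
    include is appended together with -all, matching Microsoft's recommended
    record.
    """
    terms = tokenize(record)
    if any(t.lower().lstrip("+") == M365_INCLUDE for t in terms):
        return record
    all_idx = [i for i, t in enumerate(terms) if ALL_RE.match(t)]
    if len(all_idx) > 1:
        raise ValueError("record has more than one all term")
    if all_idx:
        terms.insert(all_idx[0], M365_INCLUDE)
    else:
        terms += [M365_INCLUDE, "-all"]
    return " ".join(["v=spf1", *terms])


def spf_problems(txt_records: list[str]) -> list[str]:
    """Check all TXT records published at the domain apex for SPF mistakes."""
    spf = [t for t in txt_records if t.strip().lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records published; receivers return permerror")
    for rec in spf:
        n = lookup_count(rec)
        if n > 10:
            problems.append(f"{n} DNS-lookup terms (limit 10)")
        if not any(ALL_RE.match(t) for t in tokenize(rec)):
            problems.append("no all term; unlisted senders are neutral rather than rejected")
        if M365_INCLUDE not in rec.lower():
            problems.append("Microsoft 365 include missing")
    return problems


if __name__ == "__main__":
    # Constructed: a domain that already lists its own range and a CRM vendor.
    existing = "v=spf1 ip4:203.0.113.0/24 include:_spf.crm-vendor.example ~all"
    merged = add_m365_include(existing)
    print(merged)
    print("visible lookups:", lookup_count(merged))
    print("problems:", spf_problems([merged]) or "none")
```

Run it against the TXT records you actually publish (every TXT at the apex, not just the one you think is SPF) and the permerror case for duplicate records shows up immediately; the lookup count is the part to re-check after adding any further include.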
Microsoft 365-Specific Tips
- •Enhanced Filtering: If you use a third-party spam filter or email gateway in front of M365, enable Enhanced Filtering for Connectors so that Exchange Online evaluates SPF and DMARC against the original sending IP rather than your gateway's IP.
- •Key Rotation: Microsoft automatically rotates DKIM keys. Because your DNS holds only the two CNAMEs pointing into Microsoft's zone, rotation needs no change on your side.
- •Multiple Domains: Repeat the DKIM setup process for each custom domain in your tenant.
- •Defender Integration: DMARC works alongside Microsoft Defender for Office 365 for enhanced protection.