How to Set Up DMARC for Microsoft 365
Complete guide to SPF, DKIM, and DMARC for Microsoft 365. Step-by-step email authentication setup with Defender portal instructions.
What You’ll Need
Before starting, make sure you have:
- Global Administrator or Security Administrator access to your Microsoft 365 tenant
- Access to your domain’s DNS management console (GoDaddy, Cloudflare, Namecheap, etc.)
- A custom domain already added and verified in Microsoft 365
- About 30 minutes for initial setup, plus 24 to 48 hours for DNS propagation
Understanding the Three Protocols
Microsoft 365 email security relies on three protocols working together:
| Protocol | Purpose | Record Type |
|---|---|---|
| SPF | Authorizes which servers can send email for your domain | TXT |
| DKIM | Adds a digital signature to verify messages weren’t altered | CNAME (2 records) |
| DMARC | Tells receivers what to do when SPF or DKIM fails | TXT |
You must configure SPF and DKIM before DMARC will work properly.
Step 1: Configure SPF
SPF tells receiving mail servers which IP addresses and services are authorized to send email on behalf of your domain.
Check Your Current SPF Record
Before making changes, check if you already have an SPF record:
- Go to MXToolbox SPF Lookup
- Enter your domain name
- Review the results
Create or Update Your SPF Record
For Microsoft 365 only (no other email services):
v=spf1 include:spf.protection.outlook.com -all
For Microsoft 365 plus other services:
Add the appropriate includes for each service. Common examples:
| Service | SPF Include |
|---|---|
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| HubSpot | include:spf.hubspot.com |
| Salesforce | include:_spf.salesforce.com |
| Zendesk | include:mail.zendesk.com |
Example with multiple services:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:servers.mcsv.net -all
Add the SPF Record to DNS
- Log in to your DNS provider
- Navigate to DNS management for your domain
- Add a new TXT record:
| Field | Value |
|---|---|
| Type | TXT |
| Host/Name | @ (or leave blank, depending on provider) |
| Value | Your SPF record |
| TTL | 3600 (or 1 hour) |
Important: SPF Lookup Limit
SPF has a 10 DNS lookup limit. Each include: statement counts toward this limit. If you exceed 10 lookups, SPF will fail with a “permerror.”
To check your lookup count:
- Go to MXToolbox SPF Lookup
- Enter your domain
- Look for the DNS lookup count in the results
If you’re approaching the limit:
- Consider using SPF flattening tools
- Remove services you no longer use
- Use subdomains for marketing or bulk email services
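As an added example, not part of the original guide or of any vendor tooling, the Python function below parses an SPF record and counts the terms that cost a DNS query. Under RFC 7208 section 4.6.4 those are include, a, mx, ptr, exists and redirect, not just include; ip4, ip6 and all are free. It does not follow the included records, so the number it reports is a lower bound on the recursive count that a full SPF evaluation (or MXToolbox) performs. The sample records are the ones from this section plus a constructed over-limit record.

```python
import re

# Mechanisms and modifiers that each cost one DNS query under RFC 7208
# section 4.6.4. ip4, ip6 and all are evaluated without any lookup.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def analyze_spf(record: str) -> dict:
    """Parse one SPF TXT record and report its DNS-lookup cost.

    Only this record's own terms are counted; included records are not
    fetched, so 'lookups' is a lower bound on the recursive total that a
    full SPF check performs.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: expected it to start with v=spf1")

    lookups = 0
    includes = []
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # include:domain, a/24, mx, redirect=domain -> name before ':' '/' or '='
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
            if name == "include":
                includes.append(term.partition(":")[2])
        elif name == "all":
            all_qualifier = qualifier

    return {
        "lookups": lookups,
        "includes": includes,
        "all": all_qualifier,                # '-' hard fail, '~' soft fail, None missing
        "over_limit": lookups > SPF_LOOKUP_LIMIT,
        "headroom": SPF_LOOKUP_LIMIT - lookups,
    }


if __name__ == "__main__":
    # The multi-service record from this section of the guide
    print(analyze_spf("v=spf1 include:spf.protection.outlook.com "
                      "include:sendgrid.net include:servers.mcsv.net -all"))
```

Because spf.protection.outlook.com itself includes further records, the real cost of even the Microsoft-only record is higher than the 1 this function reports; use it to spot records that are obviously over budget before they are published, and confirm the recursive count with a lookup tool.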
Step 2: Configure DKIM
DKIM adds a cryptographic signature to your outgoing emails, allowing recipients to verify the message came from your domain and wasn’t modified in transit.
Access the Microsoft Defender Portal
- Go to the Microsoft Defender portal
- Sign in with your admin account
- Navigate to Email & collaboration > Policies & rules > Threat policies
- Under Rules, select Email authentication settings
- Click the DKIM tab
Generate DKIM Keys
- On the DKIM page, select your custom domain (click the domain name, not the checkbox)
- A details panel will open on the right
- If you see “No DKIM keys saved for this domain,” click Create DKIM keys
- Microsoft will generate two CNAME records
Copy the DKIM CNAME Records
After generating keys, you’ll see two CNAME records. They follow this format:
Record 1:
| Field | Value |
|---|---|
| Host/Name | selector1._domainkey |
| Points to | selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
Record 2:
| Field | Value |
|---|---|
| Host/Name | selector2._domainkey |
| Points to | selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
Replace yourdomain-com with your domain (using hyphens instead of dots) and yourtenant with your Microsoft 365 tenant name.
Example for contoso.com with tenant contoso.onmicrosoft.com:
| Host | Points to |
|---|---|
| selector1._domainkey | selector1-contoso-com._domainkey.contoso.onmicrosoft.com |
| selector2._domainkey | selector2-contoso-com._domainkey.contoso.onmicrosoft.com |
Add DKIM Records to DNS
- Log in to your DNS provider
- Add the first CNAME record:
| Field | Value |
|---|---|
| Type | CNAME |
| Host/Name | selector1._domainkey |
| Points to/Value | (Value from Microsoft Defender portal) |
| TTL | 3600 |
- Add the second CNAME record:
| Field | Value |
|---|---|
| Type | CNAME |
| Host/Name | selector2._domainkey |
| Points to/Value | (Value from Microsoft Defender portal) |
| TTL | 3600 |
Enable DKIM Signing
After DNS propagation (can take up to 48 hours, but often much faster):
- Return to the Microsoft Defender portal DKIM page
- Select your domain
- Toggle Sign messages for this domain with DKIM signatures to Enabled
- Click OK to confirm
If you see an error that CNAME records weren’t found, wait longer for DNS propagation and try again.
Verify DKIM Configuration
- Go to MXToolbox DKIM Lookup
- Enter your domain
- For selector, enter selector1
- Click DKIM Lookup
- Repeat with selector2
Both selectors should return valid DKIM records.
Step 3: Configure DMARC
With SPF and DKIM in place, you can now configure DMARC to tell receiving servers what to do when authentication fails.
Understanding DMARC Policies
| Policy | What It Does | When to Use |
|---|---|---|
| p=none | Monitor only, no action taken | Starting out, collecting data |
| p=quarantine | Send failing messages to spam | After verifying legitimate mail passes |
| p=reject | Block failing messages entirely | Full enforcement, maximum protection |
Start with Monitoring
Begin with a monitoring policy to identify any legitimate email sources that might fail authentication:
v=DMARC1; p=none; rua=mailto:[email protected]
Breakdown:
- v=DMARC1 - Protocol version (required)
- p=none - Policy: monitor only
- rua=mailto: - Where to send aggregate reports
Add the DMARC Record to DNS
- Log in to your DNS provider
- Add a new TXT record:
| Field | Value |
|---|---|
| Type | TXT |
| Host/Name | _dmarc |
| Value | v=DMARC1; p=none; rua=mailto:[email protected] |
| TTL | 3600 |
Verify Your DMARC Record
- Go to MXToolbox DMARC Lookup
- Enter your domain
- Verify the record appears correctly
Step 4: Monitor and Progress to Enforcement
Review DMARC Reports
After publishing your DMARC record with p=none, you’ll start receiving aggregate reports. These XML files contain:
- Which IP addresses are sending email as your domain
- Whether those messages pass or fail SPF and DKIM
- Volume of messages from each source
Raw DMARC reports are difficult to read. Consider using a DMARC monitoring service to parse and visualize the data.
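The report below is a constructed sample in the RFC 7489 aggregate (rua) XML format, with documentation-range IP addresses standing in for an authorized Microsoft 365 sender (192.0.2.10), a forwarder (198.51.100.7) and an unknown source (203.0.113.25); none is a real sender. The parser is an added example, not the guide's own code or any monitoring service's. It extracts per-source pass and fail counts and shows why the forwarded messages still pass DMARC: the policy_evaluated values already reflect alignment, and DMARC passes when either aligned DKIM or aligned SPF passes.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an RFC 7489 aggregate report for contoso.com.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>contoso.com</domain><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>contoso.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>contoso.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>contoso.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results>
      <spf><domain>contoso.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate a DMARC rua report per source IP.

    policy_evaluated/dkim and /spf already include the alignment check, so a
    message passes DMARC when either of them is 'pass'.
    """
    root = ET.fromstring(xml_text)
    per_ip = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count") or 0)
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        e = per_ip.setdefault(ip, {"messages": 0, "dkim_pass": 0, "spf_pass": 0, "dmarc_pass": 0})
        e["messages"] += count
        e["dkim_pass"] += count if dkim_ok else 0
        e["spf_pass"] += count if spf_ok else 0
        e["dmarc_pass"] += count if (dkim_ok or spf_ok) else 0

    for e in per_ip.values():
        if e["dmarc_pass"] == e["messages"]:
            e["status"] = "pass"
        elif e["dmarc_pass"] == 0:
            e["status"] = "fail"   # nothing aligned: spoofing or an unlisted service
        else:
            e["status"] = "mixed"
        # DKIM carried every message while SPF broke: the usual forwarding signature
        e["spf_only_failures"] = e["dkim_pass"] == e["messages"] and e["spf_pass"] < e["messages"]

    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": per_ip,
        "investigate": sorted(ip for ip, e in per_ip.items() if e["status"] == "fail"),
    }


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    for ip, e in summary["sources"].items():
        print(f'{ip:16} {e["messages"]:5} msgs  {e["status"]:5}  forwarding-like={e["spf_only_failures"]}')
    print("investigate:", summary["investigate"])
```

Real reports arrive zipped or gzipped as mail attachments and contain one feedback element per reporting organization per day; the same summarize_report call applies to each file once it is decompressed.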
Identify and Fix Issues
Common problems revealed by DMARC reports:
| Issue | Solution |
|---|---|
| Third-party service failing SPF | Add their include to your SPF record |
| Third-party service failing DKIM | Configure DKIM signing with that service |
| Unknown IP addresses sending as you | Investigate, may be spoofing or forgotten service |
| Forwarded emails failing | Normal behavior, DKIM helps with this |
Progress to Quarantine
Once your legitimate email sources consistently pass authentication (2 to 4 weeks of monitoring), move to quarantine:
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
The pct=25 means only 25% of failing messages are quarantined. Increase gradually:
- pct=25 for 1 week
- pct=50 for 1 week
- pct=100 for 1 to 2 weeks
Progress to Reject
After quarantine is stable, move to full enforcement:
v=DMARC1; p=reject; rua=mailto:[email protected]
Use the same gradual approach with pct= if desired.
Special Scenarios
MOERA Domain (onmicrosoft.com)
If you use Microsoft’s default onmicrosoft.com domain:
- SPF and DKIM are already configured automatically
- You still need to add a DMARC record
Add DMARC via Microsoft 365 Admin Center:
- Go to Microsoft 365 Admin Center
- Navigate to Settings > Domains
- Select your onmicrosoft.com domain
- Go to the DNS records tab
- Click Add record
- Add a TXT record:
- TXT name: _dmarc
- TXT value: v=DMARC1; p=reject
Parked Domains
For domains you own but don’t use for email, protect them from being spoofed:
SPF Record:
v=spf1 -all
DMARC Record:
v=DMARC1; p=reject
No DKIM is needed for parked domains.
Subdomains
DMARC records automatically apply to subdomains. However:
- Each subdomain needs its own SPF record if it sends email
- Each subdomain needs its own DKIM configuration if it sends email
- You can override the parent domain’s DMARC policy by creating a DMARC record on the subdomain
Recommendation: Use subdomains for marketing or bulk email services to protect your main domain’s reputation.
Multiple Custom Domains
Repeat the SPF, DKIM, and DMARC configuration process for each custom domain in your Microsoft 365 tenant.
Troubleshooting
SPF Issues
| Problem | Cause | Solution |
|---|---|---|
| SPF PermError | Too many DNS lookups (over 10) | Remove unused includes, use SPF flattening |
| SPF SoftFail | Using ~all instead of -all | Change to -all for stricter enforcement |
| SPF Fail | Sending service not in SPF record | Add the service’s include statement |
DKIM Issues
| Problem | Cause | Solution |
|---|---|---|
| CNAME records not found | DNS not propagated | Wait up to 48 hours |
| DKIM signature invalid | Selector mismatch | Verify selector values match exactly |
| Can’t enable DKIM | CNAME records incorrect | Double-check for typos, extra spaces |
DMARC Issues
| Problem | Cause | Solution |
|---|---|---|
| Legitimate email going to spam | Policy too strict too fast | Lower pct value, use quarantine before reject |
| Not receiving reports | Invalid rua email address | Verify the email address exists and can receive |
| Forwarded email failing | SPF fails on forwarded mail | This is normal, DKIM alignment helps |
Verification Checklist
After completing setup, verify everything works:
- SPF: Check at MXToolbox SPF Lookup
- DKIM: Check both selectors at MXToolbox DKIM Lookup
- DMARC: Check at MXToolbox DMARC Lookup
- Send a test email: Send to a Gmail account and check “Show original” to see authentication results
- DMARC reports arriving: Confirm you’re receiving aggregate reports
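For the "Show original" check above, the following added example (not code from the guide) parses the Authentication-Results header that Gmail stamps on a received message and applies relaxed DMARC alignment to it. The header value is a constructed Gmail-style sample for a message sent through Microsoft 365 for contoso.com, and the organizational-domain rule (last two labels, with no public suffix list) is a simplification assumed by this example.

```python
import re

# Constructed Gmail-style Authentication-Results value for a message sent
# from Microsoft 365 for contoso.com (192.0.2.10 is a documentation address).
SAMPLE_HEADER = (
    "mx.google.com; "
    "dkim=pass header.i=@contoso.com header.s=selector1 header.b=AbCd1234; "
    "spf=pass (google.com: domain of sender@contoso.com designates 192.0.2.10 "
    "as permitted sender) smtp.mailfrom=sender@contoso.com; "
    "dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=contoso.com"
)


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results value (RFC 8601).

    Returns {'authserv_id': str, 'results': {method: {'result': ..., prop: value}}}.
    Parenthesised comments are discarded before splitting on ';'.
    """
    stripped = re.sub(r"\([^)]*\)", " ", header)
    parts = [p.strip() for p in stripped.split(";") if p.strip()]
    authserv_id = parts[0].split()[0] if parts else ""
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, verdict = tokens[0].partition("=")
        props = {"result": verdict.lower()}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            props[key.lower()] = value
        results[method.lower()] = props
    return {"authserv_id": authserv_id, "results": results}


def org_domain(name: str) -> str:
    """Simplified organizational domain: the last two labels.

    This is an assumption of the example; a real DMARC verifier consults
    the public suffix list so that e.g. example.co.uk is handled correctly.
    """
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_alignment(header: str) -> dict:
    """Apply relaxed DMARC alignment to a parsed Authentication-Results value."""
    results = parse_auth_results(header)["results"]
    dkim = results.get("dkim", {})
    spf = results.get("spf", {})
    header_from = results.get("dmarc", {}).get("header.from", "")
    # header.d is the DKIM d= tag; Gmail often reports header.i=@domain instead
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "").rpartition("@")[2]
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_aligned = (bool(header_from) and dkim.get("result") == "pass"
                    and org_domain(dkim_domain) == org_domain(header_from))
    spf_aligned = (bool(header_from) and spf.get("result") == "pass"
                   and org_domain(spf_domain) == org_domain(header_from))
    return {
        "header_from": header_from,
        "dkim_domain": dkim_domain,
        "dkim_selector": dkim.get("header.s", ""),
        "spf_domain": spf_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc_pass": dkim_aligned or spf_aligned,     # either aligned identifier suffices
        "receiver_verdict": results.get("dmarc", {}).get("result", ""),
    }


if __name__ == "__main__":
    for key, value in check_alignment(SAMPLE_HEADER).items():
        print(f"{key:18} {value}")
```

The dkim_selector field should read selector1 or selector2 for mail signed by Microsoft 365; a different selector or an unaligned dkim_domain means the message was signed by some other service, which is the "selector mismatch" case in the DKIM troubleshooting table.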
Recommended Timeline
| Week | Action |
|---|---|
| Week 1 | Configure SPF and DKIM |
| Week 1 | Publish DMARC with p=none |
| Weeks 2 to 4 | Monitor reports, fix any issues |
| Week 5 | Move to p=quarantine; pct=25 |
| Week 6 | Increase to p=quarantine; pct=50 |
| Week 7 | Increase to p=quarantine; pct=100 |
| Week 8+ | Move to p=reject (gradually if desired) |
Quick Reference
Final DNS Records
SPF (TXT record at @):
v=spf1 include:spf.protection.outlook.com -all
DKIM (CNAME records):
selector1._domainkey → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
DMARC (TXT record at _dmarc):
v=DMARC1; p=reject; rua=mailto:[email protected]
Next Steps
Once you’ve reached p=reject:
- Keep monitoring - Review DMARC reports regularly for new issues
- Update when adding services - Any new email service needs SPF/DKIM configuration
- Consider BIMI - Brand Indicators for Message Identification displays your logo in supported email clients
- Rotate DKIM keys periodically - Microsoft 365 supports key rotation through the Defender portal
Ready to implement this?
Verkh helps you monitor DMARC, identify issues, and reach enforcement. Start free.