How to set up SPF, DKIM & DMARC for Microsoft 365

Microsoft 365 uses one fixed SPF include and a pair of CNAME records for DKIM. The CNAME targets are unique to your tenant, so they come from the Defender portal — but the hostnames are always the same.

SPF

One TXT record at the root authorizes Exchange Online. Microsoft's docs recommend -all (hardfail).

Type
TXT
Host / Name
@

@ means the root of the domain. If your provider rejects @, enter the bare domain or leave the Host field empty.

Value / Content
v=spf1 include:spf.protection.outlook.com -all

DKIM

Microsoft publishes your DKIM keys on their own DNS; you point two CNAMEs at them. The targets embed your tenant's onmicrosoft.com domain, so copy them from the portal.

Type
CNAME
Host / Name
selector1._domainkey
Value / Content
selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Example only — copy the exact target from the Defender portal's DKIM page for your domain.

Type
CNAME
Host / Name
selector2._domainkey
Value / Content
selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Example only — copy the exact target from the Defender portal's DKIM page for your domain.

  1. Open security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM.
  2. Select your domain — the two CNAME targets are shown there.
  3. Publish both CNAMEs, wait for DNS, then toggle Enable for the domain.

DMARC

DMARC is per-domain, not per-provider — one record at _dmarc.yourdomain.com covers Microsoft 365 and everything else that sends as you. Start in monitor-only mode:

Type
TXT
Host / Name
_dmarc

Some providers want the full _dmarc.yourdomain.com here.

Value / Content
v=DMARC1; p=none; rua=mailto:your-report-address

Example only — replace your-report-address — our DMARC generator builds the record, or sign up free and we generate it with a report address that feeds your monitoring dashboard.

Provider note: Once DKIM is enabled, Microsoft 365 signs with your domain and aligns. Until then, mail is signed with the shared onmicrosoft.com domain — authenticated, but not aligned to you.

Full walkthrough: how to set up DMARC without breaking your email, and why aligned authentication is what DMARC actually checks.

Verify it worked

After DNS propagates (minutes to an hour), send a message from Microsoft 365 to our inbox test — it shows the real SPF/DKIM/DMARC verdicts a receiver computes, including whether authentication aligned with your domain. Then HealthCheck Email keeps checking daily and alerts you when a record breaks.

Records current as of 2026-07-13. Provider dashboards change — the authoritative reference is Microsoft 365's official docs.