How to set up SPF, DKIM & DMARC for Microsoft 365
Microsoft 365 uses one fixed SPF include and a pair of CNAME records for DKIM. The CNAME targets are unique to your tenant, so they come from the Defender portal — but the hostnames are always the same.
SPF
One TXT record at the root authorizes Exchange Online. Microsoft's docs recommend -all (hardfail).
| Type | TXT |
| Host / Name | @@ means the root of the domain. If your provider rejects @, enter the bare domain or leave the Host field empty. |
| Value / Content | v=spf1 include:spf.protection.outlook.com -all |
DKIM
Microsoft publishes your DKIM keys on their own DNS; you point two CNAMEs at them. The targets embed your tenant's onmicrosoft.com domain, so copy them from the portal.
| Type | CNAME |
| Host / Name | selector1._domainkey |
| Value / Content | selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.comExample only — copy the exact target from the Defender portal's DKIM page for your domain. |
| Type | CNAME |
| Host / Name | selector2._domainkey |
| Value / Content | selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.comExample only — copy the exact target from the Defender portal's DKIM page for your domain. |
- Open security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM.
- Select your domain — the two CNAME targets are shown there.
- Publish both CNAMEs, wait for DNS, then toggle Enable for the domain.
DMARC
DMARC is per-domain, not per-provider — one record at _dmarc.yourdomain.com covers Microsoft 365 and everything else that sends as you. Start in monitor-only mode:
| Type | TXT |
| Host / Name | _dmarcSome providers want the full _dmarc.yourdomain.com here. |
| Value / Content | v=DMARC1; p=none; rua=mailto:your-report-addressExample only — replace your-report-address — our DMARC generator builds the record, or sign up free and we generate it with a report address that feeds your monitoring dashboard. |
Provider note: Once DKIM is enabled, Microsoft 365 signs with your domain and aligns. Until then, mail is signed with the shared onmicrosoft.com domain — authenticated, but not aligned to you.
Full walkthrough: how to set up DMARC without breaking your email, and why aligned authentication is what DMARC actually checks.
Verify it worked
After DNS propagates (minutes to an hour), send a message from Microsoft 365 to our inbox test — it shows the real SPF/DKIM/DMARC verdicts a receiver computes, including whether authentication aligned with your domain. Then HealthCheck Email keeps checking daily and alerts you when a record breaks.
Records current as of 2026-07-13. Provider dashboards change — the authoritative reference is Microsoft 365's official docs.