Guide

How to set up DMARC for Microsoft 365

The exact SPF, DKIM and DMARC steps for a Microsoft 365 domain — including the two DKIM CNAMEs Microsoft uses.

Check your DMARC record

What it is

Microsoft 365 (Exchange Online) sends your mail through Microsoft's servers, so you need an SPF record that includes Microsoft, DKIM enabled in the Microsoft Defender portal, and a DMARC record.

Microsoft's DKIM is unusual: instead of one TXT key you publish two CNAME records (selector1 and selector2) that point back to Microsoft, then flip DKIM on in the portal.

Why it matters

By default Microsoft 365 signs mail with its shared onmicrosoft.com domain, which doesn't align with your domain — so DMARC can fail until you enable domain DKIM. Setting it up properly is what lets you reach enforcement.

Microsoft is aligning with Google and Yahoo on sender requirements, so authenticated mail is increasingly required to reach Outlook.com and Microsoft-hosted inboxes too.

How to set it up

  1. 1SPF: publish a TXT record at your root domain: v=spf1 include:spf.protection.outlook.com -all (merge into your existing SPF; never publish two).
  2. 2DKIM: publish the two CNAMEs — selector1._domainkey and selector2._domainkey — pointing to the targets shown in the Microsoft Defender portal (Email & collaboration → Policies → Email authentication → DKIM). Then select your domain and toggle 'Sign messages for this domain with DKIM signatures' to On.
  3. 3DMARC: publish a TXT record at _dmarc.yourdomain.com: v=DMARC1; p=none; rua=mailto:you@yourdomain.com.
  4. 4Wait for propagation, enable DKIM in the portal, confirm it passes, then raise DMARC to p=quarantine and p=reject once reports are clean.

Common problems

The DKIM toggle in Microsoft 365 is greyed out or errors.
That means the two CNAME records (selector1 and selector2) aren't published or haven't propagated yet. Publish both exactly as the portal shows, wait, then flip the toggle — Microsoft validates the CNAMEs before enabling.
My mail is signed by onmicrosoft.com, not my domain.
That's the default until you enable domain DKIM. Publish the two CNAMEs and turn DKIM on for your custom domain so signing aligns with your From address — otherwise DMARC can fail.
Should SPF end in -all for Microsoft 365?
Yes, once you've confirmed every sender is listed. Microsoft recommends -all (hardfail). Use ~all only briefly while you verify nothing legitimate is missing.

Check it — then keep it healthy

Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.

More guides