Email Authentication Setup for Microsoft 365

Last updated: February 12, 2026

SPF, DMARC, and DKIM Configuration Guide


Overview

Email authentication helps protect your domain from spoofing, phishing, and spam. Three key protocols work together to verify that emails claiming to be from your domain are legitimate:

  • SPF (Sender Policy Framework)

  • DKIM (DomainKeys Identified Mail)

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Setting up all three protocols is essential for optimal email deliverability and security with Microsoft 365.


SPF (Sender Policy Framework)

What It Does

SPF lets you publish, in DNS, which mail servers are authorized to send email for your domain. A receiving server looks up the SPF record of the domain in the envelope sender (the SMTP MAIL FROM, which becomes the Return-Path) and checks whether the connecting IP address is listed there.

Purpose

  • Prevents spammers from using your domain as the envelope sender (MAIL FROM) from servers you have not listed; on its own SPF does not check the visible "From" header, which is why DMARC alignment (below) is needed

  • Improves email deliverability by reducing the likelihood your emails are marked as spam

  • Protects your domain reputation

  • Required for passing Microsoft 365 anti-spoofing checks

High-Level Setup Steps

  1. Access your domain's DNS settings through your domain registrar or DNS provider

  2. Create or update a TXT record for your domain with Microsoft's SPF information

  3. Add the SPF record: v=spf1 include:spf.protection.outlook.com -all (-all tells receivers to fail mail from unlisted servers; the soft-fail ~all is acceptable only while you are still discovering legitimate senders)

  4. If you use additional email services or third-party senders, add their include: mechanisms to the same record; each include costs one of the 10 DNS lookups receivers allow

  5. Verify the SPF record is published correctly

  6. Ensure you have only one SPF record (multiple SPF records cause validation failures)
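
The checks in steps 5 and 6, together with the 10-lookup limit covered later in this guide, as an added Python example (not part of this guide or of Microsoft's tooling). It runs offline against a constructed in-memory DNS table: the contoso.com, example-crm.net and broken.example zones and the contents shown for spf.protection.outlook.com are made up for the example, and txt_lookup is the one place where a real resolver would be plugged in.

```python
"""SPF record checks for a Microsoft 365 domain.

Added example, not part of the original guide. Runs offline against the
constructed TXT answers in FAKE_DNS; pass your own txt_lookup-style
function (e.g. one wrapping dnspython) to check live zones. The contents
shown for spf.protection.outlook.com are illustrative only.
"""
import re

# Constructed DNS answers: hostname -> list of TXT strings.
FAKE_DNS = {
    "contoso.com": [
        "v=spf1 include:spf.protection.outlook.com include:_spf.example-crm.net -all",
        "google-site-verification=not-an-spf-record",
    ],
    "spf.protection.outlook.com": ["v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 -all"],
    "_spf.example-crm.net": [
        "v=spf1 include:_spf-a.example-crm.net include:_spf-b.example-crm.net ~all"
    ],
    "_spf-a.example-crm.net": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf-b.example-crm.net": ["v=spf1 a mx -all"],
    # Misconfigured zone: two SPF records and no Microsoft include.
    "broken.example": ["v=spf1 ip4:198.51.100.1 ~all", "v=spf1 mx -all"],
}

M365_INCLUDE = "include:spf.protection.outlook.com"
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that cost a DNS query during evaluation; ip4/ip6/all/exp do not.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)")


def txt_lookup(name, dns=FAKE_DNS):
    """Return the TXT strings published at name (from the constructed table)."""
    return dns.get(name.lower().rstrip("."), [])


def spf_records(name, dns=FAKE_DNS):
    """Only TXT records beginning with v=spf1 count as SPF (RFC 7208 section 4.5)."""
    return [r for r in txt_lookup(name, dns) if r.lower().startswith("v=spf1")]


def count_lookups(record, dns=FAKE_DNS, seen=None):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    seen = set() if seen is None else seen
    total = 0
    for term in record.split()[1:]:
        if not LOOKUP_TERM.match(term):
            continue
        total += 1
        bare = term.lstrip("+-~?")
        target = None
        if bare.startswith("include:"):
            target = bare.split(":", 1)[1]
        elif bare.startswith("redirect="):
            target = bare.split("=", 1)[1]
        if target and target not in seen:
            seen.add(target)
            for sub in spf_records(target, dns):
                total += count_lookups(sub, dns, seen)
    return total


def check_spf(domain, dns=FAKE_DNS):
    """Return a list of findings for the domain; an empty list means it looks healthy."""
    findings = []
    records = spf_records(domain, dns)
    if not records:
        return [f"{domain}: no SPF record published"]
    if len(records) > 1:
        findings.append(f"{domain}: {len(records)} SPF records; receivers return permerror")
    terms = records[0].split()[1:]
    if M365_INCLUDE not in terms:
        findings.append(f"{domain}: missing {M365_INCLUDE}")
    last = terms[-1] if terms else ""
    if last not in ("-all", "~all"):
        findings.append(f"{domain}: record ends with {last!r}, expected -all (or ~all during rollout)")
    lookups = count_lookups(records[0], dns)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{domain}: {lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return findings


if __name__ == "__main__":
    for name in ("contoso.com", "broken.example"):
        print(name, count_lookups(spf_records(name)[0]), "lookups", check_spf(name) or "OK")
```

The lookup count follows nested includes the way a receiver does, so a vendor record that itself includes several others is charged for each of them; in the constructed data contoso.com costs six lookups even though its own record lists only two includes.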


DKIM (DomainKeys Identified Mail)

What It Does

DKIM adds a digital signature (the DKIM-Signature header) to every outgoing message, computed with a private key that Microsoft 365 holds for you. Receivers fetch the matching public key from DNS at <selector>._domainkey.<signing domain> and verify that the signed headers and body were not altered in transit and that whoever signed the message controls that domain.

Purpose

  • Verifies that email content hasn't been tampered with during transmission

  • Confirms the email was authorized by the domain owner

  • Improves email deliverability and reduces false positives in spam filters

  • Works in conjunction with SPF and DMARC for comprehensive email authentication

  • Required for optimal Microsoft 365 security posture

High-Level Setup Steps

  1. Sign in to the Microsoft Defender portal and go to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM (the same settings are available in Exchange Online PowerShell through Get-DkimSigningConfig, New-DkimSigningConfig and Set-DkimSigningConfig)

  2. Select your custom domain and choose Create DKIM keys (Microsoft generates the key pair; you never handle the private key)

  3. Microsoft shows two CNAME records that must be added to your DNS; their targets point at the public keys Microsoft publishes under your tenant's onmicrosoft.com domain

  4. Add both CNAME records to your domain's DNS settings, copying the exact targets the portal shows:

    • selector1._domainkey.yourdomain.com -> selector1-<yourdomain-with-dots-as-dashes>._domainkey.<tenant>.onmicrosoft.com

    • selector2._domainkey.yourdomain.com -> selector2-<yourdomain-with-dots-as-dashes>._domainkey.<tenant>.onmicrosoft.com

  5. Wait for DNS propagation (can take up to 48 hours); Microsoft will not enable signing until both CNAMEs resolve

  6. Return to the same DKIM page in the Defender portal and turn on "Sign messages for this domain with DKIM signatures"

  7. Verify DKIM is working by sending a test email to an external mailbox and checking the headers: the DKIM-Signature header should carry d=yourdomain.com and s=selector1 or s=selector2, and the receiver's Authentication-Results header should show dkim=pass
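
Steps 3, 4 and 7 as an added Python example (not part of this guide or of Microsoft's tooling): it builds the two CNAME records for a custom domain, checks them against a constructed DNS answer table, and parses the DKIM-Signature of a test message to tell a signature under the custom domain apart from the default <tenant>.onmicrosoft.com signature. The selector1-<domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com naming rule follows Microsoft's published pattern but is an assumption here; always take the authoritative values from the portal or Get-DkimSigningConfig. The contoso.com tenant and both message headers are constructed.

```python
"""DKIM checks for a Microsoft 365 custom domain.

Added example, not part of the original guide. Builds the two CNAME
records Microsoft expects for selector1/selector2, checks them against a
DNS answer table (constructed here), and reads the DKIM-Signature of a test
message to confirm it is signed as the custom domain rather than with the
default <tenant>.onmicrosoft.com signature. Take the authoritative CNAME
values from the Defender portal or Get-DkimSigningConfig; the naming rule
below matches Microsoft's published pattern but is assumed for the example.
"""
import email


def m365_dkim_cnames(domain, tenant):
    """Expected CNAMEs: selectorN._domainkey.<domain> ->
    selectorN-<domain with dots as dashes>._domainkey.<tenant>.onmicrosoft.com"""
    dashed = domain.lower().replace(".", "-")
    return {
        f"selector{n}._domainkey.{domain.lower()}":
            f"selector{n}-{dashed}._domainkey.{tenant.lower()}.onmicrosoft.com"
        for n in (1, 2)
    }


# Constructed CNAME answers: name -> target (one with a trailing dot, as resolvers return it).
FAKE_CNAME = {
    "selector1._domainkey.contoso.com": "selector1-contoso-com._domainkey.contoso.onmicrosoft.com.",
    "selector2._domainkey.contoso.com": "selector2-contoso-com._domainkey.contoso.onmicrosoft.com",
}


def check_dkim_cnames(domain, tenant, dns=FAKE_CNAME):
    """Return {cname_name: problem} for expected records that are missing or wrong."""
    problems = {}
    for name, target in m365_dkim_cnames(domain, tenant).items():
        actual = dns.get(name)
        if actual is None:
            problems[name] = "CNAME not found"
        elif actual.rstrip(".").lower() != target:
            problems[name] = f"points to {actual}, expected {target}"
    return problems


# Constructed header blocks (bh= and b= are placeholders, not real hashes or
# signatures) approximating an outbound message in each state.
SIGNED_AS_CUSTOM_DOMAIN = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; s=selector1;
 h=From:Date:Subject:Message-ID:To; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@contoso.com>
To: bob@example.net
Subject: DKIM test

hello
"""

DEFAULT_TENANT_SIGNATURE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.onmicrosoft.com;
 s=selector1-contoso-com; h=From:Date:Subject:To; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@contoso.com>
To: bob@example.net
Subject: DKIM test

hello
"""


def dkim_signature_tags(raw_message):
    """Parse the first DKIM-Signature header into a {tag: value} dict."""
    sig = email.message_from_string(raw_message).get("DKIM-Signature")
    if sig is None:
        return {}
    tags = {}
    for part in sig.replace("\r", "").replace("\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def signed_as_custom_domain(raw_message, domain):
    """True when d= is the custom domain and s= is one of Microsoft's two selectors,
    i.e. the signature will align with the From domain for DMARC."""
    tags = dkim_signature_tags(raw_message)
    return tags.get("d", "").lower() == domain.lower() and tags.get("s") in ("selector1", "selector2")
```

The second sample header is the shape to watch for: the message is signed, and a receiver will report dkim=pass, but d= is the tenant's onmicrosoft.com domain, so the signature does not align with the contoso.com From address and contributes nothing to DMARC.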


DMARC (Domain-based Message Authentication, Reporting, and Conformance)

What It Does

DMARC builds on SPF and DKIM by telling receiving mail servers what to do if an email fails SPF or DKIM checks. It also provides reporting so you can monitor authentication results and detect potential abuse.

Purpose

  • Defines how receivers should handle emails that fail both aligned SPF and aligned DKIM validation

  • Provides visibility into all email sources sending from your domain

  • Blocks phishing and business email compromise (BEC) that put your exact domain in the "From" header; it does nothing against lookalike domains or display-name spoofing, which need other controls

  • Generates aggregate (rua) reports and, from the few receivers that send them, failure (ruf) reports showing authentication results per sending source

  • Required by the major mailbox providers for bulk senders and by many security frameworks and industry standards

  • Helps achieve better inbox placement rates

High-Level Setup Steps

  1. Ensure SPF and DKIM are already set up and working properly

  2. Decide on your DMARC policy (start with monitoring mode: p=none)

  3. Set up a mailbox (or a DMARC reporting service) to receive the reports; if that address is on a different domain than the one publishing the policy, the report-receiving domain must publish a TXT record at yourdomain.com._report._dmarc.<reportdomain> containing v=DMARC1, or receivers will refuse to send reports there

  4. Create a TXT record in your DNS at _dmarc.yourdomain.com

  5. Example starter record: v=DMARC1; p=none; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1 (fo=1 asks for a failure report whenever either SPF or DKIM fails; few large receivers send ruf reports at all, so plan your monitoring around the aggregate rua reports)

  6. Monitor DMARC aggregate reports to identify all legitimate email sources

  7. Ensure all legitimate sources pass SPF and/or DKIM

  8. Gradually increase policy enforcement, using pct= to phase each step in and sp= if subdomains need a different policy than the main domain:

    • Start: p=none (monitoring)

    • Then: p=quarantine (suspicious email to junk)

    • Finally: p=reject (block failed authentication)
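
The policy logic behind steps 2, 7 and 8, as an added Python example (not part of this guide): it parses a DMARC record with the RFC 7489 defaults filled in, checks whether the SPF and DKIM results align with the header "From" domain the way a receiving server does, and applies p=, sp= and pct= to decide the disposition. The records, the dmarc-rua@contoso.com mailbox and the Authentication-Results header are constructed; the organizational-domain check uses the last two labels instead of the Public Suffix List, which is enough for the .com examples but not for domains like example.co.uk.

```python
"""DMARC record parsing and per-message evaluation.

Added example, not part of the original guide. Parses a _dmarc TXT record
with the RFC 7489 defaults filled in, checks SPF/DKIM identifier alignment
against the header From domain the way a receiving server does, applies
p=/sp=/pct=, and reads those inputs from a Microsoft-style
Authentication-Results header. Records, mailbox names and headers are
constructed for the example.
"""
import hashlib
import re

# Constructed records; the rua mailbox is a placeholder, not a real address.
STARTER = "v=DMARC1; p=none; rua=mailto:dmarc-rua@contoso.com"
ENFORCED = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
            "rua=mailto:dmarc-rua@contoso.com")


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and a p= tag")
    tags.setdefault("adkim", "r")     # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels. Real
    receivers use the Public Suffix List; this is enough for .com examples."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, record_domain, from_domain, *, spf_result, spf_domain,
             dkim_result, dkim_domain, message_id):
    """Return (dmarc_pass, disposition); disposition is none, quarantine or reject."""
    pol = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, pol["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # p= covers the domain the record was published for, sp= its subdomains.
    policy = pol["p"] if from_domain.lower() == record_domain.lower() else pol["sp"]
    if policy == "none":
        return False, "none"
    # pct= samples which failing messages get the full policy; a stable hash
    # of the Message-ID stands in for the receiver's random choice.
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    if bucket < int(pol["pct"]):
        return False, policy
    # Unsampled messages get the next weaker action (RFC 7489 section 6.6.4).
    return False, "quarantine" if policy == "reject" else "none"


AR_RESULT = re.compile(r"\b(spf|dkim)=(\w+)")


def ar_property(auth_results, name):
    """Pull e.g. header.from=<domain> out of an Authentication-Results header."""
    match = re.search(re.escape(name) + r"=([\w.-]+)", auth_results)
    return match.group(1) if match else ""


def evaluate_header(record, record_domain, auth_results, message_id):
    """Feed a Microsoft-style Authentication-Results header into evaluate()."""
    results = dict(AR_RESULT.findall(auth_results))
    return evaluate(record, record_domain, ar_property(auth_results, "header.from"),
                    spf_result=results.get("spf", "none"),
                    spf_domain=ar_property(auth_results, "smtp.mailfrom"),
                    dkim_result=results.get("dkim", "none"),
                    dkim_domain=ar_property(auth_results, "header.d"),
                    message_id=message_id)


# Constructed header resembling what Exchange Online stamps on inbound mail:
# a message forwarded through a third party, so SPF fails but DKIM survives.
AR_FORWARDED = ("spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=contoso.com; "
                "dkim=pass (signature was verified) header.d=contoso.com; "
                "dmarc=pass action=none header.from=contoso.com")
```

Two cases are worth running by hand: a forwarded message (SPF breaks, DKIM still aligns, DMARC passes), and a vendor that passes SPF for its own bounce domain without signing as yours (SPF says pass, DMARC still fails because nothing aligns). The second is what the p=none monitoring phase exists to find before you move to quarantine.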


Implementation Best Practices

Recommended Order

  1. Start with SPF - Foundation of email authentication, quick to implement

  2. Enable DKIM - Adds cryptographic verification and message integrity

  3. Implement DMARC - Provides policy enforcement and visibility into email ecosystem

DMARC Policy Progression Timeline

  • Weeks 1-4: p=none (monitoring only - collect data, no enforcement)

  • Weeks 5-8: p=quarantine; pct=10 (gradually quarantine a percentage of failures)

  • Weeks 9-12: p=quarantine; pct=100 (quarantine all failures)

  • Week 13+: p=reject; pct=100 (reject all authentication failures); remember that p= also applies to subdomains unless sp= says otherwise, and that pct= only affects quarantine and reject (it has no effect under p=none)

Microsoft 365 Specific Considerations

  • Microsoft 365 signs mail from *.onmicrosoft.com domains automatically; mail from a custom domain whose DKIM has not been enabled is also signed, but with the tenant's onmicrosoft.com domain in d=, which does not align with your domain and therefore does not count for DMARC

  • Custom domains therefore require the DKIM configuration described above before DKIM can contribute to a DMARC pass

  • Microsoft uses two DKIM selectors (selector1 and selector2) so that keys can be rotated without a gap in signing; both CNAMEs must stay published

  • SPF record must include include:spf.protection.outlook.com

  • Use -all (hard fail) in the SPF record once every legitimate sender is listed; ~all (soft fail) is a transitional setting

  • Microsoft 365 can consume the aggregate (rua) reports other receivers send to your mailbox; as a receiver itself, Microsoft sends aggregate reports but no forensic (ruf) reports, and most other large providers send few or none, so build your monitoring on rua

Important Notes

  • DNS changes can take up to 48 hours to propagate fully

  • Test email authentication after DNS changes by sending to an external mailbox and reading the Authentication-Results header (the spf=, dkim= and dmarc= results and the domains they were evaluated for); Exchange Online stamps the same header on inbound mail

  • Monitor DMARC reports regularly, especially during initial rollout

  • Keep only one SPF record per domain (combine all includes in one record)

  • SPF has a 10 DNS lookup limit - optimize your record if you have many includes

  • DKIM keys in Microsoft 365 are automatically rotated but should be monitored



Quick Reference

  Protocol | DNS Record Type         | Example Record                                  | Priority | Purpose
  ---------|-------------------------|-------------------------------------------------|----------|--------------------------
  SPF      | TXT                     | v=spf1 include:spf.protection.outlook.com -all  | High     | Authorizes mail servers
  DKIM     | CNAME (2 records)       | Points to Microsoft's DKIM infrastructure       | High     | Signs message content
  DMARC    | TXT (at _dmarc.domain)  | v=DMARC1; p=none; rua=mailto:[email protected]   | Critical | Sets policy and reporting


Troubleshooting Common Issues

SPF Issues

  • Multiple SPF records: Ensure only one TXT record starts with v=spf1

  • Too many DNS lookups: Reduce the number of include: statements, or flatten your SPF record into ip4:/ip6: entries (and then keep those entries in sync with the vendors' published ranges, or mail will start failing when they change)

  • Missing Microsoft include: Always include include:spf.protection.outlook.com

DKIM Issues

  • CNAME not found: Wait for DNS propagation or check CNAME records are correct

  • Cannot enable DKIM signing: Verify both CNAME records are published in DNS

  • Selector issues: Microsoft uses selector1 and selector2 - both must be configured

DMARC Issues

  • No reports received: Verify the address in the rua tag is correct and receiving mail; if it is on a different domain than the one publishing the policy, that domain must publish a TXT record at yourdomain.com._report._dmarc.<reportdomain> containing v=DMARC1, or receivers will not send reports there

  • High failure rate: Review DMARC aggregate reports to identify unauthorized senders or misconfigured sources; legitimate third-party senders that pass SPF for their own bounce domain but carry no DKIM signature for yours are the usual culprit

  • Alignment failures: The domain in the DKIM d= tag, or the MAIL FROM domain that SPF checked, must match the header "From" domain (exactly under adkim=s/aspf=s, same organizational domain under the default relaxed mode); an SPF or DKIM pass for an unaligned domain does not count toward DMARC
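
Triage of the "high failure rate" and "alignment failures" cases above, as an added Python example (not part of this guide): it parses the XML aggregate report format receivers mail to the rua= address (RFC 7489 Appendix C), groups rows by source IP, and explains why each failing source fails. The report is constructed inline with three sources (Microsoft's own outbound IP, a third-party sender that passes SPF only for its own bounce domain, and an unknown sender); real reports arrive as gzip or zip attachments and need unpacking first.

```python
"""Summarize a DMARC aggregate (rua) report.

Added example, not part of the original guide. Parses the XML that
receivers mail to the rua= address (RFC 7489 Appendix C), groups rows by
source IP, and explains why each failing source fails. The report below is
constructed for the example; real reports arrive as gzip/zip attachments.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>Example Receiver</org_name><report_id>constructed-1</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>contoso.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><sp>none</sp><pct>100</pct></policy_published>
 <record>
  <row><source_ip>40.107.0.1</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>contoso.com</header_from></identifiers>
  <auth_results><dkim><domain>contoso.com</domain><selector>selector1</selector><result>pass</result></dkim>
   <spf><domain>contoso.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.50</source_ip><count>8</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>contoso.com</header_from></identifiers>
  <auth_results><spf><domain>bounces.example-crm.net</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>300</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>contoso.com</header_from></identifiers>
  <auth_results><spf><domain>contoso.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>
"""


def summarize(xml_text):
    """Return (policy_domain, {source_ip: stats}) aggregated over all rows."""
    root = ET.fromstring(xml_text)
    domain = root.find("policy_published").findtext("domain")
    sources = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        entry = sources.setdefault(row.findtext("source_ip"), {
            "count": 0,
            "dkim_aligned": evaluated.findtext("dkim"),   # aligned DKIM verdict
            "spf_aligned": evaluated.findtext("spf"),     # aligned SPF verdict
            "disposition": evaluated.findtext("disposition"),
            "spf_pass_domains": set(),                    # raw SPF passes, aligned or not
            "dkim_domains": set(),                        # d= of any signature seen
        })
        entry["count"] += int(row.findtext("count"))
        auth = rec.find("auth_results")
        if auth is not None:
            for spf in auth.findall("spf"):
                if spf.findtext("result") == "pass":
                    entry["spf_pass_domains"].add(spf.findtext("domain"))
            for dkim in auth.findall("dkim"):
                entry["dkim_domains"].add(dkim.findtext("domain"))
    return domain, sources


def dmarc_passed(entry):
    """DMARC passes when either aligned identifier passes."""
    return entry["dkim_aligned"] == "pass" or entry["spf_aligned"] == "pass"


def diagnose(entry, domain):
    """One-line hint for why a source fails, so you know which fix applies."""
    if dmarc_passed(entry):
        return "ok"
    foreign = sorted(d for d in entry["spf_pass_domains"] if d != domain)
    if foreign:
        return (f"SPF passes for {foreign[0]} but that is not aligned with {domain}; "
                f"have this sender DKIM-sign as {domain} or use an aligned return-path")
    if not entry["dkim_domains"]:
        return "no DKIM signature and SPF fails: unknown or unauthorized sender"
    return "signed, but neither identifier aligns with the From domain"


def failing_sources(sources):
    """Failing source IPs, busiest first, for triage."""
    return sorted((ip for ip, e in sources.items() if not dmarc_passed(e)),
                  key=lambda ip: -sources[ip]["count"])
```

Usage: domain, sources = summarize(SAMPLE_REPORT), then print diagnose(sources[ip], domain) for each ip in failing_sources(sources). Sorting by volume first is deliberate: in the constructed report the unknown sender at 198.51.100.7 accounts for 300 messages and is either a forgotten system or a spoofer, which is the question to answer before p=quarantine goes live.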


All three protocols (SPF, DKIM, and DMARC) must be implemented for complete email authentication and optimal security in Microsoft 365.