Setting Up Email Authentication for Microsoft 365

Complete guide to configuring SPF, DKIM, and DMARC for Microsoft 365/Office 365. Includes step-by-step instructions for Exchange Online.

Microsoft 365 (formerly Office 365) requires proper email authentication configuration for optimal deliverability. This guide covers SPF, DKIM, and DMARC setup specifically for Microsoft 365.

Overview

Microsoft 365 automatically configures some authentication, but you need to:

  1. Verify SPF - Microsoft adds itself automatically, but you may need to add other services
  2. Enable DKIM - Must be manually enabled in Exchange Admin Center
  3. Configure DMARC - You publish this yourself in DNS

Prerequisites

  • Microsoft 365 admin access
  • Access to your domain's DNS settings
  • Domain added to Microsoft 365

Step 1: Configure SPF for Microsoft 365

Microsoft's Default SPF

Microsoft automatically adds itself to your SPF when you add a domain, but you need to verify and potentially add other services.

Check Current SPF Record

  1. Go to Microsoft 365 Admin Center
  2. Navigate to Settings → Domains
  3. Select your domain
  4. View DNS records → Find SPF record

Or check DNS directly:

dig TXT yourdomain.com

Standard Microsoft 365 SPF Record

v=spf1 include:spf.protection.outlook.com -all

Adding Additional Services

If you use other email services alongside Microsoft 365:

v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:servers.mcsv.net -all

Important: Microsoft 365's SPF includes multiple IP ranges. Don't try to flatten it manually.

Common Microsoft 365 SPF Includes

Service                     Include Statement
Microsoft 365 (default)     include:spf.protection.outlook.com
Exchange Online Protection  Already included in above
Microsoft Teams             Already included
Dynamics 365                include:spf.dynamics.com

DNS Configuration

Add or update TXT record:

Field      Value
Type       TXT
Host/Name  @ or leave blank
Value      v=spf1 include:spf.protection.outlook.com -all
TTL        3600

Step 2: Enable DKIM for Microsoft 365

Microsoft 365 uses CNAME records for DKIM, not TXT records like other providers.

Enable DKIM in Exchange Admin Center

  1. Go to Microsoft 365 Defender Portal

  2. Select your domain

  3. Enable DKIM signing

  4. Microsoft generates two selectors:

    • selector1._domainkey.yourdomain.com
    • selector2._domainkey.yourdomain.com

Add CNAME Records to DNS

Microsoft provides CNAME records like:

selector1._domainkey  CNAME  selector1-yourdomain-com._domainkey.onmicrosoft.com
selector2._domainkey  CNAME  selector2-yourdomain-com._domainkey.onmicrosoft.com

DNS Configuration:

Field      Value
Type       CNAME
Host/Name  selector1._domainkey
Value      selector1-yourdomain-com._domainkey.onmicrosoft.com
TTL        3600

Repeat for selector2._domainkey.

Verify DKIM Setup

Method 1: Microsoft Admin Center

  • Go back to DKIM settings
  • Status should show "Enabled" with green checkmark

Method 2: Send Test Email

  1. Send email from Microsoft 365 account
  2. Check email headers
  3. Look for DKIM-Signature header
  4. Verify d= matches your domain

Method 3: Online Tools

  • Use MailSentinel to check DKIM records
  • Use MXToolbox DKIM checker

DKIM Key Rotation

Microsoft automatically rotates DKIM keys:

  • Keys rotate every few months
  • CNAME records stay the same
  • No manual intervention needed

Step 3: Configure DMARC for Microsoft 365

Microsoft doesn't configure DMARC automatically - you must do this yourself.

Get Your MailSentinel Report Address

  1. Log in to MailSentinel
  2. Go to Settings → DMARC Configuration
  3. Copy your report address: your-org-id@reports.mailsentinel.io

Create DMARC Record

Starting with monitoring (recommended):

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io

After monitoring period:

v=DMARC1; p=quarantine; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Full enforcement:

v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=r; aspf=r

Add DMARC Record to DNS

Field      Value
Type       TXT
Host/Name  _dmarc
Value      Your DMARC record
TTL        3600

Verify DMARC Setup

  1. Use MailSentinel to check DNS
  2. Verify DMARC record is detected
  3. Wait 24-48 hours for first reports
  4. Monitor in MailSentinel dashboard

Microsoft 365 Specific Considerations

Shared Mailboxes

  • Shared mailboxes use the same authentication
  • No special configuration needed
  • DMARC applies to all mailboxes

Distribution Lists

  • Distribution lists don't send email directly
  • Replies use the sender's authentication
  • No special SPF/DKIM needed

External Forwarding

If you forward emails externally:

  1. Enable ARC (Authenticated Received Chain)

    • Helps preserve authentication through forwarding
    • Configure in Exchange Admin Center
  2. Update SPF if forwarding to external addresses

    • May need to include forwarding server IPs

Hybrid Deployments

If using hybrid Exchange (on-premises + cloud):

  1. On-premises servers need their own SPF entries
  2. Add on-premises IPs to SPF:
    v=spf1 include:spf.protection.outlook.com ip4:your-onprem-ip -all
  3. Configure DKIM on on-premises if sending directly
  4. Ensure DMARC covers both environments

Microsoft Teams

Microsoft Teams emails:

  • Use Microsoft 365 authentication
  • Covered by your SPF/DKIM/DMARC
  • No additional configuration needed

Troubleshooting Microsoft 365 Issues

Issue 1: SPF Too Permissive

Problem: Using +all or ?all instead of -all

Solution:

  1. Edit DNS TXT record
  2. Change to -all
  3. Verify in Microsoft Admin Center

Issue 2: DKIM Not Signing

Symptoms:

  • No DKIM signature in headers
  • DKIM status shows "Not enabled"

Solutions:

  1. Verify DKIM is enabled in Security Center
  2. Check CNAME records are published correctly
  3. Wait 15-60 minutes for DNS propagation
  4. Verify domain is fully configured in Microsoft 365

Issue 3: DMARC Failures

Symptoms:

  • DMARC reports show failures
  • Emails going to spam

Common Causes:

  1. SPF alignment issues

    • Envelope sender doesn't match From: domain
    • Check Return-Path header
  2. DKIM alignment issues

    • DKIM signing domain doesn't match From: domain
    • Microsoft signs with your domain, so this is usually fine
  3. Third-party senders

    • Services sending as your domain not in SPF
    • Add missing services to SPF
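
The alignment rules behind these causes, as an added example (not part of the original guide or any Microsoft or MailSentinel tooling). It evaluates a DMARC record against the From: domain, the Return-Path domain and the DKIM d= value; esp-example.net and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators use
    # the Public Suffix List, so this is wrong for names like example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def is_aligned(from_domain, auth_domain, mode):
    if mode == "s":  # strict: the two domains must match exactly
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed


def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (passed, domain) pairs: the Return-Path domain for SPF,
    the d= value for DKIM. Returns (dmarc_pass, disposition)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] and is_aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] and is_aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    passed = bool(spf_ok or dkim_ok)  # DMARC needs only one aligned pass
    return passed, "none" if passed else tags.get("p", "none")


# RELAXED is the guide's quarantine record; STRICT is a constructed variant.
RELAXED = ("v=DMARC1; p=quarantine; "
           "rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r")
STRICT = RELAXED.replace("adkim=r", "adkim=s").replace("aspf=r", "aspf=s")

if __name__ == "__main__":
    # Constructed messages: a third-party sender, then a subdomain Return-Path.
    third_party = ((True, "bounce.esp-example.net"), (True, "esp-example.net"))
    subdomain = ((True, "bounces.yourdomain.com"), (False, ""))
    print(evaluate(RELAXED, "yourdomain.com", *third_party))
    print(evaluate(RELAXED, "yourdomain.com", *subdomain))
    print(evaluate(STRICT, "yourdomain.com", *subdomain))
```

The third-party case fails even though SPF and DKIM both pass, because neither authenticated domain matches the From: domain.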

Issue 4: Multiple SPF Records

Problem: Multiple SPF TXT records exist

Solution:

  1. Find all SPF records:
    dig TXT yourdomain.com | grep "v=spf1"
  2. Merge into single record
  3. Remove duplicates
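
A linter for the SPF problems in Issue 1 and Issue 4, as an added example (not part of the original guide). It takes the TXT strings that `dig TXT yourdomain.com` returns and flags duplicate SPF records, a +all or ?all ending, and more than 10 DNS-lookup terms (the RFC 7208 limit); the sample records and the finding codes are constructed for illustration.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208 limit: 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.\-]*)(?:[:/=].*)?$")


def lint_spf(txt_records):
    """Return (code, detail) findings for the TXT strings published at one name."""
    spf = [r.strip() for r in txt_records
           if re.match(r"v=spf1(\s|$)", r.strip(), re.IGNORECASE)]
    if not spf:
        return [("NO_SPF", "no v=spf1 record published")]
    findings = []
    if len(spf) > 1:
        findings.append(("MULTIPLE_RECORDS",
                         f"{len(spf)} SPF records; merge them into one"))
    for record in spf:
        lookups, all_qualifier, has_redirect = 0, None, False
        for term in record.lower().split()[1:]:
            m = TERM_RE.match(term)
            if not m:
                findings.append(("BAD_TERM", term))
                continue
            qualifier, name = m.group(1) or "+", m.group(2)
            if name in LOOKUP_TERMS:
                lookups += 1  # top level only; nested includes add more
            if name == "redirect":
                has_redirect = True
            if name == "all":
                all_qualifier = qualifier
        if all_qualifier in ("+", "?"):
            findings.append(("PERMISSIVE_ALL", f"{all_qualifier}all in: {record}"))
        elif all_qualifier is None and not has_redirect:
            findings.append(("MISSING_ALL", record))
        if lookups > MAX_LOOKUPS:
            findings.append(("TOO_MANY_LOOKUPS", f"{lookups} top-level lookups"))
    return findings


# Constructed sample: TXT answers for a misconfigured domain.
SAMPLE = [
    "MS=ms00000000",  # placeholder for an unrelated TXT record; ignored
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=spf1 include:sendgrid.net ?all",
]

if __name__ == "__main__":
    for code, detail in lint_spf(SAMPLE):
        print(code, "-", detail)
```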

Issue 5: DKIM CNAME Not Working

Symptoms:

  • CNAME records not resolving
  • DKIM validation fails

Solutions:

  1. Verify CNAME syntax is correct
  2. Check for typos in hostname
  3. Ensure no conflicting TXT records
  4. Wait for DNS propagation

Microsoft 365 Bulk Sender Requirements (2025)

Starting May 2025, Microsoft enforces requirements for bulk senders:

Requirements

  1. SPF and DKIM - Both required
  2. DMARC Policy - Must publish DMARC (minimum p=none)
  3. DMARC Alignment - From: domain must align with SPF or DKIM
  4. One-Click Unsubscribe - Required for marketing emails
  5. Spam Rate - Keep below 0.3%

Compliance Checklist

  • SPF record includes spf.protection.outlook.com
  • DKIM enabled and CNAME records published
  • DMARC record published (start with p=none)
  • DMARC reports being received
  • SPF alignment verified
  • DKIM alignment verified
  • List-Unsubscribe headers configured
  • Spam complaint rate monitored

Best Practices for Microsoft 365

1. Start with Monitoring

Begin with p=none DMARC policy:

  • Monitor for 2-4 weeks
  • Identify all sending sources
  • Fix alignment issues
  • Then move to enforcement

2. Use MailSentinel for Monitoring

  • Set up DMARC reporting to MailSentinel
  • Monitor SPF/DKIM pass rates
  • Get alerts for authentication failures
  • Track progress toward enforcement

3. Regular Audits

Review quarterly:

  • SPF record for unused services
  • DKIM signing status
  • DMARC report data
  • Alignment issues

4. Document Configuration

Keep records of:

  • SPF includes and why
  • DKIM selector status
  • DMARC policy progression
  • Any custom configurations

5. Test Before Changes

  • Use test subdomain first
  • Send test emails
  • Verify headers
  • Check DMARC reports
  • Then apply to production

Common Microsoft 365 Configurations

Small Business (Microsoft 365 Only)

SPF:

v=spf1 include:spf.protection.outlook.com -all

DKIM: Enable in Security Center

DMARC:

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

Enterprise (Microsoft 365 + Marketing Platform)

SPF:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all

DKIM: Enable Microsoft 365 DKIM + configure marketing platform DKIM

DMARC:

v=DMARC1; p=quarantine; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Hybrid (On-Premises + Microsoft 365)

SPF:

v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all

DKIM: Enable for Microsoft 365, configure separately for on-premises

DMARC: Same as above, covers both environments

Next Steps

After configuring Microsoft 365 authentication:

  1. Monitor DMARC Reports - Track authentication status
  2. Set Up Alerts - Get notified of issues
  3. Review SPF Validation - Check lookup count
  4. Progressive DMARC Enforcement - Move toward p=reject
