SPFWise
deliverability

SPF, DKIM and DMARC for Microsoft 365

Microsoft 365 sends your mail but does not authenticate your domain for you. Here are the exact SPF, DKIM and DMARC records to publish.

Jul 3, 20265 min read

Microsoft 365 sends your mail, but it does not authenticate your domain for you out of the box. To pass SPF, DKIM and DMARC on Microsoft 365 you need to publish a few DNS records yourself. Here is the full setup.

SPF for Microsoft 365

Publish one SPF TXT record on your domain authorizing Microsoft's servers:

v=spf1 include:spf.protection.outlook.com -all

If you send through other services too, add their includes before the -all, and watch the ten lookup limit.

DKIM for Microsoft 365

Microsoft 365 uses two selectors, selector1 and selector2, published as CNAME records that point back to your Microsoft tenant. Add both CNAMEs from the records Microsoft shows in the admin center, then enable DKIM signing for your domain. Publishing the CNAMEs alone does nothing until you switch signing on. See how to set up DKIM for the general idea.

DMARC for Microsoft 365

DMARC is the same regardless of provider. Publish a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Start at p=none, read the reports, then advance toward p=reject. See moving from p=none to reject safely.

Verify

Once SPF, both DKIM CNAMEs and DMARC are published and signing is enabled, scan your domain to confirm all three pass.

Reads public DNS only. Nothing is stored unless you save the domain to an account.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Related guides

How to Set Up SPF, DKIM and DMARC for Microsoft 365 | SPFWise