Microsoft 365 sends your mail, but it does not authenticate your domain for you out of the box. To pass SPF, DKIM and DMARC on Microsoft 365 you need to publish a few DNS records yourself. Here is the full setup.
SPF for Microsoft 365
Publish one SPF TXT record on your domain authorizing Microsoft's servers:
v=spf1 include:spf.protection.outlook.com -all
If you send through other services too, add their includes before the -all, and stay within SPF's limit of ten DNS lookups.
DKIM for Microsoft 365
Microsoft 365 uses two selectors, selector1 and selector2, published as CNAME records that point back to your Microsoft tenant. Add both CNAMEs from the records Microsoft shows in the admin center, then enable DKIM signing for your domain. Publishing the CNAMEs alone does nothing until you switch signing on. See how to set up DKIM for the general idea.
DMARC for Microsoft 365
DMARC is the same regardless of provider. Publish a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Start at p=none, read the reports, then advance toward p=reject. See moving from p=none to reject safely.
Verify
Once SPF, both DKIM CNAMEs and DMARC are published and signing is enabled, scan your domain to confirm all three pass.
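The checks above can also be expressed as a small offline audit. This is an added example, not code from the original page or from Microsoft. The function names, the example.com records and the CNAME target are constructed placeholders, and a present CNAME does not prove that signing has been switched on.

```python
# Added example. `zone` maps a DNS name to its TXT strings and `cnames` maps a
# name to its CNAME target; both are constructed sample data, not live DNS.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS lookup each

def spf_of(name, zone):
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, seen=None):
    """Count lookup-causing SPF terms, following include/redirect into `zone`."""
    seen = set() if seen is None else seen
    if name in seen or not spf_of(name, zone):
        return 0
    seen.add(name)  # guards against include loops
    total = 0
    for term in spf_of(name, zone)[0].lower().split()[1:]:
        mech, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        mech = mech.split("/")[0]  # "a/24" -> "a"
        if mech in LOOKUP_MECHS:
            total += 1
        if mech in ("include", "redirect") and arg:
            total += count_lookups(arg, zone, seen)
    return total

def audit(domain, zone, cnames):
    findings = []
    spf = spf_of(domain, zone)
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()
        if "include:spf.protection.outlook.com" not in terms:
            findings.append("SPF does not include spf.protection.outlook.com")
        if terms[-1] != "-all":
            findings.append("SPF does not end in -all")
        n = count_lookups(domain, zone)
        if n > 10:
            findings.append(f"SPF needs {n} DNS lookups (limit is 10)")
    for sel in ("selector1", "selector2"):
        if f"{sel}._domainkey.{domain}" not in cnames:
            findings.append(f"missing DKIM CNAME for {sel}")
    dmarc = [t for t in zone.get(f"_dmarc.{domain}", []) if t.startswith("v=DMARC1")]
    tags = dict(p.strip().split("=", 1) for p in dmarc[0].split(";") if "=" in p) if len(dmarc) == 1 else {}
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("no single valid DMARC record with a p= tag")
    return findings

GOOD_ZONE = {"example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
             "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]}
GOOD_CNAMES = {f"{s}._domainkey.example.com": "target-from-admin-center.invalid"
               for s in ("selector1", "selector2")}
print(audit("example.com", GOOD_ZONE, GOOD_CNAMES))
```

The lookup count follows include and redirect targets only when their records are present in `zone`, so supply the TXT records of every included service to get the real total.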