Microsoft 365SPF, DKIM & DMARC Setup
Microsoft 365 (Exchange Online) uses a per-tenant MX host and two rotating DKIM selectors. All three records are published in your public DNS, not in Microsoft's portal.
Already set up? Check what your domain publishes right now — SPF, DKIM (selector1, selector2), DMARC, MX, BIMI, and MTA-STS in one scan.
Run a free domain check →1. SPF record
Publish as a TXT record on your root domain. Microsoft recommends the strict -all qualifier. Add other sending services' includes to this ONE record if needed.
TXT record
v=spf1 include:spf.protection.outlook.com -all2. DKIM (selectors: selector1, selector2)
Create two CNAMEs: selector1._domainkey → selector1-<domainGUID>._domainkey.<tenant>.onmicrosoft.com and the same for selector2 (exact targets shown in the Defender portal under Email authentication settings → DKIM). Then enable signing for the domain in that same screen.
3. MX records
| Host | Priority |
|---|---|
| <your-domain-key>.mail.protection.outlook.com | 0 |
The exact host is domain-specific (e.g. contoso-com.mail.protection.outlook.com) — copy it from Microsoft 365 admin center → Settings → Domains → your domain → DNS records.
Verify with the MX Record Lookup tool.
4. DMARC record
Start at p=none with rua reporting. Microsoft honours DMARC on inbound and applies it to outbound alignment; move to quarantine/reject after 2–4 weeks of clean reports.
TXT record at _dmarc.yourdomain.com
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.comMicrosoft 365 authentication FAQ
My DKIM enable button is greyed out — why?
The two selector CNAME records must exist and propagate first. Microsoft validates selector1 and selector2 CNAMEs before it lets you enable signing. Check them with a DNS lookup, wait for TTL, then retry.
Why two DKIM selectors?
Microsoft rotates signing keys between selector1 and selector2 automatically. Both CNAMEs must stay in DNS permanently so rotation never breaks signing.
Does onmicrosoft.com need any of this?
Your fallback *.onmicrosoft.com domain is signed by Microsoft automatically. Custom domains are the ones that need SPF, the DKIM CNAMEs, and DMARC.
Official documentation: Microsoft 365 email authentication docs ↗
Verify your setup
DNS Email Diagnostics
SPF, DKIM, DMARC, MX, BIMI & MTA-STS in one check
MX Record Lookup
See exactly which mail servers your domain publishes
BIMI Validator
Show your logo in Gmail & Yahoo once DMARC is enforced
Deliverability Monitoring
Daily checks + email alerts when a record changes or breaks