Skip to main content
Aarunya AppsAarunya Apps

Microsoft 365SPF, DKIM & DMARC Setup

Microsoft 365 (Exchange Online) uses a per-tenant MX host and two rotating DKIM selectors. All three records are published in your public DNS, not in Microsoft's portal.

Already set up? Check what your domain publishes right now — SPF, DKIM (selector1, selector2), DMARC, MX, BIMI, and MTA-STS in one scan.

Run a free domain check →

1. SPF record

Publish as a TXT record on your root domain. Microsoft recommends the strict -all qualifier. Add other sending services' includes to this ONE record if needed.

TXT record

v=spf1 include:spf.protection.outlook.com -all

2. DKIM (selectors: selector1, selector2)

Create two CNAMEs: selector1._domainkey → selector1-<domainGUID>._domainkey.<tenant>.onmicrosoft.com and the same for selector2 (exact targets shown in the Defender portal under Email authentication settings → DKIM). Then enable signing for the domain in that same screen.

3. MX records

HostPriority
<your-domain-key>.mail.protection.outlook.com0

The exact host is domain-specific (e.g. contoso-com.mail.protection.outlook.com) — copy it from Microsoft 365 admin center → Settings → Domains → your domain → DNS records.

Verify with the MX Record Lookup tool.

4. DMARC record

Start at p=none with rua reporting. Microsoft honours DMARC on inbound and applies it to outbound alignment; move to quarantine/reject after 2–4 weeks of clean reports.

TXT record at _dmarc.yourdomain.com

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Microsoft 365 authentication FAQ

My DKIM enable button is greyed out — why?

The two selector CNAME records must exist and propagate first. Microsoft validates selector1 and selector2 CNAMEs before it lets you enable signing. Check them with a DNS lookup, wait for TTL, then retry.

Why two DKIM selectors?

Microsoft rotates signing keys between selector1 and selector2 automatically. Both CNAMEs must stay in DNS permanently so rotation never breaks signing.

Does onmicrosoft.com need any of this?

Your fallback *.onmicrosoft.com domain is signed by Microsoft automatically. Custom domains are the ones that need SPF, the DKIM CNAMEs, and DMARC.

Official documentation: Microsoft 365 email authentication docs ↗

Verify your setup

Setup guides for other providers

Powered by Aarunya Apps