Microsoft 365 Setup
Setup SPF
The SPF directive for Microsoft 365 is You either need to add it to your existing SPF record, or create a new SPF record.
include:spf.protection.outlook.com. A policy containing the Microsoft 365 SPF directive would look like:v=spf1 include:spf.protection.outlook.com ~all
Checking for an existing SPF record
To verify if you have an existing SPF record, you can use the Domain Check tool:Verify DNS records
Updating an existing SPF record
If you already have an existing SPF record, just include the
include:spf.protection.outlook.com to your existing record. Instructions for updating DNS records can be found on the DNS Providers doc.Creating a SPF record
If you do not have an existing SPF record, you need to create a new one with your DNS provider. Individual instructions can be found on the DNS Providerspage. You should try to include all your email senders at once into your initial SPF policy.
- Record Type
- TXT
- Host/Name
- yourdomain.com
- Value
v=spf1 include:spf.protection.outlook.com ~all
- TTL
- 3600 seconds (1 hour)
Setup DKIM
Setting up DKIM for Microsoft 365 involves enabling it in the Microsoft Defender portal and adding two CNAME records to your DNS. Unlike some other providers, Microsoft 365 uses unique CNAME values for each domain, which you must retrieve from their portal.
Retrieving DKIM CNAME Records
You need to find the specific CNAME records for your domain in the Microsoft 365 Defender portal.
- Go to the Microsoft 365 Defender Portal (DKIM).
- Select your domain from the list.
- Toggle "Enable" to start the process if it's not already enabled.
- A pop-up or section will display the required CNAME records. You will see two records with selectors
selector1andselector2.
Creating the DKIM Records
Install the two CNAME records with your DNS provider.
- Record Type
- CNAME
- Host/Name (Record 1)
- selector1._domainkey
- Value (Record 1)
- (Retrieve from Microsoft Defender Portal)
Example:selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com - Host/Name (Record 2)
- selector2._domainkey
- Value (Record 2)
- (Retrieve from Microsoft Defender Portal)
Example:selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com - TTL
- 3600 seconds (1 hour)
Verification
Once setup, you can verify your SPF/DKIM records are setup with the domain check tool.
Verify DNS records
Verify DNS records