Microsoft 365 Setup
Microsoft 365 requires building or updating your SPF record and enabling DKIM inside the Microsoft Defender portal.
Setup SPF
The SPF directive for Microsoft 365 is include:spf.protection.outlook.com. A policy containing the Microsoft 365 SPF directive would look like:
v=spf1 include:spf.protection.outlook.com ~all
To verify if you have an existing SPF record, you can use the Domain Check tool:
If you do not have an existing SPF record, you need to create a new TXT record with your DNS provider. You should try to include all your email senders in your initial SPF policy.
- Record Type
- TXT
- Host/Name
- @ (or blank)
- Value
v=spf1 include:spf.protection.outlook.com ~all
- TTL
- 3600 seconds (1 hour)
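If the domain already publishes an SPF record, the Microsoft 365 include is merged into that record rather than added as a second TXT record, because a domain with more than one SPF record fails evaluation with permerror. The following is an added example, not part of the original guide; the function names and the sample TXT values are constructed for illustration.

```python
# Added example: choose the single SPF value a domain should publish for Microsoft 365.
M365_INCLUDE = "include:spf.protection.outlook.com"  # directive given on this page


def spf_records(txt_records):
    """Return the TXT values that are SPF policies (first term is v=spf1)."""
    return [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]


def merge_m365_spf(txt_records):
    """Return the one SPF value to publish, given the domain's current TXT values."""
    existing = spf_records(txt_records)
    if len(existing) > 1:
        # RFC 7208 section 4.5: more than one SPF record evaluates to permerror.
        raise ValueError("domain publishes %d SPF records; merge them into one" % len(existing))
    if not existing:
        return "v=spf1 %s ~all" % M365_INCLUDE
    terms = existing[0].split()
    if M365_INCLUDE in [t.lower() for t in terms]:
        return existing[0]  # already authorises Microsoft 365
    # Mechanisms after "all" are never evaluated, so insert before it.
    for i, term in enumerate(terms):
        if term.lower().lstrip("+-~?") == "all":
            terms.insert(i, M365_INCLUDE)
            break
    else:
        terms.append(M365_INCLUDE)
    return " ".join(terms)


if __name__ == "__main__":
    # Constructed sample: TXT values for a domain that already has another sender.
    sample = ["site-verification=constructed-token",
              "v=spf1 include:_spf.mailer.example -all"]
    print(merge_m365_spf(sample))
```

The existing record's own "all" qualifier (here -all) is kept as published; only the include is added.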
Setup DKIM
First, log in to enable DKIM keys inside your Microsoft 365 Defender Admin:
- Go directly to the Microsoft 365 Defender Portal (DKIM).
- Select your custom domain and toggle on Enable.
- Microsoft will provide two unique CNAME records (with selectors selector1 and selector2) to add to your DNS provider:
- Record Type
- CNAME
- Host/Name (Record 1)
- selector1._domainkey
- Value (Record 1)
selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
- Record Type
- CNAME
- Host/Name (Record 2)
- selector2._domainkey
- Value (Record 2)
selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
- TTL
- 3600 seconds (1 hour)
Setup DMARC
Lastly, we can set up DMARC. Again, verify you don't already have DMARC set up.
With basic monitoring, you will receive XML reports to the email address specified which will tell you how email is passing/failing authentication. These are very useful for debugging when email isn't being delivered.
- Record Type
- TXT
- Host/Name
- _dmarc.yourdomain.com
- Value
v=DMARC1; p=none; rua=mailto:you@yourdomain.com
- TTL
- 3600 seconds (1 hour)
Once set up, you can verify your records are configured correctly using our domain check tool:
Verify DNS records