← Blog
Microsoft 365 DMARC Setup: Email Authentication in 4 Steps

By DMARCdrift Team

Microsoft 365 DMARC Setup: Email Authentication in 4 Steps

4 min readdmarcdkimspfemail-authenticationsetup-guideemail-deliverability

To set up DMARC for Microsoft 365, enable DKIM in the M365 admin center, add two CNAME records to your DNS, then publish SPF and DMARC TXT records at your domain root. The full process takes about 15 minutes plus DNS propagation time. (If you're standing up a brand-new domain, our email setup guide for a new SaaS covers the full picture.) Here are the four steps.

Step 1: Enable and copy DKIM records from Microsoft 365

Log into the Microsoft 365 admin center and navigate to Policies & rules under Email & collaboration. In Threat policies, select DKIM.

Find your custom domain in the list. If you just added it, DKIM will be disabled. Click on the domain name to expand it.

Microsoft 365 gives you two CNAME records to add to your DNS. They look like this:

selector1._domainkey.yourdomain.com CNAME selector1-yourdomain-com._domainkey.protection.outlook.com
selector2._domainkey.yourdomain.com CNAME selector2-yourdomain-com._domainkey.protection.outlook.com

The exact target values depend on your domain. Copy both CNAMEs exactly as shown; Microsoft generates them for your domain specifically.

Step 2: Add the CNAME records to your DNS

Log into your DNS provider (Cloudflare, Route53, GoDaddy, Namecheap, etc.) and add both CNAME records. Use the exact names and targets from the Microsoft 365 DKIM panel.

Wait for DNS propagation, usually a few minutes but up to 24 hours. You can verify with the Email Auth Checker by entering your domain and checking the DKIM status.

Step 3: Enable DKIM signing in Microsoft 365

Once both CNAMEs are live in DNS, go back to the DKIM settings in Microsoft 365 and toggle Sign messages for this domain to Enabled. Microsoft will verify the DNS records and turn on DKIM signing for all outbound mail from your domain.

This usually takes a few minutes to activate.

Step 4: Add SPF and DMARC records

SPF

Add this SPF record to your DNS:

v=spf1 include:spf.protection.outlook.com ~all

Do not include outlook.com; that's outdated. Use spf.protection.outlook.com, which is the current M365 sending infrastructure.

If you're already sending from other services (Resend, SendGrid, etc.), add them to the same record:

v=spf1 include:spf.protection.outlook.com include:resend.com ~all

DMARC

Add your DMARC record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:d-{domain_id}@in.dmarcdrift.com

Replace {domain_id} with the unique ID from your DMARCdrift account. Start with p=none to monitor without rejecting mail. You can move to p=quarantine or p=reject once you're confident all legitimate mail passes authentication.

Multiple domains in Microsoft 365

If you manage multiple custom domains in a single M365 tenant, repeat this process for each domain. Each domain gets its own DKIM selectors and DNS records. The same four steps apply if you're on Google Workspace instead; see our Google Workspace DMARC setup guide for that provider's specifics.

Custom domain vs onmicrosoft.com

This guide applies only to custom domains you've added to Microsoft 365. The default contoso.onmicrosoft.com domain doesn't need DMARC setup; only custom domains do.

Verify with a test email

Send a test email from your M365 domain to a Gmail or Yahoo address you control. In Gmail, open the message and choose More → Show original. Look for the Authentication-Results header:

Authentication-Results: mx.google.com;
       dkim=pass header.d=yourdomain.com header.s=selector1;
       spf=pass smtp.mailfrom=yourdomain.com;
       dmarc=pass (p=NONE) header.from=yourdomain.com

If you see dkim=fail, the CNAME records haven't propagated yet or DKIM signing wasn't toggled on. Go back to the DKIM panel in Defender and confirm the domain shows Enabled. If checks keep failing after that, work through why your DMARC is failing to isolate the cause.

If you see spf=fail, check your SPF record is at the root domain (yourdomain.com, not a subdomain) and includes spf.protection.outlook.com.

Use the Email Auth Checker for a quick automated check without sending a test email.

Verify everything works

Use the DMARC Record Checker to confirm your DMARC is live and correctly formatted. Check the Email Auth Checker to verify DKIM, SPF, and DMARC alignment on your domain.

M365 also shows DMARC status in its own Defender portal, but that doesn't affect reports sent to your external rua= address; DMARCdrift will still receive them.


Once your DMARC record is live, aggregate reports will start arriving within 24–48 hours. DMARCdrift turns the XML into a readable digest, free for one domain.

Get started free →