O365 Admin

How to Set Up DMARC, DKIM and SPF for Microsoft 365

Published 26 December 2025 · 9 min read

SPF, DKIM, and DMARC are DNS records that prove your emails are legitimate and prevent attackers from spoofing your domain. Without them, anyone can send email pretending to be from your domain. This guide covers setting all three up for Microsoft 365 in the correct order.

How SPF, DKIM, and DMARC work

⚠️
Set up in order
Configure SPF first, then DKIM, then DMARC. Setting DMARC to enforcement before DKIM is working will cause legitimate email to bounce.

Set up SPF

Add a TXT record at your root domain (@):

v=spf1 include:spf.protection.outlook.com -all

If you send from other services add their includes before -all:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
⚠️
Only one SPF record
You can only have one SPF TXT record per domain. If you already have one, edit it - do not add a second. Multiple SPF records cause SPF to fail.

Set up DKIM

Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM
  1. Select your domain and click Enable
  2. Microsoft shows you two CNAME records to add to DNS
  3. Add both CNAMEs to your DNS provider
  4. Wait for DNS propagation (up to 48 hours) then enable DKIM

Set up DMARC

Add a TXT record at _dmarc.yourdomain.com. Start with monitoring mode:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1
📝
DMARC tag reference
p=none (start here): Monitor only - no action on failures
p=quarantine (intermediate step): Send failing email to spam
p=reject (end goal): Reject email that fails SPF and DKIM
rua= (reports sent daily): Aggregate reports email address

Verify your setup

Use MXToolbox to check all three are working:

https://mxtoolbox.com/SuperTool.aspx
SPF:   spf:yourdomain.com
DKIM:  dkim:yourdomain.com:selector1
DMARC: dmarc:yourdomain.com

Moving DMARC to enforcement

After collecting DMARC reports for 2-4 weeks and confirming no legitimate sources are failing:

  1. Change p=none to p=quarantine with pct=10 to test on 10% of traffic
  2. Monitor for 1-2 weeks
  3. Increase to pct=100
  4. Change to p=reject when confident all legitimate sources pass

Frequently Asked Questions

Q: What happens if I set DMARC to p=reject too early?

Legitimate email from services not yet covered by SPF or DKIM will be rejected. Always start with p=none, collect reports, identify all sending sources, then move to enforcement.

Q: Do I need DMARC if I already have SPF and DKIM?

Yes. SPF and DKIM alone do not prevent spoofing - they provide the signals. DMARC tells receiving servers what to do when those signals fail.

Q: How do I read DMARC reports?

DMARC reports are XML files sent to your rua email. Tools like dmarcian.com or DMARC Analyzer make them readable.
