How to set up a DNS record, SPF, DKIM, and DMARC for Microsoft Office 365

SPF - Sender Policy Framework

  1. Go to your domain administrator's site. Find DNS Management or Settings.
  2. Add this TXT Record to your DNS.
    1. v=spf1 include:spf.protection.outlook.com -all
  3. This can take up to 48 hours to take effect.

DKIM - DomainKeys Identified Mail

  1. Go to your domain administrator's site. Find DNS Management or Settings.
  2. In your DNS settings, create a record type CNAME
  3. CNAME Record 1
    1. Name (host or alias): selector1._domainkey
    2. Points to (alias to): selector1-mailshaketutorial-com._domainkey.mailshaketutorial.onmicrosoft.com
    3. TTL: Enter 3600
    4. Replace mailshaketutorial-com with your domain
  4. CNAME Record 2
    1. Name (host or alias): selector2._domainkey
    2. Points to (alias to): selector2-mailshaketutorial-com._domainkey.mailshaketutorial.onmicrosoft.com
    3. TTL: Enter 3600 or 1 hour
    4. Replace mailshaketutorial-com with your domain
  5. This can take up to 48 hours to take effect.
  6. Enabling DKIM for your domain in the Office 365 Portal:
    1. https://office.com/admin or https://aka.ms/admincenter
    2. Log into your Admin Account
    3. Navigate to Menu (Top Left)
    4. Click on Admin > Show All > Exchange > Protection > DKIM (Top Nav. Menu)
      1. Yourdomain.com > Authoritative > Enable
      2. Unfortunately, Microsoft has changed the procedure for this, and now in some cases they will require the user to enable DKIM from the previous step using PowerShell. PowerShell only works with a PC or Windows computer. I have a Macintosh and consequently couldn’t enable my DKIM using PowerShell. To get help with PowerShell, we recommend contacting Office365 support (bottom right corner of your Office365 Admin Dashboard).
      3. If you're lucky, you might have a domain that doesn’t require PowerShell to enable the DKIM DNS records, but it’s impossible to determine which ones will allow an easy enable versus a PowerShell enable. It’s important to note that the DNS propagation into Office365 can take up to 72 hours.
      4. How to enable DKIM easily:
        1. Click on Show All on the left-hand side navigation menu.
        2. Click on Exchange.
        3. Click on Protection on the left-hand side navigation menu.
        4. Click on DKIM on the top navigation menu.
        5. Click on your domains and enable DKIM.
          1. You will see two domains: your actual domain and the Microsoft domain.

DMARC - Domain-based Message Authentication, Reporting, and Conformance

  1. Go to your domain admin’s site and open the DNS manager
  2. Create a TXT Record
    1. Name: _dmarc.{domain}
    2. Time to Live (TTL) = Leave at the default or enter 3600 or 1 hour
    3. HOST NAME: _dmarc
    4. VALUE (with email): v=DMARC1; p=none; rua=mailto:email@yourdomain.com
      • The email version will send reports to whatever email you put in there. 
    5. If you're struggling with formatting the DMARC Record, we like this DMARC record generator.

Note: We suggest starting with a "none" policy in your DMARC record to gather data and observe how your emails are processed without impacting their delivery. This lets you identify any legitimate emails that might fail DMARC checks.

After about 2-4 weeks of monitoring and ensuring that legitimate emails are passing DMARC checks, you can switch to the "quarantine" policy. This will direct emails that fail DMARC checks to the spam or junk folder, allowing you to see what's being affected.

If, after another 2-4 weeks, the quarantine policy isn't causing any major issues and things seem stable, you can then move to the "reject" policy. This will ensure that emails failing DMARC checks are outright rejected and not delivered.
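
The three records above can be sanity-checked offline before you publish them. The following is an added example, not part of the original article or any Microsoft tooling: the function names are hypothetical, the sample values are constructed, and the dots-to-hyphens rule for the DKIM target is an assumption read off the article's mailshaketutorial-com example.

```python
# Added example: offline checks for the SPF, DKIM and DMARC records in this article.

def expected_dkim_cnames(domain, tenant):
    """Build both CNAME records in the pattern the article shows.
    Assumption: dots in the domain become hyphens (mailshaketutorial-com)."""
    label = domain.lower().replace(".", "-")
    return {f"selector{n}._domainkey.{domain}":
            f"selector{n}-{label}._domainkey.{tenant}" for n in (1, 2)}

def check_spf(txt_records):
    """Return a list of problems found in a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # More than one SPF record makes receivers return a permanent error.
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()
    problems = []
    if "include:spf.protection.outlook.com" not in terms:
        problems.append("missing include:spf.protection.outlook.com")
    if terms[-1] != "-all":
        problems.append(f"record ends with {terms[-1]!r}, not '-all'")
    return problems

def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"malformed tag: {part.strip()!r}")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or next(iter(tags)) != "v":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    return tags

def next_policy(tags):
    """Next step in the article's rollout: none -> quarantine -> reject."""
    order = ["none", "quarantine", "reject"]
    return order[min(order.index(tags["p"]) + 1, len(order) - 1)]

if __name__ == "__main__":
    # Constructed sample: an old SPF record left beside the Microsoft one.
    print(check_spf(["v=spf1 include:spf.protection.outlook.com -all", "v=spf1 a -all"]))
    print(next_policy(parse_dmarc("v=DMARC1; p=none; rua=mailto:email@yourdomain.com")))
```

Take the real DKIM targets from the DKIM page of your admin center and compare them with what `expected_dkim_cnames` produces rather than relying on the generated values alone.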
