How to set up a DNS record, SPF, DKIM, and DMARC for Microsoft Office 365

SPF - Sender Policy Framework

  1. Go to your domain administrator's site. Find DNS Management or Settings.
  2. Add this TXT Record to your DNS.
    1. v=spf1 include:spf.protection.outlook.com -all
  3. This can take up to 48 hours to take effect.

DKIM - Domain Key Identified Mail

  1. Go to your domain administrator's site. Find DNS Management or Settings.
  2. In your DNS settings, create a record type CNAME
  3. CNAME Record 1
    1. Name (host or alias): selector1._domainkey
    2. Points to (alias to): selector1-mailshaketutorial-com._domainkey.mailshaketutorial.onmicrosoft.com
    3. TTL: Enter 3600
  4. CNAME Record 2
    1. Name (host or alias): selector2._domainkey
    2. Points to (alias to): selector2-mailshaketutorial-com._domainkey.mailshaketutorial.onmicrosoft.com
    3. TTL: Enter 3600 or 1 hour
  5. This can take up to 48 hours to take effect.
  6. Enabling DKIM for your domain in the Office 365 Portal:
    1. https://office.com/admin --- https://aka.ms/admincenter
    2. Log into your Admin Account
    3. Navigate to Menu (Top Left)
    4. Click on Admin > Show All > Exchange > Protection > DKIM (Top Nav. Menu)
      1. Yourdomain.com > Authoritative > Enable
      2. Unfortunately, Microsoft has changed the procedure for this, and now in some cases they will require the user to enable DKIM from the previous step using their PowerShell. The PowerShell only works with a PC or Windows computer. I have a Macintosh and consequently couldn’t enable my DKIM using PowerShell.  To get help with PowerShell, we recommend contacting Office365 support – bottom right corner of your Office365 Admin Dashboard.
      3. If you're lucky, you might have a domain that doesn’t require PowerShell to enable the DKIM DNS records. But It’s impossible to determine which ones will allow an easy enable versus PowerShell enable. It’s important to note that the DNS propagation into Office365 can take up to 72 hours.
      4. How to enable DKIM easily:
        1. Click on Show All on the left hand side navigation menu.
        2. Click on Exchange.
        3. Click on Protection on the left hand side navigation menu.
        4. Click on dkim on the TOP navigation menu.
        5. Click on your domains and enable DKIM.
          1. You will see two domains: your actual domain and the onmicrosoft domain.

DMARC - Domain-based Message Authentication, Reporting, and Conformance

  1. Go to your domain admin’s site and open the DNS manager
  2. Create a TXT Record
    1. Name: _dmarc.{domain}
    2. Time to Live (TTL) = Leave at the default or enter 3600 or 1 hour
    3. HOST NAME: _dmarc.domain
    4. VALUE (with email): v=DMARC1; p=quarantine; rua=mailto:{email}; pct=90; sp=none
      1. The email version will send reports to whatever email you put in there. This is totally optional. Here is the value without the email:
    5. VALUE (no email): v=DMARC1; p=quarantine;  pct=90; sp=none
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us