Skip to main content
All CollectionsSource Configuration
Microsoft 365 SPF and DKIM Configuration: Step by Step
Microsoft 365 SPF and DKIM Configuration: Step by Step
Updated over a week ago

Microsoft

Our informative post will help you find out how you can setup Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures on your Microsoft 365 email to eliminate spam from your domain and increase security.

Microsoft requires you to configure the following DNS records for your domain: Microsoft 365 SPF(previously called o365 spf record) and DKIM.

SPF records allow receiving servers to check whether an email with the specified source domain was actually sent from a server authorized by the owner of this domain.

DKIM adds a digital signature to each message. This allows the receiving server to check if the message has been sent from an authorized sender, faked or changed upon delivery.

Microsoft 365 (o365) SPF Record Configuration

In order to authorize Microsoft 365 to send emails on your domain behalf, you will need to create or update your SPF Record which includes the following mechanism: include:spf.protection.outlook.com

You can achieve this easily with our SPF Record Generator tool; here are the steps:

Step 1: Generate a new Microsoft office 365 SPF Record

SPF-For-Microsoft365-Office365-EasyDMARC

Step 2: Copy the newly generated office 365 SPF Record

Step 3: Update your DNS TXT Record for SPF at your domain provider (We will show examples with GoDaddy and Cloudflare)

E.g GoDaddy

SPF-For-Microsoft365-Office365-EasyDMARC-GoDaddy-TXT

E.g Cloudflare

SPF-For-Microsoft365-Office365-EasyDMARC-Cloudflare-TXT

Step 4: Click Save

Important Note: Make sure you don’t create multiple SPF TXT records for office 365 on one domain. If you do, SPF will return a PermError.

If you are using multiple IPs, ESPs, Third-Party services for your various email strategies, you should include them in a single SPF Record.

E.g v=spf1 ip4:17.67.137.221 include:spf.protection.outlook.com include:thirdpartyservice.com ~all

Microsoft 365 DKIM Configuration

Step 1: Go to the DKIM Page from your Microsoft 365 Defender portal https://security.microsoft.com/dkimv2

Step 2: Next, select your organizational domain name, and click “Enable”.

b68668a9fdaeb8d38c96b16fb57653a4

Step 3: Once you click on the “Enable”, a new pop up window will appear with the applicable CNAME Records.

b58e22981aa41c4b0f6247a26334af91

To summarize, this contains 2 separate CNAME Records which looks like this:

  1. Type: CNAME
    Host Name: selector1._domainkey
    Value: selector1-yourdomain-com._domainkey.tenantdomain.onmicrosoft.com (This part is UNIQUE to each domain)

  2. Type: CNAME
    Host Name: selector2._domainkey
    Value: selector2-yourdomain-com._domainkey.tenantdomain.onmicrosoft.com (This part is UNIQUE to each domain)

Step 4: Copy these 2 CNAME Values and paste them in your DNS Provider (In this example, we’ll be using CloudFlare)

1st CNAME:

4c5d33a4d9a5645aaf3dd398e8341d29

2nd CNAME:


Step 5: Once the 2 CNAME Records are implemented in your DNS, go back to your Microsoft 365 Defender portal and re-click the “Enable” button. If everything has been configured correctly, you’ll get to see the green check with the “Enabled” notification.

9d4389efb6dc71582831cf4694e35ca7

Congrats, you now successfully authenticated your outgoing mail stream from Office 365 with SPF and DKIM.


Related Articles
Mandrill SPF and DKIM Setup: Step By Step
Why SPF, DKIM, and DMARC Work Best Together
Email Authentication: The Key to Secure Email Communication
Did this answer your question?