DKIM, DMARC, and SPF in Microsoft 365

Setting up DKIM

DKIM stands for DomainKeys Identified Mail.

Connect to Exchange Online PowerShell:

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
  1. Ensure no config is already active:
Get-DkimSigningConfig -Identity domain.com|Format-List
  2. Create a new DKIM config on the custom domain:
New-DkimSigningConfig -DomainName domain.com -Enabled $false
  3. Generate the CNAMEs to publish:
Get-DkimSigningConfig -Identity domain.com | Format-List Selector1CNAME, Selector2CNAME
  4. Publish the generated CNAMEs in the custom domain's DNS and wait for propagation. Note: CNAME hosts will always be selector1._domainkey and selector2._domainkey. Their values will always be whatever Exchange Online PowerShell outputs.
  5. Enable the newly created config:
Set-DkimSigningConfig -Identity domain.com -Enabled $true
  6. Check the validity of the DKIM configuration with a DKIM Checker.

Setting up SPF

SPF stands for Sender Policy Framework.

  1. Create your SPF record. Unless any special configuration is needed, use the example:
v=spf1 include:spf.protection.outlook.com -all
  2. Publish the new TXT record to the domain's DNS. Set the host field to the root domain, or @, or domain.com..
  3. Check the validity of the SPF configuration with an SPF Checker.
Note

It may be worth including the a mechanism at the beginning of the SPF record, as it authorizes the hosts behind the domain's own A record as senders. This helps with deliverability when a third party is sending email on behalf of an address and those mails are being sent to spam, e.g. RMM tools sending ticket mails.
For example: v=spf1 a include:spf.protection.outlook.com -all

Setting up DMARC

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.

  1. Create your DMARC record. Unless any special configuration is needed, use the example:
v=DMARC1; p=none; pct=100; aspf=r; adkim=r;
  2. Publish the new TXT record to the domain's DNS. Set the host field to _dmarc.
  3. Check the validity of the DMARC configuration with a DMARC Checker.
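
The SPF and DMARC values from the steps above can also be linted locally before they are published. The following PowerShell is an added example, not part of the original page; the function names Test-SpfRecord and Test-DmarcRecord are hypothetical, and the sample input is constructed from the example records on this page.

```powershell
# Added example (not from the original page). Function names are hypothetical.
# Lints TXT values offline; on Windows, live values can be read with
# Resolve-DnsName -Type TXT and passed in the same way.
function Test-SpfRecord {
    param([string[]]$TxtValues)            # every TXT string at the root host
    $findings = [System.Collections.Generic.List[string]]::new()
    $spf = @($TxtValues | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { $findings.Add('No v=spf1 record found'); return $findings }
    if ($spf.Count -gt 1) { $findings.Add('Multiple v=spf1 records: receivers treat this as permerror') }
    $terms = @($spf[0].Trim() -split '\s+' | Select-Object -Skip 1)
    if ($terms -notcontains 'include:spf.protection.outlook.com') {
        $findings.Add('Missing include:spf.protection.outlook.com')
    }
    if ("$($terms[-1])" -match '^([+~?-]?)all$') {
        if ($Matches[1] -ne '-') { $findings.Add("Ends in '$($terms[-1])', weaker than -all") }
    } else { $findings.Add("Last term is not an 'all' mechanism") }
    # Terms in this record that cost a DNS lookup (nested includes are not followed); SPF allows 10
    $lookups = @($terms | Where-Object { $_ -match '^[+~?-]?(include:|exists:|redirect=|ptr|(a|mx)(:|/|$))' })
    if ($lookups.Count -gt 10) { $findings.Add("$($lookups.Count) DNS-lookup terms, limit is 10") }
    return $findings
}

function Test-DmarcRecord {
    param([string]$Value)                  # TXT value at _dmarc
    $findings = [System.Collections.Generic.List[string]]::new()
    $tags = [ordered]@{}
    foreach ($pair in ($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $name, $val = $pair -split '=', 2
        $tags[$name.Trim()] = "$val".Trim()
    }
    if (@($tags.Keys)[0] -ne 'v' -or $tags['v'] -cne 'DMARC1') { $findings.Add('Must begin with v=DMARC1') }
    if ($tags['p'] -notin 'none', 'quarantine', 'reject') {
        $findings.Add('Missing or invalid p tag')
    } elseif ($tags['p'] -eq 'none') {
        $findings.Add('p=none: monitoring only, failing mail is not quarantined or rejected')
    }
    if (-not $tags.Contains('rua')) { $findings.Add('No rua tag: aggregate reports are not requested') }
    foreach ($t in 'aspf', 'adkim') {
        if ($tags.Contains($t) -and $tags[$t] -notin 'r', 's') { $findings.Add("$t must be r or s") }
    }
    if ($tags.Contains('pct') -and $tags['pct'] -notmatch '^(100|\d{1,2})$') { $findings.Add('pct must be 0-100') }
    return $findings
}

# Constructed sample input: the example record values from this page
$rootTxt  = @('v=spf1 include:spf.protection.outlook.com -all')
$dmarcTxt = 'v=DMARC1; p=none; pct=100; aspf=r; adkim=r;'
Test-SpfRecord -TxtValues $rootTxt
Test-DmarcRecord -Value $dmarcTxt
```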

Example DNS Records

| Purpose | Type | Host | Value |
|---------|------|------|-------|
| DKIM | CNAME | selector1._domainkey | selector1-domain-com._domainkey.domain.onmicrosoft.com |
| DKIM | CNAME | selector2._domainkey | selector2-domain-com._domainkey.domain.onmicrosoft.com |
| DMARC | TXT | @ or _dmarc | v=DMARC1; p=none; pct=100; aspf=r; adkim=r; |
| SPF | TXT | @ | v=spf1 include:spf.protection.outlook.com -all |