How to Set Up SPF, DKIM, and DMARC in Office 365

How do you set up SPF, DKIM, and DMARC in Office 365? First, add an SPF TXT record to your domain's DNS with the value v=spf1 include:spf.protection.outlook.com -all to authorize Microsoft 365 mail servers. Next, enable DKIM by publishing in your DNS the two CNAME records shown in the Microsoft 365 Security and Compliance Center, then turn on DKIM signing in the portal. Lastly, publish a DMARC TXT record in your DNS (e.g., v=DMARC1; p=none; rua=mailto:[email protected]) to specify what receiving servers should do with mail that fails SPF or DKIM. Starting in monitoring mode (p=none) and then moving gradually to quarantine or reject keeps your email authenticated and secure and makes it less likely to be labeled spam.

This guide explains what SPF, DKIM, and DMARC are, why they matter, and how to configure them step by step in Office 365.

What Are SPF, DKIM, and DMARC?

Before starting the setup, it helps to know the basics:

1. SPF (Sender Policy Framework)

SPF is a DNS record that defines which mail servers are permitted to send mail on your behalf. By checking SPF, receiving servers can determine whether an email was sent by an authorized source.

Example SPF record for Office 365:

v=spf1 include:spf.protection.outlook.com -all

2. DKIM (DomainKeys Identified Mail)

DKIM signs your outgoing mail with a digital signature. The recipient's mail server queries DNS for the key and checks that the message has not been modified in transit.

3. DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on the SPF and DKIM authentication results and lets you specify what should happen when an email does not pass the checks (none, quarantine, or reject). It also provides reports on who is sending email using your domain.

Example DMARC record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; aspf=r;

Why Set Up SPF, DKIM, & DMARC in Office 365?

  • Stop Email Spoofing: Guards your domain against phishing.
  • Increase email deliverability: Keeps your emails out of spam.
  • Brand Protection: Builds customer confidence by assuring them that the emails are genuinely yours.
  • Gain Visibility: DMARC reports help you track abuse of your domain.

Without these records, your emails will be considered spam, or even worse, your domain can be abused by hackers.

Step-by-Step Guide to Setup SPF, DKIM, and DMARC in Office 365

Step-1: Set Up SPF in Office 365

  1. Log in to your domain registrar (DNS provider).
    This may be GoDaddy, Namecheap, Cloudflare, or wherever your domain is hosted.
  2. Add a TXT record for SPF.
    • Type: TXT
    • Host/Name: @
    • Value:
      v=spf1 include:spf.protection.outlook.com -all
    • TTL: 3600 (or default)
  3. Save the record.
    This tells receiving servers that Office 365 is authorized to send email on your behalf.
  4. Verify SPF record.
    Check your SPF record with an online tool such as MXToolbox or Microsoft Remote Connectivity Analyzer.

Step-2: Enable DKIM in Office 365

  1. Open Microsoft 365 Security & Compliance Center and log in.
    Visit: https://security.microsoft.com
  2. Navigate to DKIM settings.
    • Go to Email & collaboration > Policies & rules > Threat policies > DKIM.
  3. Add CNAME records for DKIM.
    Microsoft needs two CNAMEs in your DNS. They usually look like this:

    • selector1._domainkey.yourdomain.com → selector1-yourdomain-com._domainkey.<initialdomain>.onmicrosoft.com
    • selector2._domainkey.yourdomain.com → selector2-yourdomain-com._domainkey.<initialdomain>.onmicrosoft.com
  4. Publish the records.
    Log in to your DNS provider and enter the two CNAME records above.
  5. Activate DKIM in Office 365.
    After records propagate, return to the Security & Compliance Center and click Enable.
  6. Verify DKIM is working.
    Send a test email to a Gmail address, or check that the DKIM signature is valid with a tool such as DKIMCore.

Step-3: Configure DMARC in Office 365

  1. Decide on your DMARC policy.
    You should begin with none (monitoring mode) and then proceed to quarantine or reject when you are sure.
  2. Create a TXT record for DMARC.
  3. Save the record.
    This tells mail servers what to do with messages that do not pass SPF/DKIM checks.
  4. Monitor DMARC reports.
    You will begin receiving aggregate reports at the email address you set. Use them to tune your SPF and DKIM configuration before moving to stricter policies.
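One way to act on the aggregate reports described in step 4, as an added example that is not part of the original guide: it reads a report in the RFC 7489 XML layout and separates sources that fail DMARC outright from sources that pass on SPF or DKIM alone. The sample report, the domain yourdomain.example, the IP addresses, and the function names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate (rua) report layout; the domain
# and IPs are documentation values, not real senders.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourdomain.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.50</source_ip><count>8</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.50</source_ip><count>4</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def triage(report_xml):
    """Summarise one aggregate report: who fails DMARC, who passes on one leg only."""
    # Reports are sent by outside parties; in production parse them with a
    # hardened XML parser (for example defusedxml) rather than plain ElementTree.
    root = ET.fromstring(report_xml)
    summary = {"policy": root.findtext("policy_published/p"), "total": 0,
               "dmarc_fail": Counter(), "one_leg_only": Counter()}
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        spf = row.findtext("policy_evaluated/spf") == "pass"
        summary["total"] += count
        if not (dkim or spf):          # DMARC fails only when both legs fail
            summary["dmarc_fail"][ip] += count
        elif dkim != spf:              # passes, but on SPF or DKIM alone
            summary["one_leg_only"][ip] += count
    return summary


def ready_to_tighten(summary, known_senders):
    """True when no source you recognise as your own is failing DMARC."""
    return not any(ip in known_senders for ip in summary["dmarc_fail"])
```

Sources listed under one_leg_only still pass today but would start failing if that single mechanism broke, so fix them before moving from p=none to quarantine or reject.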

Office 365 Best Practices for SPF, DKIM, & DMARC

  • Use -all rather than ~all in SPF: This makes checks strict, so mail from unauthorized senders is rejected.
  • Periodically Check DMARC Reports: Review the reports on a weekly basis to find unauthorized senders.
  • Tighten DMARC Policy: Start with p=none, then move to quarantine, then reject.
  • Keep DNS Records: When you use third-party email services (e.g., Mailchimp, SendGrid), add their SPF/DKIM records as well.
  • Test After Changes: Test SPF, DKIM, and DMARC after each update using tools like MXToolbox.

Common Issues and Troubleshooting

  1. SPF Too Many DNS Lookups: SPF allows a maximum of 10 DNS lookups. Consolidate entries where necessary.
  2. DKIM Not Validating: Ensure the CNAME records are configured correctly and that the DNS changes have taken effect.
  3. DMARC Reports Not Received: Recheck the email addresses in the rua and ruf fields. Certain providers can require 24 to 48 hours to begin sending reports.
  4. Email Still Going to Spam: Make sure that your sending IPs are authorized and that your content is spam-filter-friendly.
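For troubleshooting item 1, the following added example (not part of the original guide) counts the SPF terms that trigger DNS queries under RFC 7208 section 4.6.4, following include and redirect chains. It runs against a constructed in-memory zone instead of live DNS; every record in ZONE, including the one keyed spf.protection.outlook.com, is a made-up placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample zone standing in for live TXT lookups; none of these
# records is a real published value (including the outlook.com entry).
ZONE = {
    "contoso.example": "v=spf1 include:spf.protection.outlook.com -all",
    "busy.example": "v=spf1 include:spf.protection.outlook.com "
                    "include:_spf.mailer.example include:_spf.crm.example mx -all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 a mx ip4:198.51.100.0/24 ~all",
    "b.mailer.example": "v=spf1 a:out.mailer.example ~all",
    "_spf.crm.example": "v=spf1 a mx include:c.crm.example ~all",
    "c.crm.example": "v=spf1 mx ~all",
}

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
DNS_TERMS = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that query DNS


def count_lookups(domain, zone=ZONE, path=()):
    """Upper bound on DNS-querying terms evaluated for domain's SPF record."""
    if domain in path:
        raise ValueError(f"SPF include loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name in DNS_TERMS:
            total += 1
        if name == "include":
            total += count_lookups(term.split(":", 1)[1], zone, path + (domain,))
    return total


def within_limit(domain, zone=ZONE):
    return count_lookups(domain, zone) <= LOOKUP_LIMIT


if __name__ == "__main__":
    for d in ("contoso.example", "busy.example"):
        print(d, count_lookups(d), "OK" if within_limit(d) else "too many lookups")
```

The count is a worst case: a real evaluation stops at the first matching mechanism, but receivers may return a permanent error as soon as the tenth lookup is exceeded, so keep the total at or below 10.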

Final Thoughts

One of the best ways to secure your business against phishing, spoofing, and spam is to set up SPF, DKIM, and DMARC in Office 365. SPF makes sure that only approved servers can send email on your behalf, DKIM lets recipients verify your messages cryptographically, and DMARC combines both with actionable policies and useful reporting.

By carefully adopting and monitoring these email authentication mechanisms, you not only protect your domain but also improve email deliverability, customer trust, and brand image. Begin with SPF, then activate DKIM, and roll out DMARC gradually for maximum protection.