Quick Answer

Microsoft 365 email authentication requires SPF (include:spf.protection.outlook.com), DKIM (enabled via Microsoft Defender portal with two CNAME records per domain), and DMARC. Microsoft 365 publishes SPF automatically for your .onmicrosoft.com domain, but you must configure it for your custom domain. DKIM requires manual activation in the Defender portal after adding CNAME records.

Email Authentication for Microsoft 365: Complete Guide

By Braedon · Mailflow Authority · Email Authentication

SPF Setup

Add this TXT record:

Type: TXT
Host: @
Value: v=spf1 include:spf.protection.outlook.com ~all

If you also use other senders:

v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all

Microsoft's SPF include uses several DNS lookups. Monitor your total against the 10-lookup limit.

DKIM Setup

Microsoft 365 DKIM uses CNAME records that point to Microsoft's DKIM infrastructure, so Microsoft handles key rotation automatically.

Step 1: Add CNAME Records

Host: selector1._domainkey
Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Type: CNAME

Host: selector2._domainkey
Value: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Type: CNAME

Replace yourdomain-com with your domain (dots replaced with dashes) and yourtenant with your Microsoft 365 tenant name.

Step 2: Enable DKIM Signing

  1. Go to Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → DKIM
  2. Select your domain
  3. Toggle Sign messages for this domain with DKIM signatures to On

Practitioner note: Microsoft's DKIM CNAME approach is actually better than Google's TXT approach for one reason: automatic key rotation. You never need to update DNS for key changes. The downside is the CNAME values are ugly and easy to typo.

DMARC Setup

Publish your DMARC record:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]

Microsoft 365 handles DMARC alignment for both SPF and DKIM automatically. Progress through the enforcement timeline once you've verified reports look clean.

MTA-STS

Microsoft 365 MX records support TLS. Set up MTA-STS to enforce it.

Policy file listing Microsoft MX:

version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800

The wildcard covers all Microsoft MX hostnames. See MTA-STS hosting options.

Don't forget TLS-RPT for monitoring.

Verification

Check authentication in message headers. In Outlook:

  1. Open a sent message
  2. View message properties / headers
  3. Look for the Authentication-Results header containing spf=pass, dkim=pass, dmarc=pass

Or use Microsoft's built-in tools:

  • Message trace in Exchange Admin Center
  • Email entity page in Microsoft Defender

Practitioner note: The most common Microsoft 365 auth issue: people enable DKIM in the portal before the CNAME records propagate. Microsoft shows an error and people assume it's broken. Wait 30-60 minutes after adding CNAMEs, then try again.
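
An added example, not part of the original guide: a Python check for step 3 of the Outlook header inspection above. It parses a pasted Authentication-Results header and also flags a dkim=pass whose signing domain (header.d) does not align with the From domain, for example a signature made with the tenant's onmicrosoft.com domain. The sample header, domains and function names are constructed for illustration, and alignment is approximated without the Public Suffix List.

```python
import re

# Constructed sample header (placeholder domains, documentation IP address).
SAMPLE = (
    "Authentication-Results: spf=pass (sender IP is 203.0.113.10)\n"
    " smtp.mailfrom=yourdomain.com; dkim=pass (signature was verified)\n"
    " header.d=yourtenant.onmicrosoft.com;dmarc=pass action=none\n"
    " header.from=yourdomain.com;compauth=pass reason=100"
)

def parse_auth_results(header):
    """Return {method: [{"result": ..., property: value, ...}, ...]}."""
    if header.lower().startswith("authentication-results:"):
        header = header.split(":", 1)[1]
    header = re.sub(r"\([^()]*\)", " ", header)  # strip parenthesised comments
    parsed = {}
    for clause in header.split(";"):
        tokens = clause.split()  # also unfolds continuation lines
        if not tokens or "=" not in tokens[0]:
            continue  # empty clause or a bare authserv-id
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed.setdefault(method, []).append({"result": result, **props})
    return parsed

def aligned(signing_domain, from_domain):
    # Approximation of relaxed alignment: same domain or parent/child.
    # A full check compares organizational domains via the Public Suffix List.
    a, b = signing_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if "." not in a or "." not in b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check(header):
    """List what is missing for a clean spf/dkim/dmarc result set."""
    res = parse_auth_results(header)
    findings = [f"{m}: no pass result" for m in ("spf", "dkim", "dmarc")
                if not any(r["result"] == "pass" for r in res.get(m, []))]
    from_domain = next((r["header.from"] for r in res.get("dmarc", [])
                        if "header.from" in r), "")
    if from_domain and not any(
            r["result"] == "pass" and aligned(r.get("header.d", ""), from_domain)
            for r in res.get("dkim", [])):
        findings.append(f"dkim: no passing signature aligned with {from_domain}")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE) or "spf, dkim and dmarc pass; DKIM is aligned")
```

On the constructed sample all three methods report pass, yet the check still returns a DKIM alignment finding because header.d is the onmicrosoft.com domain rather than the From domain.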

Common Microsoft 365 Auth Issues

Problem | Fix
DKIM toggle won't enable | CNAME records haven't propagated — wait and retry
SPF includes failing | Check that spf.protection.outlook.com is correctly spelled
DMARC alignment failure | Verify your From domain matches the configured domain
Connector breaking auth | Custom connectors can modify headers — check connector config

Practitioner note: If you're using Microsoft 365 with a third-party email security gateway (Proofpoint, Mimecast), connector configuration is critical. Misconfigured connectors are the #1 cause of authentication failures in enterprise M365 deployments.

v1.0 · April 2026

Frequently Asked Questions

What SPF record does Microsoft 365 need?

Add v=spf1 include:spf.protection.outlook.com ~all as a TXT record. If you use other services, include them too. Microsoft's include counts toward the 10 DNS lookup limit.

How do I enable DKIM in Microsoft 365?

In Microsoft Defender portal, go to Email & collaboration > Policies > DKIM. Add two CNAME records to your DNS (selector1 and selector2), wait for propagation, then toggle DKIM signing on for your domain.

Does Microsoft 365 support MTA-STS?

Microsoft 365 supports MTA-STS for inbound email. You can publish an MTA-STS policy listing Microsoft's MX records. Microsoft also evaluates MTA-STS policies when sending outbound email.
