For Microsoft 365 email authentication: SPF record is v=spf1 include:spf.protection.outlook.com -all. DKIM is enabled in Microsoft 365 Defender → Email Authentication → DKIM → select domain → Enable. DMARC is v=DMARC1; p=none; rua=mailto:[email protected] added as TXT on _dmarc.yourdomain.com. As of May 2025, Microsoft enforces SPF, DKIM, and DMARC for bulk senders to Outlook.com — configuration is now mandatory, not optional.
Microsoft 365 Email Authentication: SPF, DKIM, DMARC Setup Guide
Step 1: SPF Record
Add the DNS Record
| Type | Host | Value |
|---|---|---|
| TXT | @ (root domain) | v=spf1 include:spf.protection.outlook.com -all |
If you use other sending services alongside M365:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all
Note: spf.protection.outlook.com consumes 2-3 of the 10 DNS lookups an SPF record may trigger, so budget the remaining lookups carefully when adding other includes.
Step 2: DKIM (Custom Domain Signing)
By default, Microsoft 365 signs email with its own onmicrosoft.com DKIM key. This passes DKIM but fails DMARC alignment because the signing domain doesn't match your From: domain.
You must enable custom DKIM signing.
Publish CNAME Records
Add two CNAME records to your domain's DNS:
| Type | Host | Value |
|---|---|---|
| CNAME | selector1._domainkey | selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
| CNAME | selector2._domainkey | selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
Replace yourdomain-com with your domain using hyphens (e.g., mailflowauthority-com).
Replace yourtenant with your Microsoft 365 tenant name.
Enable DKIM in Microsoft 365
- Go to Microsoft 365 Defender portal (security.microsoft.com)
- Navigate to Email & Collaboration → Policies & rules → Threat policies
- Click Email Authentication Settings → DKIM
- Select your domain
- Toggle Sign messages for this domain with DKIM signatures to Enabled
If the CNAME records haven't propagated, enabling will fail. Wait 1-4 hours after adding DNS records.
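Before toggling DKIM on, it is worth checking that both CNAMEs already resolve to the targets Microsoft expects. This is an added example, not Microsoft's tooling: it builds the expected records from the pattern above and compares them with whatever a resolver returns. The resolver is a pluggable callable (an assumption; in practice you would query DNS, e.g. with dnspython), and `example.com`, `contoso` and `fabrikam` are constructed sample values.

```python
from typing import Callable, Optional

def expected_dkim_cnames(domain: str, tenant: str) -> dict[str, str]:
    """Return {host: target} for both selectors, following the pattern the
    guide gives: selectorN._domainkey.<domain> must point at
    selectorN-<domain-with-hyphens>._domainkey.<tenant>.onmicrosoft.com."""
    domain, tenant = domain.lower().strip("."), tenant.lower()
    hyphenated = domain.replace(".", "-")
    return {
        f"selector{n}._domainkey.{domain}":
            f"selector{n}-{hyphenated}._domainkey.{tenant}.onmicrosoft.com"
        for n in (1, 2)
    }

def check_dkim_cnames(domain: str, tenant: str,
                      resolve_cname: Callable[[str], Optional[str]]) -> dict:
    """Compare what DNS returns for each selector host with the expected target.
    Returns {host: (ok, found)}; found is None when no CNAME exists yet."""
    report = {}
    for host, want in expected_dkim_cnames(domain, tenant).items():
        found = resolve_cname(host)
        ok = found is not None and found.lower().rstrip(".") == want
        report[host] = (ok, found)
    return report

def ready_to_enable(domain: str, tenant: str, resolve_cname) -> bool:
    """True only when both CNAMEs resolve correctly (the Step 2 toggle fails otherwise)."""
    return all(ok for ok, _ in check_dkim_cnames(domain, tenant, resolve_cname).values())

# Constructed stand-in for DNS (assumption: a real check would query DNS, e.g. with
# dnspython). selector1 is correct; selector2 points at a different tenant by mistake.
FAKE_ZONE = {
    "selector1._domainkey.example.com":
        "selector1-example-com._domainkey.contoso.onmicrosoft.com.",
    "selector2._domainkey.example.com":
        "selector2-example-com._domainkey.fabrikam.onmicrosoft.com.",
}

def fake_resolve(host: str) -> Optional[str]:
    return FAKE_ZONE.get(host.lower())

if __name__ == "__main__":
    for host, (ok, found) in check_dkim_cnames("example.com", "contoso", fake_resolve).items():
        print("OK " if ok else "FIX", host, "->", found or "(no CNAME yet)")
    print("ready to enable:", ready_to_enable("example.com", "contoso", fake_resolve))
```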
Step 3: DMARC
Add the DNS Record
| Type | Host | Value |
|---|---|---|
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:[email protected] |
Start with p=none and advance following our DMARC advancement guide.
Step 4: Verification
Send a test email from Microsoft 365 to a personal Gmail address.
Open the email → three dots → Show Original. Check the Authentication-Results header:

```text
Authentication-Results:
spf=pass (...outlook.com...)
dkim=pass (header.d=yourdomain.com)
dmarc=pass (p=NONE)
```
All three must show pass. If DKIM shows header.d=yourtenant.onmicrosoft.com instead of your domain, custom DKIM is not enabled — go back to Step 2.
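The Step 4 check can be scripted against the raw message from "Show Original". This added example (not from the original guide) parses the Authentication-Results header, confirms all three verdicts are pass, and flags the DKIM alignment failure the guide warns about, naming the onmicrosoft.com default key when that is the cause. The two raw messages are constructed samples, `example.com` and `contoso` are placeholders, and the alignment check is a simplified relaxed match without a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

METHOD = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DKIM_DOMAIN = re.compile(r"header\.(?:d|i)=@?([\w.-]+)")  # Gmail may show header.i=@domain

def parse_auth_results(raw: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts, the DKIM signing domain and the
    From: domain out of a raw message as shown by Gmail's 'Show original'."""
    msg = message_from_string(raw)
    ar = " ".join(msg.get_all("Authentication-Results", []))
    out = {m.group(1): m.group(2).lower() for m in METHOD.finditer(ar)}
    d = DKIM_DOMAIN.search(ar)
    out["dkim_domain"] = d.group(1).lower() if d else None
    out["from_domain"] = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return out

def dkim_aligned(dkim_domain, from_domain) -> bool:
    """Simplified relaxed alignment (assumption: no public-suffix list): the
    signing domain must equal the From: domain or be a subdomain of it."""
    if not dkim_domain or not from_domain:
        return False
    return dkim_domain == from_domain or dkim_domain.endswith("." + from_domain)

def diagnose(raw: str) -> list:
    """Return the problems the Step 4 check would reveal; empty means all good."""
    r = parse_auth_results(raw)
    problems = [f"{m}={r.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                if r.get(m) != "pass"]
    if r.get("dkim") == "pass" and not dkim_aligned(r["dkim_domain"], r["from_domain"]):
        hint = (" (default onmicrosoft.com key: enable custom DKIM, Step 2)"
                if (r["dkim_domain"] or "").endswith(".onmicrosoft.com") else "")
        problems.append(f"dkim not aligned: header.d={r['dkim_domain']} "
                        f"vs From {r['from_domain']}{hint}")
    return problems

# Constructed sample: a message signed with the tenant's default onmicrosoft.com key.
BAD = """\
Authentication-Results: mx.google.com;
       spf=pass (google.com: permitted sender) smtp.mailfrom=example.com;
       dkim=pass (header.d=contoso.onmicrosoft.com) header.s=selector1;
       dmarc=fail (p=NONE) header.from=example.com
From: Alice <alice@example.com>

(body)
"""
# The same message after custom-domain DKIM signing has been enabled.
GOOD = (BAD.replace("header.d=contoso.onmicrosoft.com", "header.d=example.com")
           .replace("dmarc=fail", "dmarc=pass"))
```

Running `diagnose(BAD)` lists the DMARC failure and the misaligned signing domain with the Step 2 hint; `diagnose(GOOD)` returns an empty list.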
Microsoft's May 2025 Bulk Sender Enforcement
Microsoft followed Gmail and Yahoo with its own bulk sender requirements, effective May 2025:
- SPF must pass for your sending domain
- DKIM must pass with domain alignment
- DMARC must be published at minimum p=none
- Functional unsubscribe required
- Compliant P2 (header) From: address (a real mailbox on a real domain)
- Non-compliant email → junked initially, rejected eventually
This makes authentication configuration mandatory for anyone sending to Outlook.com, Hotmail.com, and Live.com addresses.
M365 SMTP Limits
If using Microsoft 365 as an SMTP relay for applications:
| Limit | Value |
|---|---|
| Recipients per day | 10,000 |
| Recipients per message | 500 |
| Messages per minute | 30 |
| Concurrent connections | 20 |
For transactional email above these limits, use a dedicated service (Postmark, SendGrid, AWS SES).
Practitioner note: The #1 Microsoft 365 DKIM mistake: admins don't realize that M365 signs with the onmicrosoft.com domain by default, not their custom domain. DKIM technically "passes" but DMARC alignment fails because the signing domain doesn't match the From: domain. You MUST enable custom domain DKIM signing — it's not automatic.
Practitioner note: Microsoft's May 2025 enforcement is less discussed than Gmail/Yahoo's 2024 requirements, but it matters. If you've only configured authentication for Gmail compliance, verify it also satisfies Microsoft's requirements — they're similar but have some differences in enforcement behavior.
If you need Microsoft 365 authentication configured alongside your other sending services, schedule a consultation — I handle multi-service authentication architecture.
Sources
- Microsoft: Set up DKIM
- Microsoft: Email Authentication in EOP
- Microsoft: Strengthening Email Ecosystem
v1.0 · March 2026
Frequently Asked Questions
Does Microsoft 365 enable DKIM automatically?
Microsoft 365 signs email with Microsoft's own DKIM key by default (using the onmicrosoft.com domain). However, for proper DMARC alignment, you must enable custom DKIM signing with YOUR domain. This requires publishing CNAME records and enabling in the Defender portal.
What are Microsoft's 2025 bulk sender requirements?
As of May 2025, Microsoft requires bulk senders to Outlook.com/Hotmail to have: SPF passing, DKIM passing, DMARC at p=none or higher, compliant From: address, functional unsubscribe, and list hygiene practices. Non-compliance results in email being junked or rejected.
Why do my Microsoft 365 emails fail DMARC?
Most common cause: custom DKIM is not enabled. M365 signs with its onmicrosoft.com domain by default, which doesn't align with your From: domain. Enable custom DKIM signing in Defender. Second cause: SPF record doesn't include spf.protection.outlook.com.
What CNAME records do I need for M365 DKIM?
Two CNAME records per domain: selector1._domainkey.yourdomain.com → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com, and selector2._domainkey.yourdomain.com → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com.
Can I use Microsoft 365 SMTP for transactional email?
Microsoft 365 has sending limits: 10,000 recipients/day and 30 messages/minute. For transactional email at scale, use a dedicated transactional service (Postmark, SendGrid) instead. M365 SMTP relay is suitable for low-volume application email and internal notifications.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.