Microsoft 365 Email DNS Setup: SPF, DKIM and DMARC
Learn how to configure Microsoft 365 email DNS with MX records, SPF, DKIM and DMARC, and avoid common migration and authentication mistakes.
Introduction
Microsoft 365 uses DNS records to route inbound email to Exchange Online and authenticate outbound email from your domain. MX records control where incoming mail is delivered, while SPF, DKIM and DMARC help receiving mail servers verify that outgoing messages are authorized.
A correct Microsoft 365 setup usually includes the Microsoft 365 MX record, an SPF record that authorizes Microsoft’s sending infrastructure, DKIM enabled for your custom domain, and a DMARC policy published at _dmarc.yourdomain.com. If old provider records remain active or records are added in the wrong DNS zone, mail routing or authentication can fail.
Quick answer
For Microsoft 365, configure the MX record shown in Microsoft 365 admin center, add SPF with include:spf.protection.outlook.com if Microsoft sends mail for your domain, configure DKIM for the custom domain, and add a DMARC record starting with p=none for monitoring. Always use the current values shown in Microsoft 365 admin center.
Microsoft 365 DNS
A typical Microsoft 365 email setup uses several DNS records:
MX records
Route inbound email to Exchange Online.
SPF
Authorizes Microsoft 365 to send email for the domain.
DKIM
Lets Microsoft 365 sign outgoing messages using your domain.
DMARC
Tells receivers how to handle messages that fail SPF and DKIM alignment.
MX controls incoming mail routing. SPF, DKIM and DMARC help authenticate outgoing mail.
MX records
MX records tell the internet where to deliver incoming email for your domain. For Microsoft 365, the MX record is usually provided in the Microsoft 365 admin center during domain setup.
The exact MX hostname can be domain-specific. Use the value shown in Microsoft 365 admin center instead of copying another domain’s MX record.
Check
Confirm Microsoft 365 MX routing is correct.
MX matches admin center
MX record matches Microsoft 365 admin center.
Old MX removed
Remove old hosting, cPanel, Plesk, Zoho or Google MX records.
Priority correct
MX priority matches Microsoft instructions.
Correct DNS zone
Edit DNS at the active nameserver provider.
Test delivery
Test messages arrive in Exchange Online mailboxes.
Do not change MX records until Microsoft 365 users, mailboxes and aliases are ready.
SPF
If Microsoft 365 sends mail for your domain, SPF should authorize Microsoft’s sending infrastructure.
v=spf1 include:spf.protection.outlook.com ~all
If you also send mail from other services, such as a CRM, website form, newsletter platform or billing system, do not create separate SPF records. Merge all legitimate senders into one SPF record.
v=spf1 include:spf.protection.outlook.com include:mailservice.example ~all
Use only providers that actually send mail for your domain. Too many includes can exceed SPF’s 10 DNS lookup limit.
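An added example (not from the original guide or from Microsoft) that audits a domain's TXT records for the SPF mistakes described above: more than one SPF record, a missing Microsoft include, and more than 10 DNS lookups. The `SAMPLE_TXT` table is constructed data standing in for live DNS answers, and the function names are hypothetical.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MS_INCLUDE = "include:spf.protection.outlook.com"

# Constructed TXT data standing in for live DNS answers (values are illustrative only).
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:spf.protection.outlook.com ~all",
        "v=spf1 include:mailservice.example ~all",  # second SPF record: the mistake
        "site-verification=constructed-value",       # unrelated TXT, ignored
    ],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "mailservice.example": ["v=spf1 include:_a.mailservice.example mx -all"],
    "_a.mailservice.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

def spf_records(domain, txt):
    """Return only the TXT strings at `domain` that are SPF records."""
    return [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(record, txt, path=()):
    """Count lookup-costing terms, following include:/redirect= targets."""
    total = 0
    for term in record.lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1
        name, target = m.groups()
        # `path` holds the chain of targets already entered, to stop include loops.
        if name in ("include", "redirect") and target and target not in path:
            for child in spf_records(target, txt):
                total += count_lookups(child, txt, path + (target,))
    return total

def audit(domain, txt=SAMPLE_TXT):
    """Report the SPF mistakes this guide warns about for one domain."""
    records = spf_records(domain, txt)
    findings = []
    if len(records) != 1:
        findings.append(f"{len(records)} SPF records found; publish exactly one")
    if not any(MS_INCLUDE in r.lower().split() for r in records):
        findings.append("no record authorizes Microsoft 365")
    lookups = max((count_lookups(r, txt) for r in records), default=0)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return {"lookups": lookups, "findings": findings}

if __name__ == "__main__":
    print(audit("example.com"))
```

To run it against a real domain, replace the table with the TXT answers returned by `dig`, including the records behind each include.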
DKIM
DKIM for Microsoft 365 is configured for the custom domain and usually uses DNS records provided by Microsoft. In many Microsoft 365 setups, DKIM uses selector-based DNS records such as selector1 and selector2.
selector1._domainkey.example.com
selector2._domainkey.example.com
The exact target values should come from Microsoft 365 / Defender admin settings for your domain.
1. Open Microsoft 365 / Defender email authentication settings
Find DKIM settings for the custom domain.
2. Select the custom domain
Choose the domain you want to sign outgoing mail for.
3. Review the required DKIM selector records
Copy the selector hostnames and target values Microsoft provides.
4. Add the required DNS records at the active DNS provider
Publish the selector records where your domain’s DNS is hosted.
5. Wait until DNS is visible
Allow DNS propagation before enabling signing.
6. Enable DKIM signing for the domain
Turn on DKIM signing in Microsoft 365 after DNS is detected.
7. Send a test message and confirm DKIM passes
Verify real outgoing mail passes DKIM authentication.
Do not invent DKIM selector targets. Use the values shown by Microsoft for the domain.
DMARC
After SPF and DKIM are configured, add a DMARC record at _dmarc.example.com.
v=DMARC1; p=none; rua=mailto:dmarc@example.com
p=none lets you collect reports without asking receivers to quarantine or reject mail. Move to quarantine or reject only after confirming legitimate Microsoft 365 and third-party senders pass DMARC alignment.
DMARC does not replace SPF or DKIM. It depends on SPF and DKIM results and alignment.
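An added example (not from the original guide) showing how DMARC depends on alignment, not only on SPF and DKIM passing: it reads the `Authentication-Results` header a receiver recorded and recomputes the DMARC outcome. The message is constructed; `org_domain` is supplied by the caller in place of a Public Suffix List lookup, and `authserv_id` is the assumed identifier of the receiver whose header you trust.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers for illustration; not taken from a real delivery.
SAMPLE = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=bounces@mailservice.example;\n"
    " dkim=pass header.d=mailservice.example header.s=s1;\n"
    " dkim=fail header.d=example.com header.s=selector1;\n"
    " dmarc=fail header.from=example.com\n"
    "From: Billing <billing@example.com>\n"
    "Subject: constructed sample\n\nbody\n"
)

def within(domain, org):
    """True if `domain` is the organizational domain or a subdomain of it."""
    d = domain.lower().rstrip(".")
    return d == org or d.endswith("." + org)

def dmarc_view(raw, org_domain, authserv_id):
    """Recompute DMARC from the results one trusted receiver recorded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    checks = []
    for value in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in " ".join(value.split()).split(";")]
        if clauses[0].split()[:1] != [authserv_id]:
            continue  # ignore headers not written by the trusted receiver
        for clause in clauses[1:]:
            m = re.match(r"(spf|dkim)=(\w+)", clause)
            d = re.search(r"(?:smtp\.mailfrom|header\.d)=(\S+)", clause)
            if m and d:
                domain = d.group(1).rpartition("@")[2]
                ok = within(domain, org_domain) and within(from_domain, org_domain)
                checks.append({"method": m.group(1), "result": m.group(2),
                               "domain": domain, "aligned": ok})
    # DMARC passes when at least one mechanism both passes and is aligned.
    passed = any(c["result"] == "pass" and c["aligned"] for c in checks)
    return {"from": from_domain, "checks": checks,
            "dmarc": "pass" if passed else "fail"}

if __name__ == "__main__":
    print(dmarc_view(SAMPLE, "example.com", "mx.receiver.example"))
```

In the sample, SPF and DKIM both pass for the third-party sender's own domain, yet DMARC fails because neither passing result is aligned with the From domain.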
Setup order
Step 1: Confirm active DNS provider
Check nameservers so you know where DNS records must be added.
Step 2: Set Microsoft 365 MX
Route inbound mail to Exchange Online using the MX value shown in Microsoft 365 admin center.
Step 3: Add SPF
Authorize Microsoft 365 with include:spf.protection.outlook.com and merge any other real sending providers.
Step 4: Enable DKIM
Add the required selector records, wait for DNS, then enable DKIM signing for the domain.
Step 5: Add DMARC
Start with p=none and a reporting address.
Step 6: Test real messages
Send mail to external providers and inspect SPF, DKIM and DMARC results.
Why this matters
Microsoft 365 can send and receive mail even when DNS authentication is incomplete, but missing or incorrect SPF, DKIM and DMARC records can reduce trust and make troubleshooting harder. Proper authentication helps receivers confirm that Microsoft 365 is authorized to send for your domain.
Microsoft 365 authentication is especially important if your domain also uses newsletters, CRMs, billing systems, website forms, support desks or transactional email tools.
How to check it
Use CheckDomainHealth tools to inspect MX, SPF, DKIM and DMARC records for your domain.
When checking Microsoft 365, review
These six checks help confirm email authentication is complete.
MX records
Confirm inbound mail routes to Microsoft 365 / Exchange Online.
SPF
Confirm the SPF record includes include:spf.protection.outlook.com if Microsoft sends mail for the domain.
DKIM selector records
Confirm Microsoft 365 DKIM selector records exist and resolve.
DKIM signing
Confirm Microsoft 365 is signing real outgoing messages.
DMARC
Confirm a DMARC record exists at _dmarc.yourdomain.com.
Third-party senders
Confirm any non-Microsoft senders are also authenticated.
Common problems
Old MX records still active
High: Inbound mail may route to an old hosting or mail provider instead of Exchange Online.
Next step: Replace old MX records with the Microsoft 365 MX record shown in admin center.
SPF record missing Microsoft include
High: Microsoft 365 may send mail for the domain, but SPF does not authorize Microsoft.
Next step: Add include:spf.protection.outlook.com to the single SPF record.
Multiple SPF records
High: One SPF record was added for Microsoft and another for a different provider.
Next step: Merge all legitimate senders into one SPF TXT record.
DKIM selector records missing
High: The required Microsoft 365 DKIM selector records are not published.
Next step: Add the selector records shown in Microsoft 365 / Defender admin settings.
DKIM not enabled
Medium: DNS records may exist, but Microsoft 365 has not started signing messages for the domain.
Next step: Enable DKIM signing for the domain after DNS is visible.
DMARC missing
Medium: SPF and DKIM may exist, but no DMARC policy is published.
Next step: Add a starter DMARC record with p=none.
Third-party sender fails DMARC
Medium: Microsoft is authenticated, but a CRM, newsletter tool, website form or helpdesk fails SPF/DKIM alignment.
Next step: Configure DKIM/SPF for each third-party sender.
DNS records added at wrong provider
High: Records were added in a DNS zone that is not authoritative for the domain.
Next step: Check active nameservers and edit the live DNS provider.
How to fix it
Step 1: Check active nameservers
Confirm where DNS is hosted before editing records.
Step 2: Verify MX records
Use MX Lookup to confirm Exchange Online is the active inbound mail destination.
Step 3: Fix SPF
Publish one SPF record that includes Microsoft and any other real sending services.
Step 4: Configure DKIM selectors
Use the selector records shown in Microsoft 365 / Defender admin settings and publish them in DNS.
Step 5: Enable DKIM signing
After DNS is visible, enable DKIM signing for the custom domain.
Step 6: Add DMARC monitoring
Publish a p=none DMARC record and collect reports.
Step 7: Test external delivery
Send messages to external mailboxes and check message headers for SPF, DKIM and DMARC results.
Step 8: Review third-party senders
Authenticate newsletters, CRMs, billing platforms, website forms, helpdesks and transactional tools separately.
DNS examples
SPF, Microsoft 365 only
v=spf1 include:spf.protection.outlook.com ~all
SPF, Microsoft 365 plus another sender
v=spf1 include:spf.protection.outlook.com include:mailservice.example ~all
DKIM selector hostnames
selector1._domainkey.example.com
selector2._domainkey.example.com
DMARC starter record
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Lookup commands
dig example.com MX
dig example.com TXT
dig selector1._domainkey.example.com TXT
dig _dmarc.example.com TXT
These examples are illustrative. Use the current MX and DKIM values shown in Microsoft 365 admin center or Microsoft Defender for your domain.
Other senders
Many domains use Microsoft 365 for mailbox email and other services for newsletters, invoices, CRM messages, support tickets or website forms. For each additional sender, check:
- Does it need an SPF include?
- Does it support custom DKIM?
- Does it align with DMARC?
- Does it use your domain in the visible From address?
- Does it appear in DMARC reports?
Do not add a second SPF record for each sender. Merge all legitimate senders into one SPF record.
Frequently asked questions
What SPF record does Microsoft 365 use?
If Microsoft 365 sends mail for your domain, the SPF record usually includes include:spf.protection.outlook.com. If you use other senders, merge them into the same SPF record.
Do I need DKIM for Microsoft 365?
Yes, DKIM is strongly recommended. Configure DKIM selector records and enable signing for the custom domain.
Where do I add Microsoft 365 DKIM records?
Add the selector records shown in Microsoft 365 / Defender admin settings at the active DNS provider.
Do I need DMARC for Microsoft 365?
Yes, DMARC is recommended after SPF and DKIM are configured. Start with p=none for monitoring.
Can I have multiple SPF records for Microsoft and another provider?
No. Use one SPF record and include all legitimate senders in that record.
Why does DKIM still fail after adding the records?
Common causes include wrong DNS provider, missing selector records, DNS delay or DKIM not enabled in Microsoft 365.
Does Microsoft 365 authentication cover newsletters or CRMs?
No. Each third-party sender must be authenticated separately with SPF, DKIM and DMARC alignment where supported.