Microsoft 365 Email DNS Setup: SPF, DKIM and DMARC

Learn how to configure Microsoft 365 email DNS with MX records, SPF, DKIM and DMARC, and avoid common migration and authentication mistakes.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 8 min read | Beginner

Introduction

Microsoft 365 uses DNS records to route inbound email to Exchange Online and authenticate outbound email from your domain. MX records control where incoming mail is delivered, while SPF, DKIM and DMARC help receiving mail servers verify that outgoing messages are authorized.

A correct Microsoft 365 setup usually includes the Microsoft 365 MX record, an SPF record that authorizes Microsoft’s sending infrastructure, DKIM enabled for your custom domain, and a DMARC policy published at _dmarc.yourdomain.com. If old provider records remain active or records are added in the wrong DNS zone, mail routing or authentication can fail.

Quick answer

For Microsoft 365, configure the MX record shown in Microsoft 365 admin center, add SPF with include:spf.protection.outlook.com if Microsoft sends mail for your domain, configure DKIM for the custom domain, and add a DMARC record starting with p=none for monitoring. Always use the current values shown in Microsoft 365 admin center.

Microsoft 365 DNS

A typical Microsoft 365 email setup uses several DNS records:

MX records

Route inbound email to Exchange Online.

SPF

Authorizes Microsoft 365 to send email for the domain.

DKIM

Lets Microsoft 365 sign outgoing messages using your domain.

DMARC

Tells receivers how to handle messages that fail SPF and DKIM alignment.

MX controls incoming mail routing. SPF, DKIM and DMARC help authenticate outgoing mail.

MX records

MX records tell the internet where to deliver incoming email for your domain. For Microsoft 365, the MX record is usually provided in the Microsoft 365 admin center during domain setup.

The exact MX hostname can be domain-specific. Use the value shown in Microsoft 365 admin center instead of copying another domain’s MX record.

Check

Confirm Microsoft 365 MX routing is correct.

MX matches admin center

MX record matches Microsoft 365 admin center.

Old MX removed

Remove old hosting, cPanel, Plesk, Zoho or Google MX records.

Priority correct

MX priority matches Microsoft instructions.

Correct DNS zone

Edit DNS at the active nameserver provider.

Test delivery

Test messages arrive in Exchange Online mailboxes.

Do not change MX records until Microsoft 365 users, mailboxes and aliases are ready.

SPF

If Microsoft 365 sends mail for your domain, SPF should authorize Microsoft’s sending infrastructure.

Common Microsoft 365 SPF
v=spf1 include:spf.protection.outlook.com ~all

If you also send mail from other services, such as a CRM, website form, newsletter platform or billing system, do not create separate SPF records. Merge all legitimate senders into one SPF record.

Combined SPF example
v=spf1 include:spf.protection.outlook.com include:mailservice.example ~all

Use only providers that actually send mail for your domain. Too many includes can exceed SPF’s 10 DNS lookup limit.
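
The two SPF rules above (one record per domain, at most 10 DNS lookups) can be checked mechanically. The following Python is an added example, not part of the original guide; FAKE_DNS is constructed sample data standing in for live TXT lookups, the function names are hypothetical, and the count also follows nested include: and redirect= targets, which the limit covers.

```python
import re

# Constructed sample data standing in for live TXT lookups (not real records).
FAKE_DNS = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com include:mailservice.example ~all",
                    "site-verification=constructed-value"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "mailservice.example": ["v=spf1 include:relay.mailservice.example a mx ~all"],
    "relay.mailservice.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "broken.example": ["v=spf1 include:spf.protection.outlook.com ~all",
                       "v=spf1 include:mailservice.example ~all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(domain, dns=FAKE_DNS):
    """Return only the TXT strings that are SPF records."""
    return [t for t in dns.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, dns=FAKE_DNS, seen=None):
    """Count DNS-querying terms, following include: and redirect= targets."""
    seen = set() if seen is None else seen
    records = spf_records(domain, dns)
    if domain in seen or len(records) != 1:
        return 0  # loop guard, or no single record to evaluate
    seen.add(domain)
    total = 0
    for term in records[0].lower().split()[1:]:
        parts = re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1)
        name = parts[0].split("/")[0]          # "a/24" still counts as "a"
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and len(parts) == 2:
            total += count_lookups(parts[1], dns, seen)
    return total

def audit_spf(domain, dns=FAKE_DNS):
    """Return a list of findings; an empty list means no problem was found."""
    records = spf_records(domain, dns)
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return ["multiple SPF records: merge into one"]
    findings = []
    if "include:spf.protection.outlook.com" not in records[0].lower().split():
        findings.append("Microsoft 365 include missing")
    lookups = count_lookups(domain, dns)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10")
    return findings
```

With the sample data, example.com uses 5 of its 10 lookups even though its own record lists only two includes, because mailservice.example adds three more.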

DKIM

DKIM for Microsoft 365 is configured for the custom domain and usually uses DNS records provided by Microsoft. In many Microsoft 365 setups, DKIM uses selector-based DNS records such as selector1 and selector2.

Common selector hostname pattern
selector1._domainkey.example.com
selector2._domainkey.example.com

The exact target values should come from Microsoft 365 / Defender admin settings for your domain.

  1. Open Microsoft 365 / Defender email authentication settings

    Find DKIM settings for the custom domain.

  2. Select the custom domain

    Choose the domain you want to sign outgoing mail for.

  3. Review the required DKIM selector records

    Copy the selector hostnames and target values Microsoft provides.

  4. Add the required DNS records at the active DNS provider

    Publish the selector records where your domain’s DNS is hosted.

  5. Wait until DNS is visible

    Allow DNS propagation before enabling signing.

  6. Enable DKIM signing for the domain

    Turn on DKIM signing in Microsoft 365 after DNS is detected.

  7. Send a test message and confirm DKIM passes

    Verify real outgoing mail passes DKIM authentication.

Do not invent DKIM selector targets. Use the values shown by Microsoft for the domain.

DMARC

After SPF and DKIM are configured, add a DMARC record at _dmarc.example.com.

Monitoring mode starter
v=DMARC1; p=none; rua=mailto:dmarc@example.com

p=none lets you collect reports without asking receivers to quarantine or reject mail. Move to quarantine or reject only after confirming legitimate Microsoft 365 and third-party senders pass DMARC alignment.

DMARC does not replace SPF or DKIM. It depends on SPF and DKIM results and alignment.

Setup order

  Step 1: Confirm active DNS provider

    Check nameservers so you know where DNS records must be added.

  Step 2: Set Microsoft 365 MX

    Route inbound mail to Exchange Online using the MX value shown in Microsoft 365 admin center.

  Step 3: Add SPF

    Authorize Microsoft 365 with include:spf.protection.outlook.com and merge any other real sending providers.

  Step 4: Enable DKIM

    Add the required selector records, wait for DNS, then enable DKIM signing for the domain.

  Step 5: Add DMARC

    Start with p=none and a reporting address.

  Step 6: Test real messages

    Send mail to external providers and inspect SPF, DKIM and DMARC results.
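
To inspect the results of that last test, read the Authentication-Results header the receiving provider adds to the message. The following Python is an added example, not part of the original guide: both header values are constructed, the function names are hypothetical, it assumes one result per method, and relaxed alignment is simplified to "same domain or parent/child domain" instead of a Public Suffix List lookup.

```python
import re

# Constructed Authentication-Results values from two test messages.
M365_MAIL = ("mx.receiver.example; spf=pass smtp.mailfrom=example.com; "
             "dkim=pass header.d=example.com header.s=selector1; "
             "dmarc=pass header.from=example.com")
CRM_MAIL = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@mailservice.example; "
            "dkim=pass header.d=mailservice.example header.s=s1; "
            "dmarc=fail header.from=example.com")

def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc) to its result and properties."""
    value = re.sub(r"\([^)]*\)", "", value)      # drop parenthesised comments
    parsed = {}
    for clause in value.split(";")[1:]:          # first field is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed

def aligned(domain, from_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    a, b = domain.lower().rsplit("@", 1)[-1], from_domain.lower()
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def explain(value):
    """Show which mechanism, if any, gives this message an aligned pass."""
    r = parse_auth_results(value)
    from_domain = r.get("dmarc", {}).get("header.from", "")
    spf, dkim = r.get("spf", {}), r.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_should_pass": spf_ok or dkim_ok,
            "dmarc_reported": r.get("dmarc", {}).get("result")}
```

CRM_MAIL shows the third-party case: SPF and DKIM both pass, but for mailservice.example rather than the From domain, so neither is aligned and DMARC fails.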

Why this matters

Microsoft 365 may send or receive mail even when DNS authentication is incomplete, but missing or incorrect SPF, DKIM and DMARC records can reduce trust and make troubleshooting harder. Proper authentication helps receivers confirm that Microsoft 365 is authorized to send for your domain.

Microsoft 365 authentication is especially important if your domain also uses newsletters, CRMs, billing systems, website forms, support desks or transactional email tools.

How to check it

Use CheckDomainHealth tools to inspect MX, SPF, DKIM and DMARC records for your domain.

When checking Microsoft 365, review

These six checks help confirm email authentication is complete.

MX records

Confirm inbound mail routes to Microsoft 365 / Exchange Online.

SPF

Confirm the SPF record includes include:spf.protection.outlook.com if Microsoft sends mail for the domain.

DKIM selector records

Confirm Microsoft 365 DKIM selector records exist and resolve.

DKIM signing

Confirm Microsoft 365 is signing real outgoing messages.

DMARC

Confirm a DMARC record exists at _dmarc.yourdomain.com.

Third-party senders

Confirm any non-Microsoft senders are also authenticated.

Common problems

Old MX records still active (High)

Inbound mail may route to an old hosting or mail provider instead of Exchange Online.

Next step: Replace old MX records with the Microsoft 365 MX record shown in admin center.

SPF record missing Microsoft include (High)

Microsoft 365 may send mail for the domain, but SPF does not authorize Microsoft.

Next step: Add include:spf.protection.outlook.com to the single SPF record.

Multiple SPF records (High)

One SPF record was added for Microsoft and another for a different provider.

Next step: Merge all legitimate senders into one SPF TXT record.

DKIM selector records missing (High)

The required Microsoft 365 DKIM selector records are not published.

Next step: Add the selector records shown in Microsoft 365 / Defender admin settings.

DKIM not enabled (Medium)

DNS records may exist, but Microsoft 365 has not started signing messages for the domain.

Next step: Enable DKIM signing for the domain after DNS is visible.

DMARC missing (Medium)

SPF and DKIM may exist, but no DMARC policy is published.

Next step: Add a starter DMARC record with p=none.

Third-party sender fails DMARC (Medium)

Microsoft is authenticated, but a CRM, newsletter tool, website form or helpdesk fails SPF/DKIM alignment.

Next step: Configure DKIM/SPF for each third-party sender.

DNS records added at wrong provider (High)

Records were added in a DNS zone that is not authoritative for the domain.

Next step: Check active nameservers and edit the live DNS provider.

How to fix it

  Step 1: Check active nameservers

    Confirm where DNS is hosted before editing records.

  Step 2: Verify MX records

    Use MX Lookup to confirm Exchange Online is the active inbound mail destination.

  Step 3: Fix SPF

    Publish one SPF record that includes Microsoft and any other real sending services.

  Step 4: Configure DKIM selectors

    Use the selector records shown in Microsoft 365 / Defender admin settings and publish them in DNS.

  Step 5: Enable DKIM signing

    After DNS is visible, enable DKIM signing for the custom domain.

  Step 6: Add DMARC monitoring

    Publish a p=none DMARC record and collect reports.

  Step 7: Test external delivery

    Send messages to external mailboxes and check message headers for SPF, DKIM and DMARC results.

  Step 8: Review third-party senders

    Authenticate newsletters, CRMs, billing platforms, website forms, helpdesks and transactional tools separately.

DNS examples

SPF example
v=spf1 include:spf.protection.outlook.com ~all

Combined SPF example
v=spf1 include:spf.protection.outlook.com include:mailservice.example ~all

DKIM selector hostname examples
selector1._domainkey.example.com
selector2._domainkey.example.com

DMARC starter example
v=DMARC1; p=none; rua=mailto:dmarc@example.com

Check commands
dig example.com MX
dig example.com TXT
dig selector1._domainkey.example.com TXT
dig _dmarc.example.com TXT

These examples are illustrative. Use the current MX and DKIM values shown in Microsoft 365 admin center or Microsoft Defender for your domain.

Other senders

Many domains use Microsoft 365 for mailbox email and other services for newsletters, invoices, CRM messages, support tickets or website forms. For each additional sender, check:

  • Does it need an SPF include?
  • Does it support custom DKIM?
  • Does it align with DMARC?
  • Does it use your domain in the visible From address?
  • Does it appear in DMARC reports?

Do not add a second SPF record for each sender. Merge all legitimate senders into one SPF record.

Frequently asked questions

What SPF record does Microsoft 365 use?

If Microsoft 365 sends mail for your domain, the SPF record usually includes include:spf.protection.outlook.com. If you use other senders, merge them into the same SPF record.

Do I need DKIM for Microsoft 365?

Yes, DKIM is strongly recommended. Configure DKIM selector records and enable signing for the custom domain.

Where do I add Microsoft 365 DKIM records?

Add the selector records shown in Microsoft 365 / Defender admin settings at the active DNS provider.

Do I need DMARC for Microsoft 365?

Yes, DMARC is recommended after SPF and DKIM are configured. Start with p=none for monitoring.

Can I have multiple SPF records for Microsoft and another provider?

No. Use one SPF record and include all legitimate senders in that record.

Why does DKIM still fail after adding the records?

Common causes include wrong DNS provider, missing selector records, DNS delay or DKIM not enabled in Microsoft 365.

Does Microsoft 365 authentication cover newsletters or CRMs?

No. Each third-party sender must be authenticated separately with SPF, DKIM and DMARC alignment where supported.
