Providers

A - E

F - L

M - S

T - Z

Back to DMARC report

Office365

Supports SPF Supports DKIM

DKIM & SPF Setup for Office 365

SPF Setup for Office 365

To set up or edit your SPF record to include Office 365, you will need to add: include:spf.protection.outlook.com

Edit existing SPF record

Log in to your DNS hosting provider
Look for a TXT containing v=spf1
In your existing SPF record, you will append include:spf.protection.outlook.com
For example, if your existing record looks like v=spf1; mx; ip4:1.2.3.4; you would add the above include as follows v=spf1; mx; ip4:1.2.3.4; include:spf.protection.outlook.com

Create a new SPF record

Follow the instructions from our How to Create a New SPF Record Guide.
In the Value field, enter: v=spf1 include:spf.protection.outlook.com ~all and Save the TXT record.

Records for Subdomains

If you are creating a record for a subdomain, you will want to make sure that you specify the sub part of the domain in the Host/Name/Alias field for most DNS providers.

Enter the sub part of the domain. For example, if the subdomain is mail.mxtoolbox.com you would want to enter mail into that field.

Office 365 SPF and DMARC Alignment

By default, Office 365 will set you up with a onmicrosoft.com domain. This domain will NOT pass SPF Alignment.

To Pass SPF Alignment:

Log in to your Microsoft 365 Admin center
Click Settings, then click Domains
Click +Add Domain
Input your domain/subdomain
Open a separate tab and log in to your DNS Hosting provider and select Add/Create.
Copy the values provided by Microsoft (MX or TXT) and paste them into the new record
Back on the Microsoft Domains page, click the Verify link
Once the changes have propagated in DNS, you can safely delete this record from your DNS

TXT Record Example:

TXT Name:
TXT Value: MS=ms######## (unique ID from the Admin center)
TTL: 3600
Save the record, go back to the Admin center, then select Verify. It typically takes around 15 minutes for record changes to register, but sometimes it can take longer. Give it some time and a few tries to pick up the change.

MX Record Example:

Record Type: MX
Priority: Set to the highest value available, typically 0.
Host Name: @
Points to address: Copy the value from the Admin center and paste it here.
TTL: 3600

DKIM Setup for Office 365

If you have not set up DKIM, Microsoft automatically uses its default signing domain (domain.onmicrosoft.com). After you properly set up DKIM, be sure to enable it with your domain and disable Microsoft's default signing domain. Otherwise, you will fail the DKIM alignment test.

To set up DKIM for Office 365, complete these steps:

Publish two CNAME records for your custom domain at DNS host using the following format:
- Host name: selector1._domainkey.<domain> Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain> TTL: 3600
- Host name: selector2._domainkey.<domain> Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain> TTL: 3600
After publishing the CNAME records in DNS, follow these steps to enable DKIM signing through Microsoft 365:
- Open the Microsoft 365 Defender portal.
- Go to Email & collaboration > Policies & rules > Threat policies page > Rules section > DomainKeys Identified Mail (DKIM). Or, click this link.
- Select the domain by clicking its name.
- In the available details flyout page, change the Sign messages for this domain with DKIM signatures setting to Enabled.
- Repeat the above steps as needed for each custom domain.

Run MxToolbox's DKIM Lookup tool.
- This tool performs a DKIM record test against a domain name and selector for a valid published DKIM key record.

Note: You can also use Exchange Online PowerShell to create DKIM keys. To enable DKIM signing for your custom domain via PowerShell.

DKIM/SPF Setup Highlights

The below sections highlight notable characteristics of setting up DKIM and SPF for this provider as well as highlighting advanced settings if offered by this Outbound Email Source.

SPF

SPF Include Tag Required

This outbound email provider uses an include mechanism to add this provider's IP space to your SPF. To get fully set up with SPF for this provider, you will need to take the provided “include” domain and add it to your SPF record. An example of an SPF record without an include tag is compared to one with the tag added below (the include tags added are denoted in bold).

Initial SPF Record:

HOST	TEXT
yourdomain.com	v=spf1 ~all

SPF record include added:

HOST	TEXT
yourdomain.com	v=spf1 include:sender.net include:new3rdparty.com ~all

This outbound email provider does not allow a custom Return-Path address to be set.

SPF Support for outlook

DKIM

Supports DKIM Signing

Yes, this outbound email provider supports DKIM signing.

DKIM Setup via CNAME

This specific email provider relies on a CNAME record (or multiple records) for DKIM set up. Below is an example a typical CNAME Record for setting up DKIM. The HOST section will typically contain a unique name followed by the domain name you are creating the record for (In the below "s1.domainkey" is the unique name followed by the domain of "yourdomain.com". The ADDRESS section will outline where mail receivers should look for a DKIM record for the domain. Both of these values are typically auto generated when you setup DKIM via an outbound email source.

HOST	ADDRESS
s1.domainkey.yourdomain.com.	s1.domainkey.uXXX.wlXXX.sendgrid.net.

No Custom DKIM records

This outbound email provider does not allow for any modification to the DKIM records they have provided to you.

DKIM Setup Process: Self-Service Dashboard

This email provider offers a self-service dashboard where DKIM records will be setup for the account. To get DKIM setup for this provider you will login to your account at this provider and proceed to the DKIM setup area.

DKIM Support for outlook