A - E
F - L
M - S
T - Z


Supports SPF Supports DKIM

How to Enable SPF for Office 365


To utilize a custom domain, the Office 365 provider requires an SPF TXT record be added to the DNS record. This TXT record is then used by DNS to recognize email servers allowed to send messages on behalf of your custom/third-party domain. v=spf1 ~all

To set up your SPF record with Office 365 or to edit your current SPF record to include Office 365, follow these steps:

  1. Sign in to your domain account at your domain host.
  2. Locate page for updating your domain’s DNS records (e.g., DNS Management, Name Server Management, Advanced Settings).
  3. Find your TXT records to check if you have an existing SPF record (record will start with v=spf1).
  • If you have an existing SPF record, follow the instructions below to update an existing SPF record with multiple mail servers.
    • In your existing SPF record, you will append
    • For example, if your existing record looks like v=spf1; mx; ip4:; you would add the above include as follows v=spf1; mx; ip4:;
  • If you do not have an SPF record, create a new TXT record with the following values:
    • In the Name/Host/Alias field, enter @ or leave blank (other DNS records might indicate which one you need).
    • In the Time to Live (TTL) field, enter 3600 or leave the default.
    • In the Value/Answer/Destination field, enter: v=spf1; ~all and Save the TXT record.


How to Enable DKIM for Office 365


DKIM defines a domain-level digital signature authentication framework for email by permitting a signing domain to claim responsibility for a message in transit. DKIM authenticates the reputation and identity of the message sender and their email signing practices for additional handling (i.e., whether email gets delivered, quarantined, or rejected). DKIM authentication of a message is validated via a cryptographic signature and querying the signer’s domain to retrieve a public key. If you plan to set up DMARC (recommended by MxToolbox and Microsoft) for your custom domain, you should also configure DKIM.

Note: If you have not set up DKIM, Microsoft automatically uses its default signing domain ( After you properly set up DKIM, be sure to enable it with your domain and disable Microsoft's default signing domain. Otherwise, you will likely fail alignment.

To set up DKIM for Office 365, complete these steps:

  1. Publish two CNAME records for your custom domain at DNS host using the following format:
    • Host name:        selector1._domainkey.<domain>
      Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain> 
      TTL:            3600
    • Host name:        selector2._domainkey.<domain>
      Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain> 
      TTL:            3600
  2. Enable DKIM signing for your custom domain.
  • After publishing the CNAME records in DNS, follow these steps to enable DKIM signing through Microsoft 365:
    • Open the Microsoft 365 Defender portal.
    • Go to Email & collaboration > Policies & rules > Threat policies page > Rules section > DomainKeys Identified Mail (DKIM). Or, click this link.
    • Select the domain by clicking its name.
    • In the available details flyout page, change the Sign messages for this domain with DKIM signatures setting to Enabled.
    • Repeat the above steps as needed for each custom domain.

     3. Run MxToolbox's DKIM Lookup tool.

  • This tool performs a DKIM record test against a domain name and selector for a valid published DKIM key record.

You can also use Exchange Online PowerShell to create DKIM keys. To enable DKIM signing for your custom domain via PowerShell, click here. [article to come]

If you need to upgrade your 1024-bit DKIM encryption key to 2048 bitness, click here. [article to come] The PowerShell platform allows you to complete this process in a few simple steps.

DKIM is designed to help prevent spoofing, but is more effective in conjunction with SPF and DMARC. After you have properly enabled DKIM, be sure to set up SFP for your domain if needed. Once those pieces are in place, implement DMARC to validate email. Your delivery rates will improve, along with your company's email reputation.

DKIM/SPF Setup Highlights

The below sections highlight notable characteristics of setting up DKIM and SPF for this provider as well as highlighting advanced settings if offered by this Outbound Email Source.


SPF Include Tag Required

This outbound email provider uses an include mechanism to add this provider's IP space to your SPF. To get fully set up with SPF for this provider, you will need to take the provided “include” domain and add it to your SPF record. An example of an SPF record without an include tag is compared to one with the tag added below (the include tags added are denoted in bold).


Initial SPF Record:

HOST TEXT v=spf1 ~all


SPF record include added:

HOST TEXT v=spf1 ~all


This outbound email provider does not allow a custom Return-Path address to be set. 


Supports DKIM Signing

Yes, this outbound email provider supports DKIM signing.

DKIM Setup via CNAME

This specific email provider relies on a CNAME record (or multiple records) for DKIM set up. Below is an example a typical  CNAME Record for setting up DKIM. The HOST section will typically contain a unique name followed by the domain name you are creating the record for (In the below "s1.domainkey" is the unique name followed by the domain of "". The ADDRESS section will outline where mail receivers should look for a DKIM record for the domain. Both of these values are typically auto generated when you setup DKIM via an outbound email source.



No Custom DKIM records

This outbound email provider does not allow for any modification to the DKIM records they have provided to you.

DKIM Setup Process: Self-Service Dashboard

This email provider offers a self-service dashboard where DKIM records will be setup for the account. To get DKIM setup for this provider you will login to your account at this provider and proceed to the DKIM setup area.