Office365

To utilize a custom domain, the Office 365 provider requires an SPF TXT record be added to the DNS record. This TXT record is then used by DNS to recognize email servers allowed to send messages on behalf of your custom/third-party domain. v=spf1 ~all

To set up your SPF record with Office 365 or to edit your current SPF record to include Office 365, follow these steps:

1. Sign in to your domain account at your domain host.
2. Locate page for updating your domain’s DNS records (e.g., DNS Management, Name Server Management, Advanced Settings).
3. Find your TXT records to check if you have an existing SPF record (record will start with v=spf1).

• If you have an existing SPF record, follow the instructions below to update an existing SPF record with multiple mail servers.
  • In your existing SPF record, you will append include:spf.protection.outlook.com
  • For example, if your existing record looks like v=spf1; mx; ip4:1.2.3.4; you would add the above include as follows v=spf1; mx; ip4:1.2.3.4; include:spf.protection.outlook.com
• If you do not have an SPF record, create a new TXT record with the following values:
  • In the Name/Host/Alias field, enter @ or leave blank (other DNS records might indicate which one you need).
  • In the Time to Live (TTL) field, enter 3600 or leave the default.
  • In the Value/Answer/Destination field, enter: v=spf1; include:spf.protection.outlook.com ~all and Save the TXT record.

DKIM defines a domain-level digital signature authentication framework for email by permitting a signing domain to claim responsibility for a message in transit. DKIM authenticates the reputation and identity of the message sender and their email signing practices for additional handling (i.e., whether email gets delivered, quarantined, or rejected). DKIM authentication of a message is validated via a cryptographic signature and querying the signer’s domain to retrieve a public key. If you plan to set up DMARC (recommended by MxToolbox and Microsoft) for your custom domain, you should also configure DKIM.

Note: If you have not set up DKIM, Microsoft automatically uses its default signing domain (domain.onmicrosoft.com). After you properly set up DKIM, be sure to enable it with your domain and disable Microsoft's default signing domain. Otherwise, you will likely fail alignment.

To set up DKIM for Office 365, complete these steps:

1. Publish two CNAME records for your custom domain at DNS host using the following format:
   • Host name:        selector1._domainkey.<domain>
     Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain> 
     TTL:            3600
   • Host name:        selector2._domainkey.<domain>
     Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain> 
     TTL:            3600
2. Enable DKIM signing for your custom domain.

• After publishing the CNAME records in DNS, follow these steps to enable DKIM signing through Microsoft 365:
  • Open the Microsoft 365 Defender portal.
  • Go to Email & collaboration > Policies & rules > Threat policies page > Rules section > DomainKeys Identified Mail (DKIM). Or, click this link.
  • Select the domain by clicking its name.
  • In the available details flyout page, change the Sign messages for this domain with DKIM signatures setting to Enabled.
  • Repeat the above steps as needed for each custom domain.

     3. Run MxToolbox's DKIM Lookup tool.

• This tool performs a DKIM record test against a domain name and selector for a valid published DKIM key record.

You can also use Exchange Online PowerShell to create DKIM keys. To enable DKIM signing for your custom domain via PowerShell, click here. [article to come]

If you need to upgrade your 1024-bit DKIM encryption key to 2048 bitness, click here. [article to come] The PowerShell platform allows you to complete this process in a few simple steps.

DKIM is designed to help prevent spoofing, but is more effective in conjunction with SPF and DMARC. After you have properly enabled DKIM, be sure to set up SFP for your domain if needed. Once those pieces are in place, implement DMARC to validate email. Your delivery rates will improve, along with your company's email reputation.