DKIM & SPF Setup for Office 365
SPF Setup for Office 365
To set up or edit your SPF record to include Office 365, you will need to add: include:spf.protection.outlook.com
Edit existing SPF record
- Log in to your DNS hosting provider
- Look for a TXT containing v=spf1
- In your existing SPF record, you will append include:spf.protection.outlook.com
- For example, if your existing record looks like v=spf1; mx; ip4:1.2.3.4; you would add the above include as follows v=spf1; mx; ip4:1.2.3.4; include:spf.protection.outlook.com
Create a new SPF record
- Follow the instructions from our How to Create a New SPF Record Guide.
- In the Value field, enter: v=spf1 include:spf.protection.outlook.com ~all and Save the TXT record.
Records for Subdomains
If you are creating a record for a subdomain, you will want to make sure that you specify the sub part of the domain in the Host/Name/Alias field for most DNS providers.
- Enter the sub part of the domain. For example, if the subdomain is mail.mxtoolbox.com you would want to enter mail into that field.
Office 365 SPF and DMARC Alignment
By default, Office 365 will set you up with a onmicrosoft.com domain. This domain will NOT pass SPF Alignment.
To Pass SPF Alignment:
- Log in to your Microsoft 365 Admin center
- Click Settings, then click Domains
- Click +Add Domain
- Input your domain/subdomain
- Open a separate tab and log in to your DNS Hosting provider and select Add/Create.
- Copy the values provided by Microsoft (MX or TXT) and paste them into the new record
- Back on the Microsoft Domains page, click the Verify link
- Once the changes have propagated in DNS, you can safely delete this record from your DNS
TXT Record Example:
- TXT Name:
- TXT Value: MS=ms######## (unique ID from the Admin center)
- TTL: 3600
- Save the record, go back to the Admin center, then select Verify. It typically takes around 15 minutes for record changes to register, but sometimes it can take longer. Give it some time and a few tries to pick up the change.
MX Record Example:
- Record Type: MX
- Priority: Set to the highest value available, typically 0.
- Host Name: @
- Points to address: Copy the value from the Admin center and paste it here.
- TTL: 3600
DKIM Setup for Office 365
If you have not set up DKIM, Microsoft automatically uses its default signing domain (domain.onmicrosoft.com). After you properly set up DKIM, be sure to enable it with your domain and disable Microsoft's default signing domain. Otherwise, you will fail the DKIM alignment test.
To set up DKIM for Office 365, complete these steps:
- Publish two CNAME records for your custom domain at DNS host using the following format:
Host name: selector1._domainkey.<domain>
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600Host name: selector2._domainkey.<domain>
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
TTL: 3600
- After publishing the CNAME records in DNS, follow these steps to enable DKIM signing through Microsoft 365:
- Open the Microsoft 365 Defender portal.
- Go to Email & collaboration > Policies & rules > Threat policies page > Rules section > DomainKeys Identified Mail (DKIM). Or, click this link.
- Select the domain by clicking its name.
- In the available details flyout page, change the Sign messages for this domain with DKIM signatures setting to Enabled.
- Repeat the above steps as needed for each custom domain.
- Run MxToolbox's DKIM Lookup tool.
- This tool performs a DKIM record test against a domain name and selector for a valid published DKIM key record.
Note: You can also use Exchange Online PowerShell to create DKIM keys. To enable DKIM signing for your custom domain via PowerShell.