Set up SPF, DKIM and DMARC on Microsoft 365

If your business uses Microsoft 365 for email, here is how to enable the three anti-spoofing protections, step by step.

1. SPF — allow Microsoft's servers

In your DNS zone, add (or complete) a TXT record on your domain:

v=spf1 include:spf.protection.outlook.com -all

If you also send email through other services (newsletter, CRM), add their "include" entries before the -all.

2. DKIM — sign your emails

In the Microsoft Defender portal (security.microsoft.com) → Email & collaboration → Policies & rules → DKIM. Select your domain, then enable DKIM. Microsoft gives you two CNAME records (selector1._domainkey and selector2._domainkey) to add to your DNS, then you turn on signing.

3. DMARC — block spoofers

Add a TXT record on _dmarc.yourdomain.com. Start in monitoring mode:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

After a few weeks with no issues, move to p=quarantine, then p=reject for maximum protection.

Check your setup for free

Enter your domain: we test your SPF, DKIM, DMARC and website, and give you the exact action plan.

Run the free check
See also: the SPF, DKIM, DMARC guide, Microsoft 365, Google Workspace, securing your website.