DMARC setup · Microsoft 365

    How to set up DMARC for Microsoft 365

    Microsoft 365 (Exchange Online) is the other major business mail platform. DKIM in Microsoft 365 uses two CNAMEs that point at Microsoft-hosted keys — different from Google's single-record approach.

    DMARC (RFC 7489) tells receiving mail servers what to do when a message claiming to be from your domain fails SPF or DKIM. You publish exactly one DMARC record at `_dmarc.<your-domain>`, regardless of which ESP you use — DMARC is a domain-level policy, not a per-sender configuration. Microsoft 365 doesn't run DMARC for you, but their SPF + DKIM setup is what makes your DMARC checks pass.

    Start every domain at `p=none` with a `rua` (aggregate report) address pointing somewhere you actually read. Watch the reports for two to four weeks to confirm 100% of legitimate mail is aligned, then progress to `p=quarantine` and finally `p=reject`. Skipping the monitoring step is the single most common way founders accidentally block their own mail.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    Type
    TXT
    Host
    _dmarc
    Value
    v=DMARC1; p=none; rua=mailto:[email protected]
    • Microsoft's default DKIM uses relaxed alignment, which works with the default `adkim=r`. Don't tighten to strict unless you've confirmed every legitimate sender aligns.
    • Microsoft 365 publishes its own aggregate reports as the receiver — your `rua` address will receive both inbound (Microsoft as receiver, reporting on mail TO you) and outbound (third parties reporting on mail FROM you) reports.

    Where in Microsoft 365

    The DMARC configuration lives in Microsoft 365 Defender → Policies & rules → Threat policies → Email authentication settings.

    Verify the records

    Once published, run the DMARC Checker on your apex domain to confirm the record parses, reporting URIs are valid, and the policy is what you intended.

    From a terminal
    dig +short TXT _dmarc.your-domain.com
    → Run the free DMARC checker

    Common pitfalls

    • Forgetting to enable DKIM signing in the Defender portal after publishing the CNAMEs is the single most common Microsoft 365 setup error.
    • Older Microsoft documentation references `selector1` only — both `selector1` and `selector2` are required as of 2023.
    • If you use Microsoft 365 as your inbound mail (MX) and a separate ESP for marketing, the SPF record above is for outbound through Microsoft only. Marketing mail needs its own `include:` merged in.

    Want to know if it actually keeps working?

    MailerMonk continuously watches your DMARC record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.