Updating SPF, DKIM, DMARC records for Office 365 Tenant

We recommend you to first update the SPF and DKIM record for your domain and finally add DMARC record by following the steps below


NOTE: SPF and DKIM must be configured first to implement DMARC feature

I. For Adding SPF Record :

  • To authorize Microsoft Office 365 to send emails on your behalf you will have to add them to your SPF record:  "include:spf.protection.outlook.com". with TTL value "3600" and Host Name as "@"
  • For detail information please visit this link

II. For Adding DKIM Record :

In order to DKIM sign your custom domain emails you will need to complete the following steps:

  1. Create and publish two CNAME records for your custom domain in your public DNS
  2. Enable DKIM signing 

1. Creating the CNAME records:

The CNAME records are used to map an alias name to the true or canonical domain name. In essence when you provision a new domain name in Office 365 you will need to create two CNAME records for it so that it points to your initial domain. Here is an example:

We will use example.onmicrosoft.com as our initial domain, also called the tenant domain. But we actually own example.com and after we provision it in Office 365 we need to publish the two CNAME records so that example.com points to example.onmicrosoft.com using the format below.

Host name: selector1._domainkey.<domain>
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Host name:selector2._domainkey.<domain>
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

In our example the CNAME records will look like this:

Host name:selector1._domainkey.example.com
Points to address or value: selector1-example-com._domainkey.example.onmicrosoft.com
TTL: 3600

Host name:selector2._domainkey.example.com
Points to address or value: selector2-example-com._domainkey.example.onmicrosoft.com
TTL: 3600

Please pay close attention to the domainGUID which does not use a full stop "." but a dash "-" instead. This is taken from the MX record of your custom domain, in this case example.com

The reason behind the two CNAME records is because Microsoft rotates the two keys for added security.

Enabling DKIM signing

Once you have added the CNAME records (two per domain) DKIM signing can be enabled through the Office 365 admin center

1. Log on to portal.office.com with Admin credentials.

2. Select "Exchange Admin " Under Admin Centers" 

3. Select "dkim" under "Protection" in Exchange Admin center.

4. Select your domain under "dkim" and Hit enable once you add Two CNAME Records 

Note: It may take up to 48 hours for DNS changes to fully propagate.

For detail information please visit this link

III. For Adding DMARC Record :

Earlier steps SPF and DKIM implemented increases reputation of our outbound mails. 

But to prevent mails getting delivered on gmail forging 'From' address of our domain we can set DMARC record. 

Before you update DMARC consider to check SPF and DKIM is updated successfully, else it may not work.  

To implement DMARC record for YourDomain,  please create the below TXT record in your DNS C-Panel:

"v=DMARC1; p=none; rua=mailto:admin@yourdomain.com;  fo=1"


Know more about DMARC visit this link