How to Set Up SPF and DKIM for Outlook (Microsoft 365)

How to Set Up SPF and DKIM for Outlook (Microsoft 365)

Securing your email domain is essential to prevent spoofing, phishing, and ensuring email deliverability. Two key email authentication protocols—SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail)

This article walks you through the step-by-step setup of SPF and DKIM for Outlook (Microsoft 365).

Set Up SPF for Microsoft 365

Steps to Set Up SPF:

SPF tells receiving email servers which mail servers are allowed to send emails on behalf of your domain.

Step 1: Log in to your domain DNS provider

Examples: GoDaddy, Namecheap, Cloudflare, etc.

Step 2: Create or Update Your SPF TXT Record

You need to add the following TXT record:

Type Name/Host Value
TXT              @ or yourdomain.com           v=spf1 include:spf.protection.outlook.com -all

🔍 If you already have an SPF record, merge Microsoft’s include:
E.g., v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all

Step 3: Save and Propagate

  • Save the record.

  • It may take up to 24-48 hours to propagate.

Set Up DKIM for Microsoft 365

Steps to Set Up DKIM:

DKIM signs outgoing messages with a private key. The recipient’s server uses a public key (published in your DNS) to verify the message integrity and source.

Step 1: Log into Microsoft 365 Admin Center

Go to: https://admin.microsoft.com
You need Global Administrator permissions.

Step 2: Navigate to Microsoft Defender Portal

Go to: Microsoft Defender > Email & Collaboration > Policies & Rules > Threat Policies > DKIM

Shortcut: https://security.microsoft.com/dkimv2

Step 3: Select Your Domain

Click on your domain from the list.

Step 4: Copy the CNAME DKIM Records

Microsoft will show you two CNAME records to publish:

  • Example:

    • selector1._domainkey.yourdomain.com → selector1-yourdomain-com._domainkey.yourinitialdomain.onmicrosoft.com

    • selector2._domainkey.yourdomain.com → selector2-yourdomain-com._domainkey.yourinitialdomain.onmicrosoft.com

Step 5: Add CNAME Records to Your DNS

In your DNS provider’s portal, add:

Type Name Value
CNAME              selector1._domainkey              selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
CNAME              selector2._domainkey              selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Note: Replace yourdomain-com and yourtenant with actual values shown in Defender.

Step 6: Enable DKIM Signing

After DNS records propagate (1–48 hours), go back to Microsoft Defender DKIM settings:

  • Click on your domain

  • Click “Enable”

Testing Your Setup

You can test SPF, DKIM, and DMARC using TDMARC tool feature Email Analyzer by dropping an email on the respective email ID


Conclusion

Setting up SPF and DKIM for Outlook (Microsoft 365) is essential for protecting your domain and improving email deliverability. This guide ensures you're authenticated and ready to combat spoofing and phishing.

    • Related Articles

    • How Is DMARC Records Different From SPF And DKIM?

      SPF or Sender Policy Framework is a DNS text record that contains a list of servers (users) that should be considered authorized or allowed to send an email on the behalf of that specific domain. Incidentally, the fact that SPF is a DNS entry can ...

    • How to Set Up DKIM for Shopify?

      DKIM is a technical standard that aids email senders and recipients from common threats like phishing, spoofing, and spam. It helps you in assigning a private key to your outgoing emails which is used by receiving MTAs to verify the legitimacy of ...

    • What Is DKIM?

      DKIM stands for Domain keys identified mail which is an email authentication technique that generates a digital signature in the header. This digital signature is added within the message or body of the email and is secured with encryption. DKIM ...

    • How to Configure SPF?

      Sender Policy Framework (SPF) is an email authentication technique used for mitigating cyber threats by helping the user detect email forging and spoofing. Email servers use the Return-Path to get an SPF Record, whenever a user receives an email. A ...

    • Can We Setup DMARC Using SPF?

      Yes, you can set up DMARC without DKIM and even if you only have DMARC and SPF setup. In cases where the DKIM check fails, DMARC authentication is dependent on the SPF check and SPF identifier alignment, which works but is not that optimal. DMARC ...