🔒 Email Authentication Mastery

SPF • DKIM • DMARC Setup for Microsoft 365 — Stop Phishing Dead

How SPF, DKIM & DMARC Work Together

📋 SPF

Authorizes allowed mail servers (like Microsoft's) to send emails on your behalf.

v=spf1 include:spf.protection.outlook.com -all

Location: TXT record in YOUR DNS

🔏 DKIM

Signs emails with a cryptographic key — proves the email hasn't been tampered with.

Location: CNAME records in DNS + Enable in Defender

🛡️ DMARC

Policy engine that says: "If SPF or DKIM fail → quarantine or reject the email"

v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com; fo=1

Location: TXT record in YOUR DNS

🔑 ONE PLACE FOR RECORDS: Your DNS Provider
Microsoft gives you the values and enables DKIM signing — but the internet checks YOUR DNS to trust the emails.

Step-by-Step Setup

Option 1: First-Time Domain Add (Best Flow)

1. Add Domain in Microsoft Admin
   Go to Settings → Domains → Add domain → Enter your domain name
   Where: Microsoft Admin Center

2. Enable Advanced DKIM
   Check "Advanced options" → Enable DKIM during the setup wizard
   Where: Microsoft Admin

3. Copy DNS Records
   Microsoft shows you MX, SPF TXT, and DKIM CNAMEs — copy all of them
   Where: Microsoft Admin

4. Paste into Your DNS Console
   Add the TXT record for SPF, CNAME records for DKIM, etc.
   Where: Your DNS Provider

5. Enable DKIM Signing
   Go to Defender → Threat policies → Email authentication → DKIM → Enable
   Where: Microsoft Defender

6. Add DMARC Policy
   Build your policy at MXToolbox → Add TXT record at _dmarc.yourdomain
   Where: Your DNS Provider

7. Verify Everything
   Use MXToolbox lookups to check → All should be green!
   Where: MXToolbox.com
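
An offline check of the SPF and DMARC TXT values used in the steps above, as an added example that is not part of the original page. The function names and the weaker sample records are constructed for illustration; real input would be the TXT strings published at yourdomain and _dmarc.yourdomain.

```python
# Added example: offline lint for SPF and DMARC TXT values (names and samples are constructed).

def parse_tags(record):
    """Split a DMARC record ('k=v; k=v') into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txt_records, required_include="spf.protection.outlook.com"):
    """Return a list of findings for the SPF policy among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers treat this as a permanent error)"]
    terms = spf[0].lower().split()
    findings = []
    if "include:" + required_include not in terms:
        findings.append("missing include:" + required_include)
    if terms[-1] != "-all":
        findings.append("does not end in -all (found %s)" % terms[-1])
    return findings

def check_dmarc(txt_records):
    """Return a list of findings for the record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["expected exactly one DMARC record, found %d" % len(dmarc)]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s does not quarantine or reject failing mail" % policy)
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("no rua mailto: address, so no aggregate reports")
    return findings

# Constructed sample data: the page's two records, and a weaker variant of each.
GOOD_SPF = ["v=spf1 include:spf.protection.outlook.com -all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com; fo=1"]
WEAK_SPF = ["v=spf1 include:spf.protection.outlook.com ~all"]
WEAK_DMARC = ["v=DMARC1; p=none"]

if __name__ == "__main__":
    for label, found in (("SPF", check_spf(WEAK_SPF)), ("DMARC", check_dmarc(WEAK_DMARC))):
        print(label, "->", found or "OK")
```

An empty list means the record matches the policy shown on this page; the DKIM CNAMEs and the Defender signing toggle still need to be checked separately.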

Option 2: Domain Already Added (Fix Later)

1-4. Manage DNS → Add Missing Records
   Follow the same steps 3-7 from Option 1 above
   Where: DNS + Defender

Quick Reference: Where Things Happen

🏢 Microsoft Admin

Add domain, get record values, start the setup wizard

🌐 Your DNS Provider

SPF TXT • DKIM CNAME • DMARC TXT

🛡️ Microsoft Defender

Enable DKIM signing toggle