How do you set up DMARC on Microsoft 365?
Updated July 3, 2026
To set up DMARC for Microsoft 365, first confirm your SPF record includes spf.protection.outlook.com and enable DKIM in the Microsoft Defender portal (which requires two CNAME records, selector1 and selector2, at your DNS host), then add a TXT record named _dmarc with a value starting with v=DMARC1. The DMARC record itself is published at your DNS host, not inside Microsoft 365.
What you need before starting
- ✓ Admin access to your Microsoft 365 tenant (Global admin or Security admin for the Defender portal)
- ✓ Access to your domain's DNS host (SPF, the DKIM CNAMEs, and DMARC are all published there)
- ✓ A DMARC record value (generate one with our free DMARC generator if you don't have one yet)
Step by step
1. Check your SPF record
Your domain needs one TXT record at the root containing include:spf.protection.outlook.com. Microsoft 365's standard value is v=spf1 include:spf.protection.outlook.com -all. Confirm it exists at your DNS host (the Microsoft 365 admin center → Settings → Domains → your domain → DNS records page lists the expected value) and keep all senders in a single SPF record.
2. Open DKIM settings in the Defender portal
Go to security.microsoft.com and navigate to Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM. Select your domain. If signing isn't enabled yet, Microsoft shows the two CNAME records you need.
3. Publish the two DKIM CNAMEs and enable signing
At your DNS host, add CNAME records for selector1._domainkey and selector2._domainkey pointing to selector1-<yourdomain>._domainkey.<tenant>.onmicrosoft.com and the matching selector2 value shown in the portal. Once they resolve, return to the DKIM page and switch Sign messages for this domain to Enabled.
4. Add the DMARC record at your DNS host
At your DNS host, add a TXT record with host _dmarc (most hosts append your domain automatically; if yours expects a fully qualified name, use _dmarc.yourdomain.com) and paste the DMARC value.
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected]; fo=1
5. Send a test email
Send a message from your Microsoft 365 mailbox to a Gmail address and use Gmail's Show original to confirm SPF, DKIM, and DMARC all show PASS.
6. Verify it's live
Run your domain through our free DMARC checker. If the record shows up and parses cleanly, you're done. The first aggregate reports typically arrive within 24-48 hours.
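An added example (not part of the original guide and not Microsoft tooling): an offline audit of the records from steps 1, 3 and 4, run over values you copy from your DNS host. The domain example.com, the tenant exampletenant, the report address and the function names are constructed placeholders. The CNAME check only confirms the target resembles the pattern above, so the value shown in the portal remains authoritative.

```python
# Audits (name, type, value) tuples copied by hand from a DNS host; TXT values unquoted.
SPF_INCLUDE = "include:spf.protection.outlook.com"

def parse_tags(value):
    """Split a DMARC value into ordered (tag, value) pairs."""
    parts = (p.partition("=") for p in value.split(";") if p.strip())
    return [(tag.strip().lower(), val.strip()) for tag, _, val in parts]

def audit(domain, records):
    """records: (name, type, value) tuples. Returns a list of problems."""
    def find(name, rtype):
        return [v for n, t, v in records if (n.lower().rstrip("."), t.upper()) == (name, rtype)]
    problems = []
    spf = [v for v in find(domain, "TXT") if v.lower().startswith("v=spf1")]
    if len(spf) != 1:  # all senders belong in a single SPF record
        problems.append(f"expected 1 SPF record, found {len(spf)}")
    elif SPF_INCLUDE not in spf[0].lower().split():
        problems.append(f"SPF record lacks {SPF_INCLUDE}")
    for sel in ("selector1", "selector2"):
        host = f"{sel}._domainkey.{domain}"
        target = "".join(find(host, "CNAME")[:1]).lower()
        if find(host, "TXT"):  # key material pasted as TXT breaks rotation
            problems.append(f"{host} is TXT; it must be a CNAME")
        elif not target:
            problems.append(f"{host} CNAME is missing")
        elif not target.startswith(sel + "-") or "._domainkey." not in target:
            problems.append(f"{host} target does not match the portal pattern")
    dmarc = find(f"_dmarc.{domain}", "TXT")
    if len(dmarc) != 1:
        problems.append(f"expected 1 DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags[:1] != [("v", "DMARC1")]:
            problems.append("DMARC record must start with v=DMARC1")
        policy = dict(tags).get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            problems.append(f"DMARC p= missing or invalid: {policy!r}")
    return problems

# Constructed sample zone (example.com and exampletenant are placeholders).
SAMPLE = [
    ("example.com", "TXT", "v=spf1 include:spf.protection.outlook.com -all"),
    ("selector1._domainkey.example.com", "TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER"),
    ("selector2._domainkey.example.com", "CNAME",
     "selector2-example-com._domainkey.exampletenant.onmicrosoft.com"),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=none; rua=mailto:reports@example.com; fo=1"),
]
if __name__ == "__main__":
    print(audit("example.com", SAMPLE) or "all checks passed")
```

The sample deliberately publishes selector1 as a TXT record, so the audit reports that one problem and nothing else.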
Check that it worked
Our free checker reads your domain's DMARC record live and explains every tag. Run it after the record saves.
Common mistakes
Enabling the DKIM toggle before the CNAMEs resolve
The Defender portal shows an error if selector1 and selector2 aren't published yet. Add both CNAMEs at your DNS host first, wait for them to resolve, then flip the toggle.
Adding the DKIM records as TXT instead of CNAME
Microsoft hosts the actual keys and rotates them for you; your records are CNAMEs pointing at Microsoft's copies. Pasting key material into TXT records at selector1._domainkey breaks rotation and verification.
Relying on the default onmicrosoft.com DKIM signature
Until you enable DKIM for your own domain, Microsoft signs with its onmicrosoft.com domain, which doesn't align with your From address. DMARC needs an aligned pass, so enable DKIM for your custom domain.
Frequently asked questions
- Where do I add the DMARC record, in Microsoft 365 or at my DNS host?
- At your DNS host. Microsoft 365 has no field for your DMARC policy; the Defender portal only manages DKIM signing. The _dmarc TXT record is published wherever your domain's DNS lives.
- What are selector1 and selector2?
- They are the two DKIM selectors Microsoft 365 uses so it can rotate signing keys without you touching DNS again. Both CNAMEs must exist even though only one is active at a time.
- Do I need DMARC on my onmicrosoft.com domain too?
- Microsoft manages authentication for the onmicrosoft.com fallback domain. Your DMARC record covers your custom domain, which is what customers see and what spoofers target.
The record is step one. The reports are the point
Publishing p=none starts a stream of XML reports about everyone sending as your domain. DMARCPath turns them into a plain-English dashboard and walks you to full protection at p=reject. One domain free.