Chat +1-888-563-5277 [email protected]

Microsoft 365 SPF and DKIM Configuration: step by step

Our informative post will help you find out how you can setup Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures on your Microsoft 365 email to eliminate spam from your domain and increase security.

Microsoft requires you to configure the following DNS records for your domain: Microsoft 365 SPF and DKIM.

SPF records allow receiving servers to check whether an email with the specified source domain was actually sent from a server authorized by the owner of this domain.

DKIM adds a digital signature to each message. This allows the receiving server to check if the message has been sent from an authorized sender, faked or changed upon delivery.

Setting up an SPF Record

In order to authorize Microsoft 365 to send emails on your domain behalf, you will need to create or update your SPF Record which includes the following mechanism: 

You can achieve this easily with our SPF Record Generator tool; here are the steps:

  1. Generate a new SPF Record with authorizing Microsoft 365


2. Copy the newly generated SPF Record

3. Update your DNS TXT Record for SPF at your domain provider (We will show examples with GoDaddy and Cloudflare)

E.g GoDaddy


E.g Cloudflare


4. Click Save

Important Note: Make sure you don’t create multiple SPF TXT records on one domain. If you do, SPF will return a PermError.

If you are using multiple IPs, ESPs, Third-Party services for your various email strategies, you should include them in a single SPF Record.

E.g v=spf1 ip4: ~all

Configuring DKIM for Microsoft 365

  1. Choose Admin from your Office365 portal


2. In the Admin Center, choose ‘Exchange’

3. Go to protection -> DKIM


4. Create CNAME Records

Host name: selector1._domainkey

Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>

TTL: 3600

Host name: selector2._domainkey

Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>

TTL:  3600

Important Notes:

  • <domainGUID> is in the MX record for your custom domain that appears before For example, in the following MX record for the domain, the domainGUID is company-com: 3600 IN MX 0

  • <initialDomain> is the domain that you used when you signed up for Microsoft 365. Initial domains always end in

For example, if you have an initial domain of, and a custom domain “”, you will need to add CNAME Records as:

Host name: selector1._domainkey

Points to address or value:

TTL: 3600


Host name: selector2._domainkey

Points to address or value:

TTL:  3600

5. Add CNAME Records in your DNS Zone

6. Select the domain that you want to authenticate, and click Enable


7. After successful implementation, you should see:


Congrats, you now successfully authenticated your outgoing mail stream from Office365 with SPF and DKIM. 

Business email compromise (BEC) - 2021 Cybersecurity Problem

Security analysis and predictions for 2021 show that there will be dramatic increases in the number of phishing attacks against cloud-based email. Risk management and security leaders must ensure their solutions stay up-to-date for this changing landscape to protect against cyber attacks. EasyDMARC stays...

Read More

How to explain DKIM in plain English?

DKIM allows the recipient server to make sure (or to verify) that the received message was sent by the genuine sender of the associated domain and that content of the original message was not altered on its way. So let's figure out how to...

Read More

No SPF Record Found: how to fix SPF record issues?

What is an SPF Record? This is a special DNS TXT Record. It lists the IP addresses from which you can send emails on behalf of the domain. How to set up an SPF Record and what happens if there is “No SPF Record...

Read More