Setting up email authentication for Microsoft 365 / Outlook

Microsoft 365 handles DKIM for your mailbox traffic, but its defaults leave DMARC unset and other tools unaccounted for.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

The one-paragraph version

Include M365 in SPF: include:spf.protection.outlook.com. DKIM: enable selector1/selector2 CNAMEs in Defender portal.

The full checklist

Step 1. Complete domain authentication inside the service (see above) and paste the DNS records it generates.
Step 2. Make sure your SPF record includes this service — and count your lookups: the limit is 10 and every service adds some.
Step 3. Publish DMARC with p=none and a rua address, watch reports for a week, confirm this sender shows 100% pass.
Step 4. Only then tighten the policy — quarantine, then reject.

Frequently asked

Will this change break my current sending?

No. Adding SPF includes and DKIM records only adds authentication — it never blocks existing mail. The only risky step is tightening your DMARC policy, and that comes later, after reports confirm everything passes.

How do I know it worked?

Send yourself a test email and inspect the headers for spf=pass, dkim=pass and dmarc=pass — or just watch your DMARCKeeper dashboard: the sender's pass rate should hit 100% within a day or two.

Do I still need DMARC if SPF and DKIM are set up?

Yes. SPF and DKIM authenticate mail; DMARC is what tells receivers to BLOCK mail that fails, and it's the piece Gmail, Yahoo and Outlook now check for explicitly.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →