Introduction
A practical setup guide for getting DMARC running on a Microsoft 365 tenant — applicable for the tenant admin running a single-domain rollout. Companion to the MSP-focused version.
SPF setup
Standard tenant SPF:
```text
v=spf1 include:spf.protection.outlook.com -all
```
If you have additional senders (marketing, transactional), add an include: for each, and watch the 10-DNS-lookup limit (RFC 7208): include:, a, mx, ptr, exists and redirect= each cost one lookup, and the lookups inside the records you include count too. Exceed it and receivers return permerror, which most treat as an SPF fail.
Publish it as a single TXT record at the apex domain (yourdomain.com). A domain may have only one SPF record, so merge new senders into it rather than adding a second TXT.
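The lookup budget is the part of the SPF step that bites later, when a marketing or CRM vendor is added. The following is an added example, not code from the original guide: it counts the DNS-querying terms in an SPF record the way a receiver would, recursing into include: and redirect= targets, against a constructed in-memory zone table so it runs offline. The spf.protection.outlook.com entry and the *.outlook.test, *.marketing.example and _spf.crm.example names are constructed stand-ins, not Microsoft's or any vendor's real records; swap the zone dict for TXT lookups from a real resolver to audit a production domain.

```python
"""Count the DNS lookups an SPF record costs (RFC 7208 s4.6.4 caps it at 10).

Added example, not code from the original guide. It walks a constructed
in-memory zone table instead of live DNS so it runs offline; replace the `zone`
dict with TXT lookups from a real resolver to check a production domain.
"""
from typing import Dict, List, Tuple

MAX_LOOKUPS = 10
# Terms that each cost one DNS query when evaluated; ip4/ip6/all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone. The real spf.protection.outlook.com record changes over
# time; the nested *.outlook.test entries are stand-ins, not Microsoft's data.
SAMPLE_ZONE: Dict[str, str] = {
    "example.com": "v=spf1 include:spf.protection.outlook.com include:_spf.marketing.example -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 include:spf-a.outlook.test include:spf-b.outlook.test -all",
    "spf-a.outlook.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "spf-b.outlook.test": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.marketing.example": "v=spf1 include:a.marketing.example include:b.marketing.example include:c.marketing.example ~all",
    "a.marketing.example": "v=spf1 ip4:203.0.113.0/26 -all",
    "b.marketing.example": "v=spf1 ip4:203.0.113.64/26 -all",
    "c.marketing.example": "v=spf1 mx -all",
    "_spf.crm.example": "v=spf1 a mx include:a.marketing.example include:b.marketing.example -all",
}
# The same tenant after a CRM vendor is added with a plain include:.
EXTENDED_ZONE = dict(SAMPLE_ZONE)
EXTENDED_ZONE["example.com"] = (
    "v=spf1 include:spf.protection.outlook.com include:_spf.marketing.example "
    "include:_spf.crm.example -all"
)


def parse_terms(record: str) -> List[Tuple[str, str]]:
    """Split an SPF record into (name, argument) pairs, dropping qualifiers."""
    terms = []
    for tok in record.split()[1:]:        # [0] is the v=spf1 version tag
        tok = tok.lstrip("+-~?")          # the qualifier never changes lookup cost
        if "=" in tok:                    # modifier, e.g. redirect=_spf.example
            name, arg = tok.split("=", 1)
        elif ":" in tok:                  # mechanism with a target, e.g. include:x
            name, arg = tok.split(":", 1)
        else:                             # bare mechanism: a, mx, all, a/24
            name, arg = tok, ""
        terms.append((name.split("/")[0].lower(), arg))
    return terms


def count_lookups(domain: str, zone: Dict[str, str],
                  _path: Tuple[str, ...] = ()) -> Tuple[int, List[str]]:
    """Return (lookups, trail) for `domain`, recursing into include:/redirect= targets."""
    if domain in _path:
        raise ValueError(f"include/redirect loop via {domain}")
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total, trail = 0, []
    for name, arg in parse_terms(record):
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        trail.append(f"{domain}: {name}{':' + arg if arg else ''}")
        if name in ("include", "redirect"):   # nested records are evaluated, so their cost counts
            sub, sub_trail = count_lookups(arg, zone, _path + (domain,))
            total += sub
            trail.extend(sub_trail)
    return total, trail


def check_spf(domain: str, zone: Dict[str, str]) -> dict:
    """Summarise whether `domain` stays inside the 10-lookup budget."""
    lookups, trail = count_lookups(domain, zone)
    return {"domain": domain, "lookups": lookups,
            "within_limit": lookups <= MAX_LOOKUPS, "trail": trail}


if __name__ == "__main__":
    for zone in (SAMPLE_ZONE, EXTENDED_ZONE):
        result = check_spf("example.com", zone)
        print(f"{result['domain']}: {result['lookups']} lookups, within limit: {result['within_limit']}")
        for line in result["trail"]:
            print("  ", line)
```

With the constructed zone, Microsoft plus the marketing platform costs 8 lookups, and the one extra include: for the CRM vendor pushes the domain to 13 because that vendor's own record nests a, mx and two more includes. The trail shows exactly which nested terms spent the budget, which is what you need when deciding whether to flatten a vendor include into ip4: ranges.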
DKIM setup
- Microsoft Defender portal (security.microsoft.com) → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM.
- Select your domain, click "Create DKIM keys."
- Microsoft generates two CNAME records, selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com, each pointing at a Microsoft-hosted name of the form selector1-<domain with dots replaced by dashes>._domainkey.<tenant>.onmicrosoft.com.
- Publish both CNAMEs at the indicated names, exactly as shown; the public keys live on Microsoft's side, so you never publish key material yourself.
- Wait until both CNAMEs resolve (typically about 30 minutes, longer with high DNS TTLs), then enable signing. The enable step fails until both records resolve.
DMARC setup
Publish at _dmarc.yourdomain.com:
```text
v=DMARC1; p=none; rua=mailto:[email protected]
```
Start at p=none: receivers still send aggregate reports, but delivery is unchanged. Advance to p=quarantine and then p=reject as the rollout phases below are completed; pct= lets you apply enforcement to a fraction of mail first.
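A typo in the DMARC record (p= missing, v= not first, a bad pct=) means receivers silently ignore the policy, and an rua= address at a third-party platform only works if that platform has authorised your domain. The following is an added example, not code from the original guide: it parses a DMARC record into tags, checks the constraints that matter for publication, and flags report destinations outside your organisational domain so you remember to confirm the vendor's authorisation record. The domain names and addresses used are constructed samples.

```python
"""Parse and sanity-check a DMARC record before publishing it (RFC 7489 s6.3).

Added example, not code from the original guide; string handling only, no DNS.
The domain names and addresses used below are constructed samples.
"""
from typing import List

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # a trailing ';' is legal
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def report_domains(uri_list: str) -> List[str]:
    """Domains of the mailto: URIs in an rua=/ruf= value (comma separated, optional !size suffix)."""
    domains = []
    for uri in uri_list.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"unsupported report URI {uri!r}")
        address = uri[len("mailto:"):].split("!", 1)[0]   # drop a size limit such as !10m
        if "@" not in address:
            raise ValueError(f"bad address in {uri!r}")
        domains.append(address.rsplit("@", 1)[1].lower())
    return domains


def check_dmarc(domain: str, record: str) -> dict:
    """Return the tags, whether the record is publishable, and any external report destinations."""
    domain = domain.lower()
    errors = []
    tags = parse_dmarc(record)

    first = record.split(";", 1)[0].split("=", 1)[0].strip().lower()
    if first != "v" or tags.get("v") != "DMARC1":
        errors.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        errors.append("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        errors.append("sp= must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ALIGNMENT:
            errors.append(f"{tag}= must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        errors.append("pct= must be an integer 0-100")

    external = []
    if "rua" not in tags:
        errors.append("rua= missing: you will receive no aggregate reports to monitor with")
    else:
        try:
            destinations = report_domains(tags["rua"])
        except ValueError as exc:
            errors.append(str(exc))
            destinations = []
        for dest in destinations:
            # A destination outside the organisational domain must opt in by publishing
            # <domain>._report._dmarc.<dest> TXT "v=DMARC1", or receivers drop the reports.
            if dest != domain and not dest.endswith("." + domain):
                external.append(dest)

    return {
        "tags": tags,
        "policy": tags.get("p"),
        "enforcing": tags.get("p") in {"quarantine", "reject"},
        "external_report_domains": external,
        "errors": errors,
        "ok": not errors,
    }


if __name__ == "__main__":
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; pct=50; rua=mailto:example.com@reports.dmarc-vendor.test!10m; adkim=s",
        "p=none; v=DMARC1; rua=mailto:dmarc@example.com",
    ):
        result = check_dmarc("example.com", rec)
        print(rec, "->", "OK" if result["ok"] else result["errors"], result["external_report_domains"])
```

Run it against the record you intend to publish before you touch DNS. The external-destination list is not an error, only a reminder: for each domain it names, query <yourdomain>._report._dmarc.<that domain> and confirm a v=DMARC1 TXT exists there, otherwise the reports never arrive.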
Step-by-step approach
- Audit current state.
- SPF, DKIM, DMARC in order.
- Monitor for 2-4 weeks.
- Identify additional senders.
- Move to enforcement.
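The "identify additional senders" step is done by reading the aggregate reports that p=none brings in, which arrive as zipped XML attachments at the rua= address. The following is an added example, not code from the original guide: it parses a report in the RFC 7489 Appendix C schema and splits sources into three buckets, DMARC pass, "unaligned" (the sender authenticated, but as its own domain, which is the signature of a legitimate third-party platform that still needs an include: or a DKIM CNAME), and outright fail. The report embedded below is constructed for the example; its IPs, domains and counts are not real data.

```python
"""Summarise a DMARC aggregate (rua) report to find unauthenticated senders.

Added example, not code from the original guide. SAMPLE_REPORT is a constructed
report in the RFC 7489 Appendix C schema; real reports arrive as .zip or .gz
attachments and can be fed to parse_aggregate() once extracted.
"""
import xml.etree.ElementTree as ET
from typing import List

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.test</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <!-- Exchange Online: DKIM signed with selector1, SPF aligned -->
  <record>
    <row><source_ip>40.92.10.1</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- Marketing platform: authenticates as its own domain, so nothing aligns with example.com -->
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>bounce.marketing.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.marketing.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- Unknown host spoofing the domain: nothing passes at all -->
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate(xml_text: str) -> dict:
    """Flatten a feedback report into one dict per <record>."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        raw = []   # (mechanism, domain, result) as the receiver saw it, before alignment
        if auth is not None:
            for mech in ("dkim", "spf"):
                for el in auth.findall(mech):
                    raw.append((mech, (el.findtext("domain") or "").lower(), el.findtext("result")))
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count") or 0),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",   # aligned DKIM pass
            "spf_aligned": evaluated.findtext("spf") == "pass",     # aligned SPF pass
            "raw_auth": raw,
        })
    return {"org": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"), "rows": rows}


def classify(row: dict) -> str:
    """pass: DMARC passed. unaligned: something authenticated, but for another
    domain (a third-party sender not yet set up). fail: nothing authenticated."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "pass"
    if any(result == "pass" for _, _, result in row["raw_auth"]):
        return "unaligned"
    return "fail"


def summarize(report: dict) -> dict:
    """Message totals per outcome plus the sources that need attention, largest first."""
    totals = {"pass": 0, "unaligned": 0, "fail": 0}
    suspects: List[dict] = []
    for row in report["rows"]:
        outcome = classify(row)
        totals[outcome] += row["count"]
        if outcome != "pass":
            suspects.append({"source_ip": row["source_ip"], "count": row["count"], "outcome": outcome,
                             "authenticated_as": sorted({d for _, d, r in row["raw_auth"] if r == "pass"})})
    suspects.sort(key=lambda s: -s["count"])
    return {"domain": report["domain"], "policy": report["policy"], "totals": totals, "suspects": suspects}


if __name__ == "__main__":
    summary = summarize(parse_aggregate(SAMPLE_REPORT))
    print(summary["domain"], summary["totals"])
    for s in summary["suspects"]:
        print(f"  {s['source_ip']:16} {s['count']:5} {s['outcome']:10} authenticated as: {s['authenticated_as'] or '-'}")
```

The "unaligned" bucket is the one to work through before moving to enforcement: the authenticated_as domain usually names the platform, and the fix is an include: for it in SPF or a DKIM CNAME the platform provides so it signs as your domain. Sources in the "fail" bucket with no recognisable owner are what p=quarantine and p=reject will stop.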
Best practices
- Publish both DKIM selector CNAMEs. Microsoft signs with one selector and rotates keys onto the other, so a missing selector2 record means signatures break at the next rotation.
- Re-check the SPF lookup count every time a marketing or transactional sender is added; vendor includes nest further includes and the budget is spent faster than it looks.
- Pair with MTA-STS (and TLS-RPT for reporting) so inbound transport is TLS-enforced; DMARC authenticates the sender, it does nothing for transport.
- Configure Defender for inbound enforcement: in the anti-phishing policy, set spoof detections to honor the sender's DMARC policy (quarantine or reject as published) rather than downgrading them to the junk folder.
- Document the runbook.
Recommended next step
For M365 tenants without DMARC, the hands-on setup is 1-2 hours of admin time; the 2-4 week monitoring period before enforcement is additional. Start with SPF and DKIM in the admin center.
FAQ
How long does Microsoft DKIM setup take?
About 30 minutes to generate the keys and publish the two CNAMEs, plus up to 30 minutes of propagation (longer if your DNS TTLs are high) before signing can be enabled.
Does this work for E5 vs. E3?
Same setup; the underlying DKIM mechanism is part of EOP.
What about hybrid Exchange?
Hybrid adds complexity: on-premises Exchange does not DKIM-sign, so mail that leaves directly from on-premises servers carries no signature and must be covered by SPF alone. Route outbound mail through Exchange Online for clean signing, or treat the on-premises egress IPs as an additional sender in SPF.
Can I use third-party DMARC platform?
Yes: point rua= at the platform's address. Because that address is outside your domain, the platform must publish an authorization record at yourdomain.com._report._dmarc.<platform domain> (a TXT containing v=DMARC1); without it, receivers discard the reports. Most platforms publish this for every customer domain, but verify it before you rely on the reports.
What about M365 GCC / GCC High?
Similar setup; the portal URLs and menu paths differ slightly, and the Microsoft-hosted CNAME targets and SPF include are still issued from the DKIM page for your tenant, so copy them from there rather than from a commercial-cloud example.
Final thoughts
M365 DMARC is one of the easiest enterprise setups. Microsoft handles most of the underlying authentication; configure once and monitor.