Introduction
Most MSP client tenants run Microsoft 365. Implementing DMARC for these clients follows the standard rollout but with M365-specific configuration steps. This article is the implementation guide.
Why this topic matters
Microsoft 365 makes most of the underlying authentication work simple — DKIM and SPF are configured in the admin center, not on a mail server. The MSP's value is in the rollout discipline and ongoing monitoring, not the technical setup.
The Microsoft 365 SPF baseline
Microsoft 365 publishes a standard SPF: v=spf1 include:spf.protection.outlook.com -all.
For tenants sending only through M365, that's the whole record. For tenants with additional senders (SaaS marketing, CRM), include: each sender's SPF, watching the 10-lookup limit.
Configuring DKIM in Microsoft 365
- Microsoft 365 Admin Center → Security → Threat policies → Email authentication settings → DKIM.
- Select the domain and click "Generate DKIM keys."
- Microsoft generates two selectors (
selector1,selector2) and provides CNAME records to add to DNS. - Publish the CNAMEs at
selector1._domainkeyandselector2._domainkey. - Wait for DNS propagation (5-30 minutes).
- Enable signing in the admin center.
The two selectors enable zero-downtime rotation — Microsoft rotates between them.
Publishing DMARC
A standard starting record:
“text v=DMARC1; p=none; rua=mailto:[email protected] “
Published at _dmarc.yourdomain.com. Move through the policy phases over 8-12 weeks.
Step-by-step approach for the rollout
- Audit current authentication. SPF, DKIM, DMARC current state.
- Enable Microsoft 365 DKIM if not already.
- Identify other senders. Marketing platforms, CRM, transactional services.
- Configure custom DKIM at each non-M365 sender.
- Publish DMARC at
p=nonewith reporting. - Monitor for 2-4 weeks.
- Move through quarantine to reject.
Microsoft 365-specific gotchas
- Default DKIM selectors are CNAMEs. Some DNS providers struggle with CNAME at underscore-prefixed names. Test before relying.
- Connectors and hybrid setups. Tenants with on-prem Exchange or third-party connectors need additional SPF inclusions.
- External senders signing as the domain. Watch for marketing or CRM platforms; each needs custom DKIM.
P=nonetop=rejectis straightforward for pure-M365 tenants. Complexity scales with sender count.
Best practices
- Test DKIM after enabling. Send a message to a Gmail account; verify
dkim=passand signing domain alignment. - Watch the SPF lookup count. M365 alone uses 3-4 lookups; budget the rest.
- Document custom selectors. When the marketing team adds Mailchimp, the DKIM selector goes in the runbook.
- Set up Microsoft 365 alerts for authentication issues.
- Pair with MTA-STS for transport security.
Recommended next step
For new M365 client tenants, add DMARC to the onboarding checklist. For existing tenants, audit and queue the rollout.
FAQ
Does Microsoft 365 sign all mail with DKIM by default?
Only if you've enabled it. Default is unsigned. Enable in the admin center.
What's the DKIM selector format?
selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com, CNAMing to Microsoft-provided targets.
Can I use a single DKIM selector instead of two?
No. M365 requires both for rotation.
What if the client uses a third-party MX with M365?
The SPF needs to include both. DKIM still works through M365 for outbound; the third-party handles inbound.
Does this work for Exchange Online Protection only?
Yes. Same authentication mechanics apply.
Final thoughts
DMARC for Microsoft 365 clients is one of the cleanest MSP engagements. The platform handles most of the heavy lifting; the MSP value is the rollout discipline and ongoing monitoring.
Standard playbook, predictable timeline, recurring revenue. The economics work.