Skip to main content
New AI-powered DMARC analysis + open REST API See how →
Foundational 8 min read

DMARC for Office 365: Complete Setup Guide (2026)

Brad Slavin
Brad Slavin CEO
Updated April 14, 2026 | Updated for 2026

Quick Answer

To set up DMARC for Office 365: (1) configure SPF with include:spf.protection.outlook.com, (2) enable DKIM signing in the Microsoft 365 Defender admin center, (3) publish a DMARC TXT record at dmarc.yourdomain.com, (4) start monitoring aggregate rep

Related: Free DMARC Checker

Share
DMARC for Office 365: Complete Setup Guide (2026)

Try Our Free DMARC Checker

Validate your DMARC policy, check alignment settings, and verify reporting configuration.

Check DMARC Record →

**To set up DMARC for Microsoft 365 (Office 365), you need three DNS records: an SPF record with include:spf.protection.outlook.com, DKIM signing enabled via the Microsoft 365 Defender admin center, and a DMARC TXT record at _dmarc.yourdomain.com. Microsoft began enforcing DMARC for bulk senders in May 2025, following Google and Yahoo’s February 2024 mandate.

Per RFC 7489, DMARC requires SPF or DKIM to pass AND align with the From domain. Microsoft 365 supports both, but DKIM must be explicitly enabled — it’s not on by default for custom domains.

Step 1: Configure SPF for Office 365

Your SPF record must include Microsoft’s sending IPs:

yourdomain.com. IN TXT "v=spf1 include:spf.protection.outlook.com -all"

If you also send from other services (SendGrid, Mailchimp, etc.), chain the includes:

yourdomain.com. IN TXT "v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all"

Check your SPF record →

Step 2: Enable DKIM for Office 365

  1. Go to Microsoft 365 DefenderEmail & collaborationPolicies & rulesThreat policies → **DKIM 2. Select your domain
  2. Click **Enable to start DKIM signing
  3. If prompted, add the CNAME records Microsoft provides to your DNS

Microsoft generates two DKIM selectors (selector1._domainkey and selector2._domainkey) that point at Microsoft’s key infrastructure.

Verify your DKIM selectors →

Step 3: Publish Your DMARC Record

Add a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Use our DMARC Record Generator to build the record with custom settings.

Step 4: Monitor Reports

Point your rua= address at DMARC Report to automatically parse and visualize the aggregate reports Microsoft and other receivers send you.

Office 365 DMARC setup trips up most IT teams on the DKIM step — it’s not enabled by default for custom domains, and the Microsoft admin console buries it three levels deep, says Brad Slavin, CEO of DuoCircle. Once SPF + DKIM + DMARC are all in place, use DMARC Report to verify everything aligns before enforcing.

Check your DMARC record → Start monitoring with DMARC Report →

Topics

DMARC email security
Brad Slavin
Brad Slavin

CEO

Founder and CEO of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

LinkedIn Profile →

Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free — no credit card required.

Start Free Trial Check Your DMARC Record

Related Articles

Foundational 8m

10 Critical Learnings From Verizon’s 2021 DBIR — A DMARCReport Perspective

Foundational 12m

10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast

Foundational 12m

10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection

Foundational 12m

10 Reasons SPF Filtering Is Critical For Email Security