---
title: "Definitive Guide to Microsoft 365 SPF & DKIM Configuration | AutoSPF"
description: "At AutoSPF, our mission is simple: help organizations optimize email deliverability and security with the right sender authentication setup."
image: "https://autospf.com/og/blog/definitive-guide-to-microsoft-365-spf-dkim-configuration.png"
canonical: "https://autospf.com/blog/definitive-guide-to-microsoft-365-spf-dkim-configuration/"
---

Quick Answer

At AutoSPF, our mission is simple: help organizations optimize email deliverability and security with the right sender authentication setup. In this comprehensive guide, we’ll walk you through step-by-step how to configure SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for your Microsoft 365 environment.

## Try Our Free DKIM Lookup

Auto-discover DKIM selectors for any domain.

[ Discover DKIM Selectors → ](/tools/dkim-lookup/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fdefinitive-guide-to-microsoft-365-spf-dkim-configuration%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Definitive%20Guide%20to%20Microsoft%20365%20SPF%20%26%20DKIM%20Configuration&url=https%3A%2F%2Fautospf.com%2Fblog%2Fdefinitive-guide-to-microsoft-365-spf-dkim-configuration%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fdefinitive-guide-to-microsoft-365-spf-dkim-configuration%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fdefinitive-guide-to-microsoft-365-spf-dkim-configuration%2F&title=Definitive%20Guide%20to%20Microsoft%20365%20SPF%20%26%20DKIM%20Configuration "Share on Reddit") [ ](mailto:?subject=Definitive%20Guide%20to%20Microsoft%20365%20SPF%20%26%20DKIM%20Configuration&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fdefinitive-guide-to-microsoft-365-spf-dkim-configuration%2F "Share via Email") 

![SPF & DKIM Configuration](https://media.mailhop.org/autospf/images/2025/12/multiple-spf-records-0744.jpg) 

At [AutoSPF](/), our mission is simple: help organizations optimize email deliverability and security with the right sender authentication setup. In this comprehensive guide, we’ll walk you through step-by-step how to configure SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for your Microsoft 365 environment.

_Microsoft 365’s SPF include (`include:spf.protection.outlook.com`) chains to multiple nested records and typically consumes 2-3 of the 10 DNS lookups allowed by [RFC 7208 §4.6.4](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4). Adding other senders alongside Microsoft requires careful lookup budgeting._

Whether you’re new to SPF/DKIM, a seasoned admin, or somewhere in between, this post will give you both _why_ and _how_ \- not just checklists - so you can confidently strengthen your email authentication posture and reduce fraud, [spoofing, and spam](https://www.scworld.com/brief/fbi-us-officials-spoofed-in-ongoing-voice-sms-phishing-campaign).

## Why SPF & DKIM Matter for Microsoft 365

Before jumping into configuration steps, let’s make sure we understand _what_ SPF and DKIM do - and _why_ they’re critical for Microsoft 365 mail.

### SPF: Telling the World Who Can Send for Your Domain

SPF is a [DNS TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) that lists all mail servers authorized to send email on behalf of your domain. When a receiving email system checks SPF, it verifies that the sending server’s IP or domain is included in your [SPF record](/blog/what-spf-records-are-and-how-they-protect-email-domains/).

- If the sending IP is listed, SPF passes.
- If not, SPF fails - and the receiving server may reject or flag the email as spam.

Without SPF properly set up, your legitimate Microsoft 365 messages might fail authentication checks and get blocked or [spam-filtered](https://www.fortinet.com/resources/cyberglossary/spam-filters) \- hurting deliverability and brand trust. 

### DKIM: Cryptographic Signing for Message Integrity

DKIM works differently. Instead of a TXT record listing senders, DKIM uses [public key](https://www.investopedia.com/terms/p/public-key.asp) cryptography to cryptographically sign emails.

- Microsoft 365 generates [private keys](https://www.techtarget.com/searchsecurity/definition/private-key) used by its mail servers.
- You publish corresponding public keys in DNS as CNAME records.
- Receiving servers check the [DKIM signature](https://docs.mapp.com/docs/dkim-signature) against your public key.

_If the signature matches, the message is verified as authentic and hasn’t been tampered with in transit._ This is especially important for defending against sophisticated phishing and domain spoofing.

![Cryptographic Signing for Message Integrity](https://media.mailhop.org/autospf/images/2025/12/kitterman-spf-0997.jpg) 

When both SPF and DKIM are properly in place, Microsoft 365 mail has a much stronger standing in modern authentication flows like DMARC - significantly improving deliverability and trust.

## Part 1: Configuring SPF for Microsoft 365

### Step 1 - Understand Your Domain’s Email Sources

The first thing you must do before making changes is inventory all email sources that send mail using your domain:

✔ Microsoft 365 ✔ CRM tools ✔ Marketing automation platforms ✔ Transactional email services ✔ Legacy mail systems

Every service that sends email on your domain’s behalf must be included in your SPF record - otherwise, SPF checks can fail. 

### Step 2 - Build a Correct SPF Record

A basic SPF record for Microsoft 365 includes the Outlook protection servers:

```
v=spf1 include:spf.protection.outlook.com ~all
```

Let’s break this down:

- v=spf1 - SPF versio
- include:spf.protection.outlook.com - authorizes Microsoft 365 mail
- \~all - soft fail for other sources not listed

Use \~all (soft fail) during rollout to avoid legitimate mail being rejected while you verify everything. Once you’re confident everything is covered, you can change to -all (hard fail). 

### Step 3 - Add All Other Mail Services

If other platforms send mail on behalf of your domain, they _must_ be included in the same SPF TXT record - _do not create multiple SPF records_ or [SPF lookups](/blog/what-is-an-spf-lookup-and-why-it-matters/) will fail (resulting in a PermError).

A combined SPF record might look like:

```
v=spf1 include:spf.protection.outlook.com include:mailgun.org include:sendgrid.net ~all
```

💡 Tip: Keep your SPF record under the DNS lookup limit (10 includes) to avoid failures.

### Step 4 - Publish the SPF Record in DNS

1. Go to your DNS provider dashboard.
2. Create or edit a TXT record for the domain with:
- Name/Host = @ (or blank based on provider)
- Value = your SPF string
1. Save and wait for propagation (most DNS updates complete within a few hours, though 48 hours is typical).
![Email phishing](https://media.mailhop.org/autospf/images/2025/12/spf-record-syntax-0665.jpg) 

### Step 5 - Monitor and Validate SPF

You can test your SPF record using tools like _AutoSPF’s SPF Validator_, MXToolbox, or DNS reporting tools to confirm it passes checks and includes all expected senders.

## Part 2: Configuring DKIM for Microsoft 365

### Step 1 - Access the Microsoft 365 DKIM Page

1. Sign in to your Microsoft 365 Admin or Microsoft Defender portal.
2. Search for “[DKIM](/blog/how-dkim-works-a-comprehensive-guide-to-email-authentication/)” or go directly to the DKIM configuration page.

From here, Microsoft will show you a _Prepare DKIM_ interface where you can enable DKIM for your domains and generate DNS records.

### Step 2 - Enable DKIM and Retrieve CNAMEs

When you click to Enable DKIM, Microsoft 365 will generate two selector records.

These look like:

selector1.\_domainkey.yourdomain.com

selector2.\_domainkey.yourdomain.com

And they point to corresponding Microsoft 365 hosted DKIM endpoints, unique to your tenant. 

### Step 3 - Add DKIM CNAME Records to DNS

In your DNS provider:

1. Add a CNAME record:
- Host: selector1.\_domainkey
- Points to: selector1-yourdomain-dkim-value provided by Microsoft
1. Add a second CNAME for selector2:
- Host: selector2.\_domainkey
- Points to: selector2-yourdomain-dkim-value provided by Microsoft

These CNAME entries allow Microsoft to serve your DKIM public keys from their infrastructure.

### Step 4 - Enable Signing in Microsoft 365

After adding and saving both [CNAME records](https://www.bigrock.in/blog/how-tos/learning-and-resources/understanding-the-role-of-cname-records-in-dns):

1. Return to the Microsoft Defender DKIM dashboard.
2. Click Enable again.
3. If DNS has propagated and both records resolve correctly, DKIM will activate successfully.
![Configuring DKIM for Microsoft 365](https://media.mailhop.org/autospf/images/2025/12/spf-record-tester-5224.jpg) 

You should see active status (often with a green check) for both selectors.

## How Do You Troubleshoot DKIM Issues?

✔ DNS records not resolving?

- DNS propagation may still be in progress (up to 48 hours).

✔ DKIM still not active after time?

- Verify there are no typos in the CNAME host or target records.

✔ Emails without DKIM signatures?

- DKIM signing must be toggled _on_ in Microsoft Defender - not just published in DNS.

## Optional: DMARC for Full Protection (Recommended)

While the focus here is SPF & DKIM, DMARC ties them together and tells receiving servers what to _do_ if a message fails your SPF/DKIM checks.

A basic DMARC TXT record looks like:

```
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
```

Start with p=none so you can monitor failures before enforcing stricter policies. Once you confirm everything is working, you can move to quarantine or reject. 

## What Are Common Microsoft 365 SPF Mistakes We See at AutoSPF?

Even organizations that believe they’ve “set SPF correctly” often run into hidden issues. At AutoSPF, we routinely audit Microsoft 365 domains and uncover problems that quietly damage deliverability.

### 1\. Multiple SPF Records (The Silent Killer)

One of the most common SPF misconfigurations is publishing more than one SPF TXT record for the same domain. DNS will allow it - but SPF validation will not.

When a receiving server sees multiple SPF records, it returns a PermError, which is treated as a failure. This can cause legitimate Microsoft 365 messages to land in spam or be rejected outright.

✔ Always consolidate all sending services into a single SPF record✔ Never publish separate SPF records for different tools

AutoSPF strongly recommends auditing DNS regularly to ensure only one SPF record exists.

![DMARC for Full Protection](https://media.mailhop.org/autospf/images/2025/12/spf-validator-2235.jpg) 

### 2\. Exceeding the SPF 10-Lookup Limit

SPF has a strict limit of 10 DNS lookups during evaluation. Each include, a, mx, or redirect mechanism can count toward this total.

Microsoft 365’s include alone consumes multiple lookups. Add a few marketing platforms, [CRMs](https://www.coursera.org/articles/what-is-a-crm), or transactional services - and suddenly SPF breaks.

When the lookup limit is exceeded:

- SPF returns a PermError
- Authentication fails
- DMARC alignment can fail too

This is where SPF flattening or automation becomes critical for scaling email programs without breaking deliverability.

### 3\. Using -all Too Early

While -all (hard fail) is best practice long-term, using it too early can block legitimate email.

If you’re still:

- Adding new tools
- Unsure of all senders
- Migrating to Microsoft 365

Start with \~all, monitor authentication results, and only move to -all once you’re confident everything is authorized.

## Topics

[ DKIM ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ SPF ](/tags/spf/)[ SPF record ](/tags/spf-record/) 

![Vishal Lamba](https://media.mailhop.org/autospf/images/authors/vishal-lamba.jpg) 

[ Vishal Lamba ](/authors/vishal-lamba/) 

Content Specialist

Content Specialist at AutoSPF. Writes vendor-specific SPF configuration guides and troubleshooting walkthroughs.

[LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) 

## Ready to get started?

Try AutoSPF free — no credit card required.

[ Book a Demo ](/book-a-demo/) 

## Related Articles

[  Intermediate 3m  3 points to consider before setting your SPF record to -all (HardFail)  May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[  Intermediate 6m  6 Best practices for maintaining an SPF record  Jun 5, 2025 ](/blog/6-best-practices-for-maintaining-an-spf-record/)[  Intermediate 3m  Adding your SPF record to your domain provider  Sep 2, 2024 ](/blog/adding-your-spf-record-to-your-domain-provider/)[  Intermediate 5m  Are Your SPF and DKIM Identifiers Aligned?  Jul 18, 2024 ](/blog/are-your-spf-and-dkim-identifiers-aligned/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"Definitive Guide to Microsoft 365 SPF & DKIM Configuration","description":"At AutoSPF, our mission is simple: help organizations optimize email deliverability and security with the right sender authentication setup.","url":"https://autospf.com/blog/definitive-guide-to-microsoft-365-spf-dkim-configuration/","datePublished":"2025-12-24T17:12:49.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2025-12-24T17:12:49.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://autospf.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes AutoSPF's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/autospf/images/authors/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/definitive-guide-to-microsoft-365-spf-dkim-configuration/"},"articleSection":"intermediate","keywords":"DKIM, DMARC, SPF, SPF record","wordCount":1322,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2025/12/multiple-spf-records-0744.jpg","caption":"SPF & DKIM Configuration","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Definitive Guide to Microsoft 365 SPF & DKIM Configuration","item":"https://autospf.com/blog/definitive-guide-to-microsoft-365-spf-dkim-configuration/"}]}
```