Set up SPF, DKIM, DMARC for a domain with Microsoft 365 mailboxes

Amplemarket Dev

SPF, DKIM and DMARC are email security protocols that, once set up, prove your emails are legitimate, thus preventing them from being marked as spam.

 

SPF

Step 1: Find your Domain DNS management page

This is where your domain was bought and is managed (e.g. GoDaddy, Cloudflare, etc).

If you don't have access to the login credentials, share this guide with someone in your organization who does, usually the IT team, or the person that bought the domain.

You'll need access to the domain management page to set up SPF, DKIM and DMARC.

Step 2: Update or create an SPF record

Search for a TXT record starting with v=spf1:

  • If you find one: jump to the Update an SPF record section.
  • If you do not find any SPF record: go to the Create an SPF record section below.

Create an SPF record

  1. Add the new SPF record
    Type | Host | Value | TTL
    TXT Record | @ | v=spf1 include:spf.protection.outlook.com ~all | 5 min
  2. Make sure you Save Changes.
  3. Your record is now created. Move to Step 3: Validate your SPF setup.

Update an SPF record

To update the existing SPF record, you will need to add include:spf.protection.outlook.com to the record's Value field.

For example, your current record value may look like this:

v=spf1 ip4:1.2.3.4 include:thirdparty.com ~all

After the update, it should be this:

v=spf1 ip4:1.2.3.4 include:thirdparty.com include:spf.protection.outlook.com ~all

Step 3: Validate your SPF setup

If the validation fails, it may be because DNS changes can take a while to propagate. Try again in a couple of minutes.

Within Amplemarket

  1. Go to the Domain Health Center
  2. Find a mailbox for the domain you just configured, and press the Authentication cell
  3. Press Run tests to run an Authentication check
  4. Once completed, the SPF should now show as pass

Outside Amplemarket

If you don't have access to Amplemarket, you can verify that your SPF is correctly set up with a free tool like: https://mxtoolbox.com/spf.aspx

Common SPF Error Cases

Multiple SPF Records

You cannot have multiple SPF records for the same Host.

If you do, you will need to merge them into one.

For example, if you have 3 SPF records:

Type | Host | Value | TTL
TXT Record | @ | v=spf1 include:spf.protection.outlook.com ~all | 5 min
TXT Record | @ | v=spf1 ip4:1.2.3.4 ~all | 5 min
TXT Record | @ | v=spf1 include:thirdparty.com ~all | 5 min

You will need to merge them into just one by editing one of them and deleting the others. The final result should be a single record with v=spf1 for the @ Host.

Type | Host | Value | TTL
TXT Record | @ | v=spf1 ip4:1.2.3.4 include:thirdparty.com include:spf.protection.outlook.com ~all | 5 min
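
The merge described above can be scripted. This is an added example, not Amplemarket or Microsoft code; the function names and the extra non-SPF TXT value are assumptions made for illustration. It also refuses to merge records whose `all` terms disagree and checks the top-level terms against SPF's limit of 10 DNS lookups (RFC 7208); lookups inside included domains are not counted here.

```python
# Added example, not Amplemarket or Microsoft code.
# SAMPLE_TXT is constructed: the three SPF values from this guide plus an unrelated TXT value.
SAMPLE_TXT = [
    "v=spf1 include:spf.protection.outlook.com ~all",
    "v=spf1 ip4:1.2.3.4 ~all",
    "site-verification=constructed-value",
    "v=spf1 include:thirdparty.com ~all",
]
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_values(txt_values):
    """Return only the TXT values that are SPF records (more than one is an error)."""
    return [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]


def needs_dns_lookup(term):
    """True for terms that count toward SPF's limit of 10 DNS lookups (RFC 7208)."""
    name = term.lstrip("+-~?").lower()
    for sep in ":/=":
        name = name.split(sep, 1)[0]
    return name in LOOKUP_TERMS


def merge_spf(values):
    """Merge several SPF values for one host into a single record string."""
    terms, all_terms = [], []
    for value in values:
        parts = value.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {value!r}")
        for term in parts[1:]:
            bucket = all_terms if term.lstrip("+-~?").lower() == "all" else terms
            if term not in bucket:
                bucket.append(term)
    if len(all_terms) > 1:
        raise ValueError(f"conflicting 'all' terms, choose one: {all_terms}")
    terms.sort(key=needs_dns_lookup)  # stable: ip4/ip6 first, then lookup terms
    if sum(map(needs_dns_lookup, terms)) > 10:
        raise ValueError("more than 10 DNS-lookup terms at the top level")
    return " ".join(["v=spf1", *terms, *all_terms])


if __name__ == "__main__":
    print(merge_spf(spf_values(SAMPLE_TXT)))
```

The merged value lists the same terms as the record shown above; only the order of the two include terms differs, which does not change the result of the SPF check.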

Malformed SPF Record

This could be a typo or a misplaced element.

Copy and paste your record into this SPF syntax checker to help you find the issue: https://vamsoft.com/support/tools/spf-syntax-validator

DKIM

Step 1: Find your Domain DNS management page

This is where your domain was bought and is managed (e.g. GoDaddy, Cloudflare, etc).

If you don't have access to the login credentials, share this guide with someone in your organization who does, usually the IT team, or the person that bought the domain.

You'll need access to the domain management page to set up SPF, DKIM and DMARC.

Keep this page open as you'll need it later.

Step 2: Generate DKIM keys for Microsoft 365

  1. Go to https://admin.microsoft.com/Adminportal/Home#/Domains, search for your domain and press Manage DNS.
  2. Pick Add your own DNS records, then press Continue
  3. Go to Advanced Options and make sure you check the DKIM records option

Step 3: Create the DKIM DNS Records

    1. Copy the DKIM records you just generated from Microsoft's
    2. Add them as new CNAME records in your DNS management page that you opened earlier.
    3. Go back to Microsoft's admin panel and press the Continue button to complete the setup
    4. Continue may fail as it can take a couple of minutes (at worst hours) for Microsoft to recognize the new DNS records you just created. Please try again if that's the case.
    5. Finally you should see this page

Step 4: Validate your DKIM setup

If the validation fails, it may be because DNS changes can take a while to propagate. Try again in a couple of minutes.

Within Amplemarket

  1. Go to the Domain Health Center
  2. Find a mailbox for the domain you just configured, and press the Authentication cell
  3. Press Run tests to run an Authentication check
  4. Once completed, the DKIM should now show as pass

Outside Amplemarket

If you don't have access to Amplemarket, you can verify that your DKIM is correctly set up with a free tool like: https://mxtoolbox.com/dkim.aspx

Use selector1 and selector2 as the selector values

Common DKIM Error Cases

Malformed DKIM Records

This means the DKIM record has an incorrect format, usually caused by mistakenly adding an extra character. Please double check your records, and/or copy/paste them again.

Email body altered after DKIM signature

This can happen when there are special configurations on your email servers that change outgoing emails. It's best to contact your IT department about this issue, since it will affect deliverability.

DKIM Signed from different domain

Your emails have a DKIM signature that did not originate from your domain. This means you haven't performed the DKIM setup for your domain. Go to the DKIM setup section of this guide.

DKIM Signed with default Microsoft signature

Microsoft automatically signs all outgoing email with their default DKIM signature.

If you'd like to have an optimal setup for deliverability you can go to the DKIM setup section of this guide, to set up a DKIM signature coming from your domain.

DKIM Signature did not match

Your DKIM record is outdated and does not match the one that Microsoft is using.

Complete the steps in the DKIM setup section of this guide.


DMARC

Step 1: Find your Domain DNS management page 

This is where your domain was bought and is managed (e.g. GoDaddy, Cloudflare, etc).

If you don't have access to the login credentials, share this guide with someone in your organization who does, usually the IT team, or the person that bought the domain.

You'll need access to the domain management page to set up SPF, DKIM and DMARC.

Step 2: Create a DMARC Record

  1. Add a new DMARC record and save changes
    Type | Host | Value | TTL
    TXT Record | _dmarc | v=DMARC1; p=none; | 5 min
    You can learn more about the different DMARC policies in Microsoft's documentation.

Step 3: Validate your DMARC setup

If the validation fails, it may be because DNS changes can take a while to propagate. Try again in a couple of minutes.

Within Amplemarket

  1. Go to the Domain Health Center
  2. Find a mailbox for the domain you just configured, and press the Authentication cell
  3. Press Run tests to run an Authentication check
  4. Once completed, the DMARC should now show as pass

Outside Amplemarket

If you don't have access to Amplemarket, you can verify that your DMARC is correctly set up with a free tool like: https://mxtoolbox.com/dmarc.aspx

Common DMARC Error Cases

Multiple DMARC Records

Keep only one of the records and delete the others.

DMARC records are TXT type records, with _dmarc on the Host option.

Malformed DMARC Record

This could be a typo or a misplaced element.

Copy and paste your record into this DMARC syntax checker to help you find the issue: https://vamsoft.com/support/tools/dmarc-policy-validator

Malformed Email on the rua and/or ruf option

Your DMARC record has a rua and/or ruf option with a malformed email address.

Please check the syntax of the email address.

Copy and paste your record into this DMARC syntax checker to help you find the issue: https://vamsoft.com/support/tools/dmarc-policy-validator
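
The three DMARC error cases above (multiple records, a malformed record, a malformed rua/ruf address) can be checked locally before publishing. This is an added example, not Amplemarket or Microsoft code; `check_dmarc`, the simplified address pattern and the sample values in the comments are assumptions made for illustration.

```python
# Added example, not Amplemarket or Microsoft code.
import re

POLICIES = {"none", "quarantine", "reject"}
# Simplified address pattern (assumption): mailto:local@domain.tld with an
# optional "!<size>" report-size limit after the address.
MAILTO = re.compile(
    r"^mailto:[^@\s,;!]+@[a-z0-9-]+(\.[a-z0-9-]+)+(![0-9]+[kmgt]?)?$", re.I
)


def check_dmarc(txt_values):
    """Return a list of problems for the TXT values published on the _dmarc host."""
    records = [v for v in txt_values if v.strip().lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record found"]
    if len(records) > 1:
        return [f"multiple DMARC records ({len(records)}): keep one, delete the others"]
    problems, tags = [], {}
    for part in records[0].split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        if "=" not in part:
            problems.append(f"malformed tag: {part!r}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        tags[name.lower()] = value
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            uri = uri.strip()
            if uri and not MAILTO.match(uri):
                problems.append(f"{name}: malformed address {uri!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the second rua entry is missing its "mailto:" prefix.
    print(check_dmarc(["v=DMARC1; p=none; rua=mailto:dmarc@example.com,dmarc@example.com"]))
```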

 
