How to Set Up SPF, DKIM, and DMARC in Office 365 Cloud?
If you are new to Microsoft 365 and still unsure how to set up SPF, DKIM, and DMARC in Office 365, this post walks through all three.
It covers configuring all three authentication records so that other mail systems can tell mail genuinely sent from your domain apart from spoofed, phishing, and other fraudulent messages that impersonate it.
Publishing these records for your M365 domain does two things: receiving servers (including Exchange Online Protection for your own tenant) can reject or quarantine mail that forges your domain, and they can see that mail actually sent from your domain is legitimate.
Together, these records improve the odds that the messages your users send land in the inbox rather than the spam folder. They do not guarantee delivery on their own, but without them a domain's mail is far more likely to be filtered.
Before we begin, let us get an overview of what these records are and why it is necessary to set them up.
What are SPF, DKIM, and DMARC in Office 365?
First, the purpose of each component. These three together form the three pillars of email authentication, not just in M365 but in any email deployment.
Their roles complement one another rather than replace one another, so do not skip any of them. Leaving one out leaves a gap that spoofers can use against your domain.
SPF stands for Sender Policy Framework. Essentially, it is a list of all servers that are approved for sending email for your domain. A DNS TXT record on the domain specifies which servers may send on its behalf; for Microsoft 365 that is expressed with the mechanism include:spf.protection.outlook.com.
SPF checks the connecting server's IP address against the domain in the SMTP envelope sender (MAIL FROM, shown as Return-Path in the delivered message). It does not look at the From header that users actually see. An attacker can therefore pass SPF with a domain they control in the envelope while placing your domain in the visible From address. That gap is why a second method was needed, and DKIM is that method.
DomainKeys Identified Mail, or DKIM for short, adds a DKIM-Signature header to each outgoing message. You might ask how an extra header helps against spoofing. The answer is that the header carries a digital signature (not encryption) over selected headers and the body, produced with a private key that only the sending server holds.
Recipients fetch the matching public key from a DNS TXT record at <selector>._domainkey.<signing domain> and verify the signature. If any signed part of the message was altered in transit, verification fails, so tampering is easy to detect and block. However, DKIM on its own does not require the signing domain (the d= tag) to match the From header, and neither SPF nor DKIM tells a receiver what to do when a check fails. That is what DMARC adds.
Domain-based Message Authentication, Reporting, and Conformance is, in fact, a policy layer on top of the other two.
DMARC passes when at least one of SPF or DKIM passes and the domain it passed for aligns with the domain in the From header. If neither check passes with alignment, the DMARC record's policy tells the receiving server what to do with the message. DMARC also adds a reporting mechanism, so receivers send you reports about who is sending email claiming to be from your domain and whether it authenticated.
Despite being such a critical protection, DMARC adoption remains low: a recent survey found it published on fewer than 20% of domains.
Preconditions to Set Up SPF, DKIM, and DMARC in Office 365
Not every user in an organization has the privileges needed to configure domain authentication. Here is a short checklist of what you need for a hurdle-free setup.
Administrator Credentials for the Office 365 Tenant: an account with a role that can manage email authentication in the Microsoft 365 Defender portal, such as Global Administrator or Security Administrator.
Admin Access to the DNS Host: several steps require logging in to the DNS provider's management page and creating records for the domain. You need credentials for that account, not just for Microsoft 365.
Verified Custom Domain: the steps below assume you have already added and verified the custom domain in your O365 tenant. If not, complete domain verification first and then return to these instructions.
Once you have fulfilled every prerequisite, start with the Sender Policy Framework settings.
How to Set Up SPF Record in Office 365 Step by Step?
Although Microsoft's official documentation states that SPF alone is not sufficient to protect your domain against modern threats, it is still the foundation that the other records build on.
SPF tells every other domain on the internet that Microsoft's servers are authorised to send email on your behalf. Here is how you make that announcement:
Start by logging in to the DNS hosting provider’s website.
Then go to the DNS settings area
Request a new TXT record and fill in the fields with the following data
- Type: TXT
- Host/Name: @ (or your domain name, depending on your provider)
- Value: v=spf1 include:spf.protection.outlook.com -all
- TTL (Time to Live): 1 hour or 3600 seconds is a common setting.
Note the "-all" at the end. This is the SPF hard-fail qualifier: it tells receivers that any server not listed in the record is not authorised, so mail from elsewhere that claims your domain should fail SPF. The softer "~all" (softfail) is sometimes used while testing, but "-all" is the intended end state.
A domain must have exactly one SPF record; publishing two "v=spf1" TXT records causes receivers to treat SPF as a permanent error. If you also send from services outside M365, add their "include:" mechanisms to the same record rather than creating a second one, and keep the total number of DNS-lookup mechanisms (include, a, mx, ptr, exists, redirect, counted through nested includes) at ten or fewer, which is the limit receivers enforce.
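The rules above (one record, a terminal "all" with a safe qualifier, at most ten lookup mechanisms) are easy to check before you publish. The following linter is an added example written for this post, not a Microsoft tool; it works on record strings you paste in and does not query DNS, so it counts only the lookup mechanisms visible in the record itself (nested includes would raise the real count).

```python
"""Added example: an offline SPF record linter for the checks described above.
Record strings are constructed inputs; nothing is queried from DNS."""
import re

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail (hard fail)", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?", re.IGNORECASE)


def lint_spf(txt_records):
    """Evaluate all TXT records of a domain; returns a dict with ok/problems.

    Only direct terms are counted for the lookup limit, because this runs
    offline; includes expand to further lookups when a receiver evaluates them.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"ok": False, "error": "no v=spf1 record"}
    if len(spf) > 1:
        # Two SPF records is a permerror for receivers, not double coverage.
        return {"ok": False, "error": f"{len(spf)} SPF records found; must be exactly one"}

    lookups, includes, all_qualifier = 0, [], None
    for term in spf[0].split()[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            return {"ok": False, "error": f"unparsable term {term!r}"}
        qual, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(arg)
        if name == "all":
            all_qualifier = qual
    if all_qualifier is None:
        return {"ok": False, "error": "no terminal 'all' mechanism"}

    problems = []
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if all_qualifier == "+":
        problems.append("'+all' authorises every host on the internet")
    return {
        "ok": not problems,
        "all": QUALIFIERS[all_qualifier],
        "lookups": lookups,
        "includes": includes,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample: the M365 record next to an unrelated verification TXT.
    print(lint_spf(["MS=ms12345678", "v=spf1 include:spf.protection.outlook.com -all"]))
```

Run it against the full set of TXT records your provider shows for the apex, not just the one you intend to be SPF: the duplicate-record error only shows up when all of them are passed in together.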
Steps to Add DKIM in Office 365
Next, configure DKIM in Microsoft 365 by generating the keys in the Defender portal and publishing the two CNAME records it gives you in your DNS. Microsoft hosts the actual public keys under your tenant's onmicrosoft.com domain; the CNAMEs simply point your domain's selectors at them, which is also what lets Microsoft rotate keys without you touching DNS again.
Step 1. Fetch the Keys from Your M365 Account
- Log in to the Microsoft 365 Defender portal at security.microsoft.com.
- In the left-hand navigation, expand Email & collaboration > click Policies & rules > select Threat policies.
- On the Threat policies page, scroll down to Email authentication settings and open it.
- Switch to the DKIM tab and pick the custom domain for which you are setting up SPF, DKIM, and DMARC in Office 365.
- A details pane flies out from the right side of the screen; click the Create DKIM keys button there.
Step 2. Publish CNAME Records in the DNS
If key generation succeeds, the two CNAME records appear on screen in a small dialog.
Copy the text before closing the dialog.
Keep the copied content in your clipboard, a notepad, or any other text viewer. Log in to your DNS provider's settings page and create two new CNAME records.
Add the two values one at a time. The usual format is
- Type: CNAME
- Host/Name: selector1._domainkey
- Value/Points to: selector1-<CustomDomainWithDashes>._domainkey.<InitialDomain>.onmicrosoft.com
Paste the values into their respective fields and repeat for the second record, whose host is selector2._domainkey and whose target starts with selector2-. Replace the placeholders (<CustomDomainWithDashes>, your domain with every dot turned into a dash, and <InitialDomain>, the first part of your tenant's onmicrosoft.com name) with your own values. Some DNS providers append the zone name to the Host field automatically; if yours does, enter only selector1._domainkey, not selector1._domainkey.yourdomain.com, or the record will be created one level too deep.
Step 3. Enable DKIM
A new CNAME takes a few minutes to propagate across the internet before Microsoft can see it. Once it has, go back to the DKIM page of the Microsoft Defender portal and finish the remaining steps.
Select your domain
Toggle the “Sign messages for this domain with DKIM signatures” button to the enabled position.
M365 looks up your CNAME records and completes the setup. You can confirm it worked when the pane shows the status text "Signing DKIM signatures for this domain."
If the lookup fails you will see an error instead, typically reporting that the CNAME records could not be found. Double-check both records you published (host name, target, and any zone name the provider appended), wait for propagation, and try enabling again.
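Most DKIM enablement failures come down to a CNAME that does not match what the portal expects: dots instead of dashes in the target, a missing second selector, or a provider that appended the zone name to the host. The following helper is an added example for this post (not a Microsoft or Exchange Online tool) that derives the two expected CNAMEs from your custom domain and initial domain, compares them with a set of DNS answers, and reads the selector out of a DKIM-Signature header on a delivered message. The domains (contoso.com, contoso.onmicrosoft.com) and the DNS answers are assumptions; in practice you would feed in the output of a real CNAME lookup.

```python
"""Added example: derive and check the Microsoft 365 DKIM CNAMEs for a custom
domain. Domains and DNS answers below are constructed, not live lookups."""

SELECTORS = ("selector1", "selector2")


def expected_dkim_cnames(custom_domain, initial_domain):
    """Map each CNAME host name to the target Microsoft 365 publishes.

    initial_domain may be given as "contoso" or "contoso.onmicrosoft.com";
    the custom domain appears in the target with every dot replaced by a
    dash, which is the <CustomDomainWithDashes> placeholder from the portal.
    """
    custom_domain = custom_domain.strip().lower().rstrip(".")
    initial_domain = initial_domain.strip().lower().rstrip(".")
    if not initial_domain.endswith(".onmicrosoft.com"):
        initial_domain += ".onmicrosoft.com"
    dashed = custom_domain.replace(".", "-")
    return {
        f"{sel}._domainkey.{custom_domain}": f"{sel}-{dashed}._domainkey.{initial_domain}"
        for sel in SELECTORS
    }


def check_dkim_cnames(custom_domain, initial_domain, dns_answers):
    """Compare the expected CNAMEs with a {host: target} dict of DNS answers.

    Returns a list of findings; an empty list means both records exist and
    point where the Defender portal expects.
    """
    findings = []
    for host, target in expected_dkim_cnames(custom_domain, initial_domain).items():
        got = dns_answers.get(host)
        if got is None:
            findings.append(f"{host}: no CNAME published")
        elif got.rstrip(".").lower() != target:
            findings.append(f"{host}: points to {got}, expected {target}")
    return findings


def signing_dns_name(dkim_signature_header):
    """Return the DNS name a receiver queries for this signature (s._domainkey.d).

    After enablement this should be one of the CNAME hosts above; Microsoft
    alternates between selector1 and selector2 when it rotates keys.
    """
    tags = {}
    for part in dkim_signature_header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return f"{tags['s']}._domainkey.{tags['d']}"


if __name__ == "__main__":
    # Constructed DNS answers: selector1 published with dots instead of dashes,
    # selector2 missing entirely. Both are reported.
    answers = {
        "selector1._domainkey.contoso.com":
            "selector1-contoso.com._domainkey.contoso.onmicrosoft.com",
    }
    for finding in check_dkim_cnames("contoso.com", "contoso", answers):
        print(finding)
```

Once signing is enabled, send a test message to an external mailbox, copy its DKIM-Signature header into signing_dns_name, and confirm the result is one of the two CNAME hosts you published; if the d= tag shows your onmicrosoft.com domain instead, the toggle for the custom domain did not take effect.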
Configure DMARC in M365 Cloud
This is the last leg of the authentication trio. DMARC ties the other two together: it defines what "aligned" means for SPF and DKIM results and tells receivers what to do when a message fails, so it is the record that turns the first two from hints into an enforceable policy.
Once again, log in to your DNS hosting provider's portal and create a new TXT record.
Match the following details:
- Type: TXT
- Host/Name: _dmarc
- Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];
- TTL: 1 hour or 3600 seconds.
Replace the placeholder email addresses with mailboxes you control, ideally dedicated ones, because report volume grows with mail volume. The rua address receives aggregate reports (XML summaries, usually daily, of which sources sent mail as your domain and how it authenticated). The ruf address receives failure (forensic) reports for individual messages; many large receivers do not send these at all, and those that do may include message content, so treat that mailbox as sensitive. Starting with p=none publishes the record in monitoring mode: nothing is blocked yet, but the reports start arriving.
Admins use these reports to diagnose authentication problems that users complain about and to find legitimate senders (marketing platforms, ticketing systems, printers) that are not yet covered by SPF or DKIM, before a stricter policy starts blocking them.
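Aggregate reports arrive as XML attachments, and the useful signal in them is which sources fail alignment and whether a receiver would have acted on them. The following is an added example written for this post (not a Microsoft tool): it parses a DMARC record, builds the staged records you will use when moving from p=none to quarantine and reject, and summarises a constructed aggregate report in the RFC 7489 format. The domains, IP addresses, and report content are assumptions; the second record in the sample shows the case from earlier in this post where SPF passes for an unrelated envelope domain while the From header claims contoso.com, which DMARC counts as a failure.

```python
"""Added example: DMARC record handling and aggregate (rua) report summary.
SAMPLE_REPORT is a constructed report, not one received from a real mailbox."""
import xml.etree.ElementTree as ET

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT value into its tags; v=DMARC1 and p= are mandatory."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a valid DMARC record: need v=DMARC1 and p=none|quarantine|reject")
    return tags


def build_dmarc(policy, rua, ruf=None, pct=100):
    """Build a record; v= must come first and p= second per RFC 7489.

    pct applies the policy to only that percentage of failing mail, which is
    how you ramp from p=none to enforcement without a big-bang cutover.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0..100")
    record = f"v=DMARC1; p={policy}; rua=mailto:{rua}"
    if ruf:
        record += f"; ruf=mailto:{ruf}"
    if pct != 100:
        record += f"; pct={pct}"
    return record


SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>contoso.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results><dkim><domain>contoso.com</domain><result>pass</result></dkim>
      <spf><domain>contoso.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def summarise_rua(xml_text):
    """Count aligned messages and list every source that failed both aligned checks.

    policy_evaluated/dkim and /spf already include alignment, so a raw SPF
    pass for a different domain (second record) still shows as a failure.
    """
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "aligned": 0, "unaligned": []}
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            summary["aligned"] += count
        else:
            summary["unaligned"].append({
                "source_ip": row.findtext("source_ip"),
                "count": count,
                "disposition": evaluated.findtext("disposition"),
                "spf_domain": rec.findtext("auth_results/spf/domain"),
            })
    return summary


if __name__ == "__main__":
    print(summarise_rua(SAMPLE_REPORT))
```

Each unaligned source is either a sender you forgot to authorise (add it to SPF or set up DKIM for it) or someone impersonating your domain; with p=none the disposition stays "none" either way, which is exactly why the reports matter before you tighten the policy.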
How to Verify SPF, DKIM, and DMARC Set Up in Office 365?
Once the configuration is done, run a test to validate that it works as intended. Do not test immediately, because a check run before the records have propagated will report a failure that has nothing to do with your configuration. Wait for propagation (anything from a few minutes to 24-48 hours, depending on TTLs and your provider), then use a free online checker such as MXToolbox, DMARCLY, or Mail-Tester to look up the SPF, DKIM, and DMARC records for your domain.
You can also have users send messages to a mailbox on a different domain and inspect the Authentication-Results header on the received copy, which shows the spf, dkim, and dmarc verdicts the receiver actually computed.
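The manual test above comes down to reading one header. The following parser is an added example for this post (not part of Microsoft 365) that takes the value of an Authentication-Results header, splits it into the spf, dkim, and dmarc clauses, and checks whether the domains they passed for align with your domain. The header strings are constructed in the style Exchange Online writes (a comment in parentheses after each verdict, then property=value pairs); the domain contoso.com is an assumption.

```python
"""Added example: parse an Authentication-Results header from a delivered test
message and check SPF/DKIM alignment with the sending domain.
Header values below are constructed samples."""
import re

CLAUSE_RE = re.compile(r"([a-z\-]+)=([a-z]+)", re.IGNORECASE)
PROP_RE = re.compile(r"([\w.]+)=([^\s]+)")


def parse_auth_results(header_value):
    """Return {method: {"result": verdict, property: value, ...}}.

    Clauses are ';'-separated; parenthesised comments such as
    "(sender IP is 203.0.113.10)" are discarded before properties are read.
    A leading authserv-id clause (no '=') is skipped.
    """
    results = {}
    for clause in header_value.split(";"):
        clause = clause.strip()
        m = CLAUSE_RE.match(clause)
        if not m:
            continue
        method, verdict = m.group(1).lower(), m.group(2).lower()
        rest = re.sub(r"\([^)]*\)", "", clause[m.end():])
        results[method] = {"result": verdict, **dict(PROP_RE.findall(rest))}
    return results


def _aligned(domain, ours):
    """Relaxed alignment: same domain or a subdomain of it."""
    domain = domain.lower().rstrip(".")
    return domain == ours or domain.endswith("." + ours)


def evaluate(header_value, our_domain):
    """Summarise what a receiver concluded and whether DMARC should pass.

    dmarc_pass_expected is derived from the aligned SPF/DKIM verdicts so you
    can compare it with the receiver's own dmarc= result.
    """
    r = parse_auth_results(header_value)
    ours = our_domain.lower()
    spf = r.get("spf", {})
    dkim = r.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and _aligned(spf.get("smtp.mailfrom", ""), ours)
    dkim_aligned = dkim.get("result") == "pass" and _aligned(dkim.get("header.d", ""), ours)
    dmarc = r.get("dmarc", {})
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": dmarc.get("result"),
        "action": dmarc.get("action"),
        "dmarc_pass_expected": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    sample = ("spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com; "
              "dkim=pass (signature was verified) header.d=contoso.com; "
              "dmarc=pass action=none header.from=contoso.com; compauth=pass reason=100")
    print(evaluate(sample, "contoso.com"))
```

If dkim shows header.d=contoso.onmicrosoft.com rather than your custom domain, Microsoft is still signing with the tenant's default domain and the custom-domain toggle from the DKIM section has not taken effect; the message may still pass DMARC on SPF alone, which is why both results are reported separately.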
Perform Policy Enforcement
Publishing p=none is only the monitoring stage. Moving to an enforcing policy is the standard DMARC practice, and it is also what Microsoft recommends, because p=none asks receivers to do nothing with mail that fails. Once the aggregate reports show that all your legitimate sources pass, tighten the policy in two steps.
A Quarantine Policy: change the DMARC record's p value from "none" to "quarantine". This asks receiving servers to treat mail that fails DMARC as suspicious, which most receivers implement by delivering it to the junk or spam folder. You can add pct=<number> to apply the policy to only a percentage of failing mail while you build confidence.
A Rejection Policy: for the strictest version of DMARC, set the p value to "reject". This instructs receivers to refuse any message that fails DMARC validation outright, so it never reaches the recipient's mailbox at all. Move here only after a period at quarantine with no reports of blocked legitimate mail.
Conclusion
Setting up SPF, DKIM, and DMARC in Office 365 is no longer as hard as it once seemed. This post covered every step needed to implement the email authentication trio for your M365 domain, from the SPF TXT record through the DKIM CNAMEs to a DMARC policy you can ramp to enforcement.
Once the records are in place and enforced, you sharply reduce the risk that your domain is used in spoofing attacks, protect the people who receive mail from you, and protect your domain's reputation with the receivers that decide where your mail lands.