General
July 31, 2024

How to set up DMARC in Office 365 for free

This is how to set up DMARC on Office 365, including Office 365 SPF and Office 365 DKIM as prerequisites. Increase deliverability with these authentication protocols.

Hello everyone! In this blog, we're diving into three critical settings in Microsoft 365 that can significantly boost your email security as well as deliverability to your email recipients and audience. Surprisingly, many companies I come across are using only one of these settings!

First, let me introduce myself. I'm Bobby Jimenez, an Email Deliverability expert, assisting businesses globally with email compliance and security. I'm an Allegrow user myself, and we’ve teamed up to outline how to set up DMARC in Office 365, from start to finish.

We'll cover three essential settings you can implement at no additional cost to enhance your email security for Microsoft 365.

The settings we’ll discuss are SPF, DKIM, and DMARC. It is highly recommended to set up both SPF and DKIM alongside DMARC. Therefore, we’ll cover how to ensure these protocols are in place and fully functional too.

These may sound technical, but I’ll break everything down into simple sections.

If you're a Google user, on the other hand, check out our alternative guide for setting up and testing these authentication protocols in Google Workspace.

What are DMARC, SPF, and DKIM

1. DMARC (Domain-based Message Authentication, Reporting, and Conformance): This ensures both SPF and DKIM are in place and tells receiving email servers what to do if neither of these checks passes. It’s like adding special sender instructions to your recipient's email servers on what to do if an email looks tampered with or isn’t from a trusted sender.

2. SPF (Sender Policy Framework): This helps prevent spammers from sending messages on behalf of your domain. It’s like specifying which mail servers are allowed to send emails from your domain.

3. DKIM (DomainKeys Identified Mail): This adds a digital signature to your emails, ensuring they haven’t been altered during transit. It’s like a digital lock for your email with a unique combination that only you can provide.

Before we begin, I'd like to note that adding these security settings requires a certain level of comfort with adding DNS records. You’ll need at least a medium level of technical expertise to access your email domain's DNS editor and add records. If you're not comfortable doing this yourself, pass this article on to your IT admin to help out.

Setting Up DMARC

DMARC is the final piece of the puzzle to ensure your email security is robust. What the people at DMARCIAN have done is fantastic: they’ve created a free DMARC Record Wizard that takes the pain away from what is usually a complicated and confusing process. I highly recommend using this tool to create your DMARC record.

You can find the wizard here: DMARC Record Wizard. By following the steps in the wizard, you’ll be guided through creating a valid DMARC record suitable for your domain. This tool also provides valuable insights into how your domain is being used and/or abused.

Publishing your DMARC Record

Once you've created the DMARC record with the wizard, you need to publish it to the DNS before the receiving email server can pick it up. Publishing a DMARC record is a matter of creating a TXT record on your domain.

Once again let's assume you are using Cloudflare as your domain DNS hosting service. And note that other DNS providers would more or less look the same, so take this example as your guide! Here are the steps:

Steps to Add a DMARC Record

1. Log in to Cloudflare:

  • Select your domain from the dashboard.

2. Access DNS Settings:

  • Click on the "DNS" tab to view your DNS records.

3. Add a New DMARC Record:

  • Click the "Add record" button.

4. Fill in the Record Details:

  • Type: Select TXT from the drop-down menu.
  • Name: Enter _dmarc (this specifies that the record is for DMARC).
  • Content: Enter the DMARC record value produced by the wizard above.

5. Verify Your DMARC Record:

  • Check if the DMARC record appears correctly in the list of DNS records.
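A pre-publish check for the Name and Content fields described in the steps above. This is an added example, not code from the author or from the dmarcian wizard; the function names and the sample records are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(name, content):
    """Return a list of problems with a DMARC TXT record before publishing."""
    problems = []
    if name.split(".")[0].lower() != "_dmarc":
        problems.append("Name must be _dmarc, not the root domain")
    if not content.isascii():
        problems.append("non-ASCII character pasted into the record")
    pairs = parse_tags(content)
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdecimal() and int(pct) <= 100):
        problems.append("pct= must be a whole number from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                problems.append(f"{tag}= should be a mailto: URI ({uri})")
    return problems

# Constructed records: one well-formed, one with four common mistakes.
GOOD = ("_dmarc", "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com")
BAD = ("@", "p=reject; v=DMARC1; pct=150; rua=dmarc@example.com")

for name, content in (GOOD, BAD):
    print(name, lint_dmarc(name, content))
```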


Now you’ll want to make sure you’ve added SPF and DKIM to your domain as prerequisites for strong security. So, it might make sense to review the SPF and DKIM setup sections below if you don’t already have these in place!

Preparing Your SPF Record Prior to Adding It to Your DNS

Before you add the records in your DNS editor, I highly recommend preparing the exact syntax in a text editor on your computer; it's important to get this right.

First Scenario: Microsoft 365 is your only means of sending emails from your domain.

In this scenario, since only Microsoft 365 is allowed to send emails, just include its SPF record (spf.protection.outlook.com) in your SPF record, like this:

v=spf1 include:spf.protection.outlook.com -all

Second Scenario: You or your marketing department are using a 3rd-party service like Mailchimp to send out marketing emails or newsletters, and now you want Microsoft 365 to send emails from your domain as well.

In this instance, you might already have a record in your DNS:

v=spf1 include:servers.mcsv.net -all

Then you will need to include the Microsoft 365 SPF record like this:

v=spf1 include:servers.mcsv.net include:spf.protection.outlook.com -all
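The second scenario as code: merge the Microsoft 365 include into an existing record and lint the result before it goes into DNS. This is an added example, not code from the author; the function names are hypothetical, and the lookup count covers only the top-level terms (lookups nested inside each include also count toward the limit of 10 and need DNS to resolve).

```python
import re

# Terms that each cost one DNS lookup; SPF allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term):
    """Strip the qualifier (+ - ~ ?) and any argument: '-all' -> 'all'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]

def add_include(record, domain):
    """Add include:<domain> to an existing record, keeping 'all' last."""
    terms = record.split()
    new = f"include:{domain}"
    if new.lower() in (t.lower() for t in terms):
        return record
    names = [term_name(t) for t in terms]
    pos = names.index("all") if "all" in names else len(terms)
    terms.insert(pos, new)
    return " ".join(terms)

def lint_spf(record):
    """Return a list of problems found in an SPF TXT value."""
    problems = []
    if not record.isascii():
        problems.append("non-ASCII character, e.g. an en dash pasted in place of '-'")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    names = [term_name(t) for t in terms]
    if "all" not in names:
        problems.append("no 'all' mechanism found")
    elif names.index("all") != len(names) - 1:
        problems.append("'all' should be the last term")
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms (limit is 10)")
    return problems

# Constructed inputs: the Mailchimp record from the second scenario, plus a
# record whose qualifier is an en dash (U+2013) instead of a hyphen.
merged = add_include("v=spf1 include:servers.mcsv.net -all", "spf.protection.outlook.com")
print(merged, lint_spf(merged))
print(lint_spf("v=spf1 include:spf.protection.outlook.com \u2013all"))
```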


Publishing an SPF Record

Once you've created the SPF record, you need to publish it to the DNS before the receiving email server can pick it up. Publishing an SPF record is a matter of creating a TXT record on your domain.

Let's assume you are using Cloudflare as your domain DNS hosting service. Note that other DNS providers would more or less look the same, so take this example as your guide! Here are the steps:

1. Log in to Cloudflare:

  • Select your domain from the dashboard.

2. Access DNS Settings:

  • Click on the "DNS" tab to view your DNS records.

3. Add a New SPF Record:

  • Click the "Add record" button.

4. Fill in the Record Details:

  • Type: Select TXT from the drop-down menu.
  • Name: Enter @ for the root domain or specify a subdomain if needed.
  • Content: Enter your SPF record value (e.g., v=spf1 include:spf.protection.outlook.com -all).
  • TTL: Set this to your desired value, such as 1 hr.

5. Save Your Changes:

  • Click the "Save" button to publish the new SPF record.

6. Verify Your SPF Record:

  • Check if the SPF record appears correctly in the list of DNS records.

Note: If you already have an existing SPF record, you should edit it instead of creating a new one. To check if there is an existing SPF record, look for a TXT record with a value starting with v=spf1.

If you use another DNS provider, you can see guidance for Namecheap, GoDaddy, Wix, and Ionos respectively.

Adding DKIM Records

This next part is critical and important to get right on Microsoft 365, so I've prepared a video to guide you on how to do this carefully and correctly.


And that's it! You've set up SPF, DKIM, and DMARC records for your domain. Congratulations! 

By adding these records, you’re not only complying with the latest email security requirements but also protecting your emails from being marked as spam or rejected as mailbox service providers become stricter with compliance. Having this setup is important for maintaining trust and reliability in email communications going forward. I hope you found this article helpful!

How to Test That Your DMARC, SPF, and DKIM Authentication Is Working

After setting up DMARC, SPF, and DKIM, it is important to regularly verify that these protocols are functioning correctly. Unfortunately, various factors can cause these authentication protocols to stop working over time. Here are some common reasons why your SPF, DKIM, and DMARC might stop working correctly:

  • DNS Changes: Any modifications to your DNS settings or a change in your DNS hosting provider can disrupt the existing configurations, leading to failed authentication.
  • New Subdomains or Domains: Adding new subdomains or separate domains for specific purposes (like marketing or support) without configuring the authentication protocols can cause failures.
  • Mail Server Changes: Changes or updates to your email servers or the addition of new email sending services that are not included in your SPF record can result in authentication issues.
  • Expired DKIM Keys: DKIM keys can expire or become invalid if not updated regularly.
  • Policy Misconfigurations: Incorrect or outdated policies in your DMARC, SPF, or DKIM settings can lead to authentication failures.
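One way to check a test message by hand is to read the Authentication-Results header (RFC 8601) that the receiving server adds. The following is an added example, not code from the author or from Allegrow; the header, host names and function names are constructed. The sample shows DMARC still passing on SPF alone while DKIM has quietly broken.

```python
import re

# Constructed sample of the header a receiving server stamps on a test message.
SAMPLE = """mx.receiver.example;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com;
 dkim=fail (signature did not verify) header.d=example.com;
 dmarc=pass action=none header.from=example.com"""

def parse_auth_results(value):
    """Return (authserv_id, {method: [{'result': ..., prop: val}, ...]})."""
    value = re.sub(r"\([^()]*\)", " ", value)        # drop (comments)
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entry = {"result": result.lower(), **props}
        # A message can carry several DKIM signatures, so keep a list.
        results.setdefault(method.lower(), []).append(entry)
    return authserv_id, results

def failing_checks(value, trusted_id, wanted=("spf", "dkim", "dmarc")):
    """List the methods with no 'pass' result in a trusted header."""
    authserv_id, results = parse_auth_results(value)
    if authserv_id != trusted_id.lower():
        # Anyone upstream can add this header; only trust your own receiver's.
        return list(wanted)
    return [m for m in wanted
            if not any(e["result"] == "pass" for e in results.get(m, []))]

print(failing_checks(SAMPLE, "mx.receiver.example"))
```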

How Allegrow Helps:

Allegrow offers an automated and reliable way to ensure that your email authentication protocols are always working correctly. Here's how Allegrow specifically tests and notifies you:

  • Automated Hourly Checks: Allegrow automatically checks your SPF, DKIM, and DMARC protocols every hour. As long as your mailbox is connected to Allegrow, Allegrow will send a test email to a unique receiver account to verify that these protocols are in place and functioning.
  • Instant Notifications: If there are any issues with your email authentication, Allegrow detects the problem within an hour and immediately notifies you. This prompt alert allows your team to quickly address and resolve any authentication failures.
  • Continuous Monitoring: Unlike manual checks that need to be performed periodically, Allegrow's continuous monitoring ensures that your email authentication protocols remain effective without requiring constant manual intervention.

By integrating Allegrow into your email system, you can maintain robust email security and ensure high deliverability, avoiding the common pitfalls that can disrupt your email authentication protocols.