SPF, DKIM & DMARC¶

Email authentication prevents spoofing and helps receiving mail servers verify your messages are legitimate. All three records work together — SPF and DKIM provide authentication signals; DMARC acts on those signals.

SPF¶

SPF (Sender Policy Framework) declares which mail servers are authorised to send email for your domain.

Create the SPF record¶

Field	Value
Type	TXT
Host/Name	`@` (root domain)
Value	See below

Microsoft 365 only (no other mail senders):

v=spf1 include:spf.protection.outlook.com -all

Microsoft 365 plus other senders (e.g., Mailchimp, SendGrid):

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all

One SPF record per domain

You can only have one SPF TXT record. Multiple records cause a PermError. Add additional senders with extra include: mechanisms.

Verify SPF¶

dig TXT yourdomain.com | grep spf

# Or with nslookup
nslookup -type=TXT yourdomain.com

Expected output includes: v=spf1 include:spf.protection.outlook.com -all

DKIM¶

DKIM (DomainKeys Identified Mail) cryptographically signs outgoing messages. Microsoft 365 generates the key pair and hosts the public key.

Enable DKIM in Microsoft 365¶

Defender portal → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM
Select your domain → Enable → Rotate DKIM keys (if first time)
Copy the two CNAME records shown and publish them in DNS:

Field	Value
Type	CNAME
Name	`selector1._domainkey`
Value	`selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com`

Field	Value
Type	CNAME
Name	`selector2._domainkey`
Value	`selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com`

After DNS propagates (up to 48h), return to the portal and Enable DKIM signing.

Verify DKIM¶

# Check selector1
dig CNAME selector1._domainkey.yourdomain.com

# After enabling, check the TXT record via the resolved CNAME
nslookup -type=TXT selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

DMARC¶

DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do when SPF or DKIM fail, and where to send reports.

Deployment stages¶

Start permissive, then tighten once you confirm legitimate mail is passing:

Stage	Policy	Timeline
Monitor	`p=none`	2–4 weeks
Quarantine	`p=quarantine; pct=25` → `pct=100`	4–8 weeks
Reject	`p=reject`	Goal state

DMARC record format¶

Field	Value
Type	TXT
Host/Name	`_dmarc`
Value	See below

Monitoring (initial):

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; fo=1

Quarantine (intermediate):

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com; sp=quarantine; adkim=r; aspf=r

Reject (goal state):

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com; sp=reject; adkim=s; aspf=s

DMARC tags reference¶

Tag	Description
`p=`	Policy: `none`, `quarantine`, `reject`
`sp=`	Subdomain policy (inherits `p=` if omitted)
`pct=`	Percentage of messages policy applies to (1–100)
`rua=`	Aggregate report destination (daily XML)
`ruf=`	Forensic report destination (per-failure, not all providers send)
`adkim=`	DKIM alignment: `r` (relaxed) or `s` (strict)
`aspf=`	SPF alignment: `r` (relaxed) or `s` (strict)
`fo=`	Failure reporting options: `0`=both fail, `1`=either fail, `d`=DKIM fail, `s`=SPF fail

Verify DMARC¶

dig TXT _dmarc.yourdomain.com

# Or
nslookup -type=TXT _dmarc.yourdomain.com

Process DMARC reports¶

Use a DMARC reporting service to parse and visualise aggregate reports:

These services parse the XML aggregate reports and show which sources are sending on your behalf, and whether they pass or fail.