Email Security Settings Guide for Microsoft 365
This guide will help you configure the correct security settings for your domain when using Microsoft 365. Properly configured DNS settings protect your organization from email fraud, spoofing, and other security threats.
Important Notice
Email security configurations are critical to your organization's data protection. Improper setup can lead to email delivery issues, security vulnerabilities, or even data breaches.
While this guide provides detailed instructions, we strongly recommend consulting with your IT department or a qualified DNS professional before making any changes to your domain's DNS records. Incorrect configurations may result in email service disruptions.
These settings should be implemented by someone familiar with DNS management and email authentication protocols. If you're unsure about any step, seek professional assistance rather than proceeding on your own.
Remember that DNS changes can take 24-48 hours to fully propagate across the internet. Plan accordingly and monitor your email services closely after making changes.
Table of Contents
- SPF Settings
- DKIM Settings
- DMARC Settings
- MX Records
- Common Issues and Troubleshooting
SPF Settings
What is SPF?
SPF (Sender Policy Framework) is an email authentication method that helps prevent someone from impersonating your organization by verifying that email servers sending email from your domain are authorized to do so.
How to Configure SPF for Microsoft 365
- Log in to your DNS provider's control panel (e.g., GoDaddy, Cloudflare, Namecheap)
- Locate the TXT record management in the DNS settings
- Create or update a TXT record with the following values:
- Host/Name: @ or blank (representing your root domain)
- Type: TXT
- TTL: 3600 (or your DNS provider's default)
- Value/Data:
v=spf1 include:spf.protection.outlook.com -all
Note: If you already have an SPF record (one that starts with v=spf1), you must not create another one. Instead, update the existing record by adding include:spf.protection.outlook.com to it.
- Save the changes
- Verify your SPF record after 24-48 hours (the time it takes for DNS changes to propagate) by using an online tool like MXToolbox
Example of a Correct SPF Record for Microsoft 365
v=spf1 include:spf.protection.outlook.com -all
If you use multiple services to send email, combine them with additional include: directives:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all
SPF Mechanism Explanation:
- -all: Hard fail for all email that doesn't match (recommended for Microsoft 365)
- ~all: Soft fail (less strict, can be used during testing periods)
- ?all: Neutral (too weak for production environments)
- +all: Allow all (strongly discouraged from a security perspective)
DKIM Settings
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email messages so that receiving servers can verify that the messages actually come from your domain and haven't been tampered with.
How to Configure DKIM for Microsoft 365
- Prepare two CNAME records in your DNS configuration. Microsoft 365 uses two selectors: selector1 and selector2.
- Create the CNAME records in your DNS provider's control panel:
For Selector1:
- Host/Name:
selector1._domainkey
- Type: CNAME
- TTL: 3600 (or your DNS provider's default)
- Points to/Value:
selector1-<domainGUID>._domainkey.<initialDomain>.onmicrosoft.com
For Selector2:
- Host/Name:
selector2._domainkey
- Type: CNAME
- TTL: 3600 (or your DNS provider's default)
- Points to/Value:
selector2-<domainGUID>._domainkey.<initialDomain>.onmicrosoft.com
Note: <domainGUID> and <initialDomain> are specific to your Microsoft 365 tenant. You can find these values in the Microsoft 365 admin center.
- Find your specific DKIM values in the Microsoft 365 Admin Center:
- Log in to the Microsoft 365 admin center
- Go to Admin centers > Exchange
- Select Protection in the left menu
- Click on DKIM under the "Email authentication" heading
- Select your domain from the list
- In the window that opens, you'll see the exact CNAME values you need to use
- Save the changes in your DNS configuration
- Enable DKIM signing in Microsoft 365:
- After the DNS changes have propagated (24-48 hours), go back to the DKIM settings in the Exchange Admin Center
- Click Enable for your domain
- Verify your DKIM configuration with a tool like MXToolbox DKIM Checker
Tips for DKIM Implementation with Microsoft 365
- Microsoft automatically rotates DKIM keys between selector1 and selector2
- Verify that both CNAME records are correctly configured before enabling DKIM
- Microsoft 365 uses a 2048-bit key size for DKIM signatures
DMARC Settings
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds upon SPF and DKIM to give domain owners control over what happens to email that fails authentication, as well as receive reports about failed attempts.
How to Configure DMARC for Microsoft 365
- Create a new TXT record in your DNS configuration:
- Host/Name:
_dmarc
- Type: TXT
- TTL: 3600 (or your DNS provider's default)
- Value/Data: Start with a simple DMARC record, e.g.:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
- Save the changes
- Verify DMARC configuration with a tool like MXToolbox DMARC Checker
Phased DMARC Policy Implementation
For Microsoft 365, it is recommended to implement DMARC in phases:
- Monitoring Mode (p=none):
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
- This sends reports without affecting email delivery
- Use this setting for at least 2-4 weeks to gather data
- Quarantine Mode (p=quarantine):
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com
- Suspicious messages go to the spam folder
- pct=25 applies the policy to only 25% of messages
- Gradually increase the percentage: 25%, 50%, 75%, 100%
- Rejection Mode (p=reject):
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
- Receiving mail servers reject email that fails authentication
- Implement only when you are sure all legitimate email flows are correctly configured
DMARC Tag Explanation
- v=DMARC1: Protocol version (always DMARC1)
- p=none/quarantine/reject: Policy for handling failed authentication
- pct=: Percentage of traffic the policy applies to (1-100)
- rua=mailto:<address>: Email address for aggregate reports
- ruf=mailto:<address>: Email address for detailed forensic reports
- sp=: Subdomain policy (if different from the main domain)
MX Records
What are MX Records?
MX records (Mail Exchange) specify which email servers should receive email for your domain.
How to Configure MX Records for Microsoft 365
- Log in to your DNS provider's control panel
- Locate the MX record management in the DNS settings
- Remove any existing MX records that don't relate to Microsoft 365
- Add the following MX record:
- Priority: 0
- Host/Name: @ or blank
- Points to/Value: yourdomain-com.mail.protection.outlook.com
Note:
- Lower priority value indicates higher priority
- Replace "yourdomain-com" with your specific Microsoft 365 MX record information (where hyphens replace dots in your domain name)
- The exact MX record value can be found in the Microsoft 365 admin center
- Find your exact MX record information in the Microsoft 365 Admin Center:
- Log in to the Microsoft 365 admin center
- Go to Settings > Domains
- Click on your domain
- Select the DNS records tab
- Under MX records, you'll find the exact value you should use
- Save the changes
- Verify your MX records after 24-48 hours with a tool like MXToolbox MX Lookup
Common MX Record Issues for Microsoft 365
- Duplicate MX records: Remove all non-Microsoft MX records if you exclusively use Microsoft 365
- Incorrect domain format: Check that you're using the specific MX record address for your tenant
- Priority errors: Check that the priority value is correctly specified (0 is recommended)
Common Issues and Troubleshooting
SPF Errors
- Error 1: Too many DNS lookups (max 10 are allowed)
- Solution: Simplify your SPF record by using "include" instead of multiple "a:" or "mx:" mechanisms
- Error 2: Multiple SPF records (only one is allowed)
- Solution: Combine all directives into a single SPF record
- Error 3: SPF record not containing the Microsoft 365 domain
- Solution: Ensure include:spf.protection.outlook.com is in your SPF record
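The three SPF errors above, together with the mechanism explanation in the SPF Settings section, can be checked offline once you have the domain's TXT answers in hand. The following linter is an added example written for this guide, not Microsoft's or MXToolbox's code; the sample TXT answers are constructed.

```python
M365_INCLUDE = "include:spf.protection.outlook.com"
# Mechanisms and modifiers that each cost one DNS lookup against the limit of 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Check the TXT answers for a domain's root against the SPF problems this
    guide lists. Returns a dict: 'errors' (empty when the record is fine),
    'lookups' (DNS-querying terms counted) and 'all' (qualifier of the all term)."""
    result = {"errors": [], "lookups": 0, "all": None}
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        result["errors"].append("no SPF record found")
        return result
    if len(spf) > 1:
        result["errors"].append("multiple SPF records (only one is allowed)")
    terms = spf[0].split()[1:]  # drop the v=spf1 version tag
    for term in terms:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" is the default
        # mechanism name without qualifier, argument (":" or "=") or CIDR suffix
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        elif name == "all":
            result["all"] = qualifier
    if result["lookups"] > 10:
        result["errors"].append(f"too many DNS lookups ({result['lookups']}, max 10)")
    if M365_INCLUDE not in (t.lstrip("+-~?").lower() for t in terms):
        result["errors"].append(f"missing {M365_INCLUDE}")
    if result["all"] is None:
        result["errors"].append("no 'all' mechanism at the end of the record")
    elif result["all"] == "+":
        result["errors"].append("+all authorizes every sender")
    return result

# Constructed sample answers, as a TXT lookup of the root domain would return them
SAMPLE_TXT = [
    "v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all",
    "MS=ms12345678",  # a constructed domain-verification TXT record; not SPF, so ignored
]

if __name__ == "__main__":
    print(lint_spf(SAMPLE_TXT))
```

Feed it the real TXT answers for your domain (for example the output of an online TXT lookup) to get the same three checks the troubleshooting list describes.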
DKIM Errors
- Error 1: CNAME records pointing to incorrect values
- Solution: Double-check the exact values from the Microsoft 365 admin center
- Error 2: DKIM enabled before DNS records have propagated
- Solution: Wait 24-48 hours after DNS changes before enabling DKIM in Microsoft 365
- Error 3: Only one selector configured
- Solution: Check that both selector1 and selector2 are correctly configured
DMARC Errors
- Error 1: Syntax error in the DMARC record
- Solution: Verify the syntax with a DMARC validator
- Error 2: Reporting address uses the same domain as the DMARC record
- Solution: Configure an additional DMARC record for the reporting domain or use an external reporting address
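To catch the syntax error described above before publishing, and to produce each step of the phased rollout from the DMARC Settings section, the following parser, validator and phase helper are an added example written for this guide (not Microsoft's code). The rollout order, the valid pct range of 1-100 and the sample records are taken from the guide; the tag order in generated records is not significant to DMARC.

```python
VALID_POLICIES = ("none", "quarantine", "reject")
def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags

def validate_dmarc(record):
    """Return the list of problems a validator would flag; [] means the record is usable."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if record.split(";", 1)[0].strip().lower() != "v=dmarc1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # the guide gives 1-100 as the valid range
    if not pct.isdigit() or not 1 <= int(pct) <= 100:
        problems.append("pct must be a whole number from 1 to 100")
    for tag in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        if tag in tags and not all(u.lower().startswith("mailto:") and "@" in u for u in uris):
            problems.append(f"{tag} must be one or more mailto: addresses")
    return problems

# Rollout order from the phased implementation above: (policy, pct)
PHASES = [("none", 100), ("quarantine", 25), ("quarantine", 50),
          ("quarantine", 75), ("quarantine", 100), ("reject", 100)]

def next_phase(record):
    """Return the record for the next rollout step (unchanged once p=reject is reached)."""
    tags = parse_dmarc(record)
    current = (tags.get("p"), int(tags.get("pct", "100")))
    idx = PHASES.index(current) if current in PHASES else 0
    policy, pct = PHASES[min(idx + 1, len(PHASES) - 1)]
    tags["p"] = policy
    if pct == 100:
        tags.pop("pct", None)  # pct=100 is the default, so drop the tag
    else:
        tags["pct"] = str(pct)
    return "; ".join(f"{k}={v}" for k, v in tags.items())
```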
MX Errors
- Error 1: Conflict between different email services
- Solution: Remove all non-Microsoft 365 MX records if you exclusively use Microsoft 365
- Error 2: Incorrect MX value
- Solution: Confirm the exact MX record value in the Microsoft 365 admin center
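The DKIM and MX errors above (wrong CNAME targets, a missing second selector, leftover non-Microsoft MX records, a wrong priority) come down to comparing what DNS actually serves with the records the DKIM Settings and MX Records sections describe. The following checker is an added example written for this guide, not Microsoft's tooling; the tenant values (domain GUID "example-com", initial domain "contoso") and the observed answers are constructed placeholders, and the real values come from the Microsoft 365 admin center.

```python
M365_MX_SUFFIX = ".mail.protection.outlook.com"

def expected_m365_records(domain, domain_guid, initial_domain):
    """Build the DKIM CNAME and MX records this guide says Microsoft 365 needs.
    domain_guid and initial_domain are the tenant values from the admin center."""
    dkim_target = f"._domainkey.{initial_domain}.onmicrosoft.com"
    return {
        "cname": {
            f"selector1._domainkey.{domain}": f"selector1-{domain_guid}{dkim_target}",
            f"selector2._domainkey.{domain}": f"selector2-{domain_guid}{dkim_target}",
        },
        # MX host: the domain with dots replaced by hyphens, priority 0
        "mx": [(0, domain.replace(".", "-") + M365_MX_SUFFIX)],
    }

def audit_records(observed, expected):
    """Compare observed DNS answers with the expected set and list the problems.
    observed = {"cname": {name: target}, "mx": [(priority, host), ...]}"""
    problems = []
    for name, target in expected["cname"].items():
        seen = observed["cname"].get(name)
        if seen is None:
            problems.append(f"missing CNAME {name} (only one selector configured?)")
        elif seen.lower().rstrip(".") != target.lower():  # tolerate trailing dot / case
            problems.append(f"{name} points to {seen}, expected {target}")
    mx = [(prio, host.lower().rstrip(".")) for prio, host in observed["mx"]]
    wanted = expected["mx"][0][1]
    others = [host for _, host in mx if not host.endswith(M365_MX_SUFFIX)]
    if others:
        problems.append("non-Microsoft MX records present: " + ", ".join(others))
    if wanted not in [host for _, host in mx]:
        problems.append(f"missing MX {wanted}")
    for prio, host in mx:
        if host == wanted and prio != 0:
            problems.append(f"MX {host} has priority {prio}; the guide recommends 0")
    return problems

# Constructed observed answers for a hypothetical tenant (selector2 missing, old MX left behind)
OBSERVED = {
    "cname": {"selector1._domainkey.example.com":
              "selector1-example-com._domainkey.contoso.onmicrosoft.com."},
    "mx": [(0, "example-com.mail.protection.outlook.com."),
           (10, "mail.legacy-host.example.net.")],
}

if __name__ == "__main__":
    for issue in audit_records(OBSERVED, expected_m365_records("example.com", "example-com", "contoso")):
        print(issue)
```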
Testing Tools and Resources
To verify your settings, use the following tools:
Microsoft 365 Official Documentation
Conclusion
Correctly configuring these four security components (SPF, DKIM, DMARC, and MX) is crucial to ensure your email security with Microsoft 365. By following this guide, you can create a robust email security profile that protects your organization against spoofing, phishing, and other email-related threats.
Remember that DNS changes can take 24-48 hours to propagate globally, so be patient when testing after making changes. For complex environments with hybrid solutions or special needs, consider consulting a Microsoft specialist for customized configuration.