Office365 DKIM and DMARC configuration

DKIM and DMARC are used to prevent spammers from spoofing your domain name. Configuring them in Office365 is quite easy, but must be done manually if you use a custom domain (so not the standard one). I assume that the standard DNS configuration, including the SPF record, is already done, as these records are set automatically or at least validated during the setup of a new domain.
To configure the DKIM and DMARC records, you just need to add a few DNS records and enable DKIM in Exchange Online:

Step 1: Enable DKIM

Go to the Exchange Admin Center and open dkim, which you can find under protection. Select your domain and press “enable”:

You’ll see that it tells you that the CNAME record does not exist. It also shows you which records you have to add. In my case, I configure it for the domain and therefore, the CNAME records are:

Type Host Value TTL
CNAME selector1._domainkey 3600
CNAME selector2._domainkey 3600

Wait a while and press enable again. Once it is enabled, you can also click “rotate” which activates rotation of DKIM signatures.

Step 2: Configure DMARC

To enable DMARC (Domain-based Message Authentication, Reporting and Conformance), just add another DNS entry:

Type Name Value TTL
TXT _dmarc v=DMARC1; p=reject; pct=100; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected] 3600

This entry tells receiving servers what to do with emails that fail the SPF and DKIM checks. It consists of a few parameters:

  • v is the version tag; its value is DMARC1
  • p is the policy to apply to email that fails the DMARC test. Values are: none (no action, just collect the data), quarantine (it's up to the receiver whether it moves such mails to spam, quarantines them or ignores them), reject (do not accept this mail)
  • pct is the percentage of mails which the DMARC policy covers
  • rua is the reporting URI to send aggregated feedback (XML file) to
  • ruf is the reporting URI to send forensic reports to

Step 3: Verify

To verify if all your settings are correct, you can use:
DKIM Check: (selector is “selector1” or “selector2”)
DMARC Check:

Additionally, send an email, e.g. to Google or wherever you want, and check the header. This header should contain something like:
dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;

Additional information

