How To Set Up Email Authentication with Microsoft Office (SPF, DKIM, DMARC)

We’re seeing more and more deliverability issues with clients these days and too many companies don’t have basic email authentication set up with their office email and email marketing service providers. The most recent was an e-commerce company we’re working with that sends their support messages out of Microsoft Exchange Server.
This is important because the client’s customer support emails are sent through this mail exchange and then routed through their support ticketing system. So, it’s essential that we set up email authentication so that those emails don’t get inadvertently rejected.
When you first set up Microsoft Office on your domain, Microsoft has a nice integration with many domain registrars and DNS hosts where it automatically adds the necessary mail exchange (MX) records as well as a Sender Policy Framework (SPF) record for your Office email. SPF lists the servers allowed to send mail for your domain; it is published as a TXT record at the apex of your domain and, with Microsoft sending your office email, looks like this:
v=spf1 include:spf.protection.outlook.com -all
SPF alone only checks that the connecting server is allowed to send for the envelope (MAIL FROM) domain; it says nothing about the From: address the recipient actually sees, so by itself it does little to stop someone spoofing your domain. Two further mechanisms close that gap. DomainKeys Identified Mail (DKIM) has the sending server sign each message with a private key, while the matching public key (typically RSA) is published in DNS under a selector so that any receiver can verify the signature; with Microsoft 365, Microsoft holds the private key and signs on your behalf. Domain-based Message Authentication, Reporting and Conformance (DMARC) then ties SPF and DKIM to the visible From: domain (this is called alignment), tells receivers how strictly to act on messages that fail (a policy of none, quarantine or reject), and names an address where receivers send reports about mail claiming to be from your domain. It is a domain's DMARC policy, not SPF on its own, that makes spoofing your domain unattractive to a spammer.
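How a receiving mail server applies a DMARC policy, as an added example that is not code from the original article or from Microsoft: it parses the record, checks identifier alignment between the From: domain and the domains that SPF and DKIM actually authenticated, and returns the disposition the policy asks for. The domains and records are constructed, and the two-label shortcut for the organizational domain is an assumption (real receivers consult the Public Suffix List).

```python
"""Evaluate a message against a DMARC policy the way a receiving MTA does.

Added example (not from the original article). Given the SPF and DKIM
results a receiver computed, decide whether the message passes DMARC
under the sending domain's policy and what disposition the policy asks
for. Domain names and records are constructed for illustration.
"""
from __future__ import annotations


def parse_tags(record: str) -> dict[str, str]:
    """Parse a 'tag=value; tag=value' DMARC-style record into a dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption: good enough for example.com-style names; real receivers
    use the Public Suffix List so that co.uk-style suffixes work."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) accepts any subdomain of the same org."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(dmarc_record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Return {'pass': bool, 'disposition': str, 'reasons': [...]}.

    spf_domain is the envelope-from (MAIL FROM) domain SPF was checked on;
    dkim_domain is the d= of the signature that verified. The pct= and sp=
    tags are deliberately not modelled here.
    """
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    policy = tags.get("p", "none")

    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    reasons = [
        f"spf={spf_result} domain={spf_domain} aligned={spf_ok}",
        f"dkim={dkim_result} d={dkim_domain} aligned={dkim_ok}",
    ]

    # DMARC needs only ONE aligned pass; a failing SPF (e.g. after
    # forwarding) is fine as long as the DKIM signature survived.
    passed = spf_ok or dkim_ok
    disposition = "none" if passed else policy
    return {"pass": passed, "disposition": disposition, "reasons": reasons}


if __name__ == "__main__":
    # Constructed record: strict DKIM alignment, relaxed SPF alignment.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    legit = evaluate_dmarc(record, "example.com",
                           "pass", "mail.example.com", "pass", "example.com")
    spoof = evaluate_dmarc(record, "example.com",
                           "fail", "attacker.invalid", "pass", "attacker.invalid")
    print("legitimate:", legit)
    print("spoofed:   ", spoof)
```

The third case in the test below is the one that trips people up: a valid signature from mail.example.com is not aligned with a From: of example.com once adkim=s is set, so tightening alignment without checking which subdomains actually sign can turn your own mail into rejects.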
Steps to set up DKIM in Office 365
Many hosted email providers hand you the DKIM public key itself as a TXT record to publish in your zone. Microsoft does it a little differently: you publish two CNAME records that point into your tenant’s onmicrosoft.com zone, so the public key lives in DNS that Microsoft controls and Microsoft can rotate it between the two selectors without you touching your records. This approach is becoming common in the industry, especially with email service providers and DMARC-as-a-service providers that want to manage the records on your behalf.
- Publish two CNAME records in the DNS zone of your sending domain. The host names are relative to that domain (so selector1._domainkey becomes selector1._domainkey.yourdomain), and in the target Microsoft replaces the dots in your sending domain with hyphens (example.com becomes example-com):
CNAME: selector1._domainkey
VALUE: selector1-{your sending domain, dots replaced by hyphens}._domainkey.{your office subdomain}.onmicrosoft.com
TTL: 3600
CNAME: selector2._domainkey
VALUE: selector2-{your sending domain, dots replaced by hyphens}._domainkey.{your office subdomain}.onmicrosoft.com
TTL: 3600
Of course, you need to substitute your sending domain and your tenant’s initial onmicrosoft.com subdomain in the example above. The DKIM page in the admin portal shows the exact targets for your tenant when you try to enable signing, so copy them from there rather than typing them by hand.
- Create your DKIM keys in the Microsoft Defender portal (security.microsoft.com), Microsoft’s administration panel for managing security, policies, and permissions. In the current portal the DKIM page is under Email & collaboration > Policies & rules > Threat policies > Email authentication settings, on the DKIM tab; older versions of the portal linked to it from the anti-spam settings. Select your custom domain and create the keys.

- Once you have created your DKIM keys, turn on “Sign messages for this domain with DKIM signatures”. Microsoft checks that the two CNAME records resolve before it lets you enable signing, so if you only just published them you may get an error: DNS changes can take hours, occasionally longer, to propagate because resolvers cache records for the TTL.
- Once signing is enabled, run your DKIM tests to ensure it’s properly working: send a message from the domain to a mailbox outside your tenant and inspect the Authentication-Results header on the received copy. You want dkim=pass with header.d= set to your sending domain and header.s= set to selector1 or selector2, alongside spf=pass and dmarc=pass.
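The two records and the final test above, worked through as an added example (not the article’s own code and not anything from Microsoft): the first function builds the CNAME names and targets for a given sending domain and tenant following the pattern described above (dots in the custom domain become hyphens), and the header check is what you run against a message you sent to an external mailbox after enabling signing. The domain example.com, the tenant name contoso and the Authentication-Results header are constructed for illustration.

```python
"""Build the DKIM CNAME records Microsoft 365 expects for a custom domain
and check a test message's Authentication-Results header.

Added example, not from the original article. The CNAME naming pattern
follows the one shown in the article; the sample header is constructed
and the domain/tenant names are placeholders.
"""
from __future__ import annotations

import re


def m365_dkim_cnames(sending_domain: str, tenant: str) -> list[dict]:
    """Return the two CNAME records to publish under sending_domain.

    In the target name the dots of the custom domain are replaced with
    hyphens, e.g. example.com -> selector1-example-com._domainkey.<tenant>.onmicrosoft.com
    """
    dashed = sending_domain.lower().replace(".", "-")
    initial_domain = f"{tenant.lower()}.onmicrosoft.com"
    return [
        {
            "name": f"selector{n}._domainkey.{sending_domain.lower()}",
            "type": "CNAME",
            "target": f"selector{n}-{dashed}._domainkey.{initial_domain}",
            "ttl": 3600,
        }
        for n in (1, 2)
    ]


# method=result pairs and the properties we care about in the header.
AUTH_RESULTS_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"\b(header\.d|header\.s|header\.from|smtp\.mailfrom)=([\w.\-@]+)")


def parse_auth_results(header: str) -> dict:
    """Pull the method results and their properties out of an
    Authentication-Results header value (folded lines are joined first)."""
    value = " ".join(header.split())
    results = {m.group(1): m.group(2) for m in AUTH_RESULTS_RE.finditer(value)}
    props = {m.group(1): m.group(2) for m in PROP_RE.finditer(value)}
    return {"results": results, "props": props}


def dkim_test_ok(header: str, sending_domain: str) -> tuple[bool, str]:
    """The check to run on a message you sent after enabling signing:
    dkim=pass, signed by your own domain, with one of Microsoft's two
    selectors. Returns (ok, explanation)."""
    parsed = parse_auth_results(header)
    res, props = parsed["results"], parsed["props"]
    if res.get("dkim") != "pass":
        return False, f"dkim result is {res.get('dkim')!r}, expected 'pass'"
    if props.get("header.d", "").lower() != sending_domain.lower():
        return False, f"signed by {props.get('header.d')!r}, not {sending_domain}"
    if props.get("header.s") not in ("selector1", "selector2"):
        return False, f"unexpected selector {props.get('header.s')!r}"
    return True, f"DKIM pass for {sending_domain} with {props['header.s']}"


# Constructed sample header in the shape a receiving mail server adds;
# 192.0.2.10 is a TEST-NET address, not a real sending IP.
SAMPLE_HEADER = """mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.com;
 dkim=pass (signature was verified) header.d=example.com header.s=selector1;
 dmarc=pass action=none header.from=example.com"""


if __name__ == "__main__":
    for rec in m365_dkim_cnames("example.com", "contoso"):
        print(f"{rec['name']}  {rec['type']}  {rec['target']}  TTL {rec['ttl']}")
    print(dkim_test_ok(SAMPLE_HEADER, "example.com"))
```

A header.d= that is your tenant's onmicrosoft.com domain rather than your own domain means the message was signed with Microsoft's default key, not yours: the signature is valid but it does not align with your From: domain for DMARC, which is exactly the state this procedure is meant to get you out of.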
What About Email Authentication and Deliverability Reporting?
Reporting belongs to DMARC, not DKIM: the rua= tag in your DMARC record names a mailbox where receiving systems send aggregate reports (and ruf= an address for per-message failure reports, which are rarely sent any more). The aggregate reports arrive as XML attachments that summarize, per source IP, how much mail claiming your domain each receiver saw and whether it passed SPF, DKIM and DMARC alignment. They are not meant to be read by hand, so the address should not be a normal mailbox someone has to watch; point it at a DMARC reporting service, or parse the XML yourself. Microsoft’s DKIM page tells you whether signing is enabled and lets you rotate keys, but it is not where DMARC reports land, so reporting needs to be set up separately.
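What a DMARC aggregate report contains and how to reduce it to something actionable, as an added example rather than code from the article: the XML is a constructed sample in the RFC 7489 aggregate-report layout with placeholder domains and TEST-NET addresses, and the summary groups the rows by source IP so you can see which senders pass and which do not.

```python
"""Summarize a DMARC aggregate (rua) report.

Added example, not from the original article. Receivers send these as
XML (usually zipped) to the mailto: address in your rua= tag; the XML
below is a constructed sample in the RFC 7489 aggregate-report layout
with placeholder domains and TEST-NET addresses.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mx.example.net</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.invalid</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate per source IP: messages seen, how many passed DMARC,
    the dispositions applied, and which DKIM d=/selector and SPF
    domains the receiver observed for that source."""
    root = ET.fromstring(xml_text)
    summary: dict = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.iterfind("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results; one aligned pass
        # is enough for DMARC to pass.
        dmarc_pass = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        src = summary["sources"].setdefault(ip, {
            "messages": 0, "dmarc_pass": 0, "dispositions": defaultdict(int),
            "dkim_domains": set(), "spf_domains": set()})
        src["messages"] += count
        if dmarc_pass:
            src["dmarc_pass"] += count
        src["dispositions"][pe.findtext("disposition")] += count
        for d in rec.iterfind("auth_results/dkim"):
            src["dkim_domains"].add(f"{d.findtext('domain')}:{d.findtext('selector')}")
        for s in rec.iterfind("auth_results/spf"):
            src["spf_domains"].add(s.findtext("domain"))
    return summary


def unauthenticated_sources(summary: dict) -> list[str]:
    """Source IPs that sent mail claiming your domain and never passed
    DMARC: either a sender you forgot to authorize, or someone spoofing you."""
    return [ip for ip, s in summary["sources"].items() if s["dmarc_pass"] == 0]


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f"{summary['reporter']} reporting on {summary['domain']} (p={summary['policy']})")
    for ip, s in summary["sources"].items():
        print(f"  {ip}: {s['dmarc_pass']}/{s['messages']} passed, "
              f"dispositions={dict(s['dispositions'])}, "
              f"dkim={sorted(s['dkim_domains'])}, spf={sorted(s['spf_domains'])}")
    print("needs attention:", unauthenticated_sources(summary))
```

In practice the second kind of row is the interesting one: before moving from p=none to quarantine or reject, every source that shows up without an aligned pass has to be identified as either a legitimate sender to add to SPF or DKIM (a ticketing system, a marketing platform) or as abuse you are happy to have rejected.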
