DMARC setup for Microsoft 365

# DMARC for inbound mail You don't have to do a thing to set up [[Domain-based Message Authentication, Reporting and Conformance (DMARC)|DMARC]] for mail that you receive in Microsoft 365. It's all taken care of. If you want to learn what happens to mail that fails to pass our DMARC checks, see [How Microsoft 365 handles inbound email that fails DMARC](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#how-microsoft-365-handles-inbound-email-that-fails-dmarc).^[[Use DMARC to validate email, setup steps | Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#set-up-dmarc-for-inbound-mail)] # DMARC for outbound mail from Microsoft 365 If you have a custom domain or are using on-premises Exchange servers along with Microsoft 365, you need to manually set up DMARC for your outbound mail. Setting up DMARC for your custom domain includes these steps: - Step 1: Identify valid sources of mail for your domain - Step 2: Set up [[Sender Policy Framework (SPF)|SPF]] for your domain - Step 3: Set up [[DomainKeys Identified Mail (DKIM)|DKIM]] for your custom domain - Step 4: Form the DMARC TXT record for your domain ## Step 1: Identify valid sources of mail for your domain If you have already set up [[SPF]], then you've already gone through this exercise. There are some further considerations for [[DMARC]]. When identifying sources of mail for your domain, answer these two questions: - What IP addresses send messages from my domain? - For mail sent from third parties on my behalf, will the 5321.MailFrom and 5322.From domains match? ## Step 2: Set up [[SPF]] for your domain https://mxtoolbox.com/SPFRecordGenerator.aspx ## Step 3: Setup up [[DomainKeys Identified Mail (DKIM)|DKIM]] for your custom domain ^[[How to use DKIM for email in your custom domain | Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide)] ### Web page [DKIM page](https://security.microsoft.com/dkimv2) ### PowerShell^[[How to use DKIM for email in your custom domain | Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide#steps-to-manually-set-up-dkim-using-powershell)] For each domain for which you want to add a [[DKIM]] signature in [[HPS - DNS]], you need to publish two CNAME records. Run the following commands in [[Exchange Online PowerShell]] to create the selector records: ```PowerShell New-DkimSigningConfig -DomainName <domain> -Enabled $false Get-DkimSigningConfig -Identity <domain> | Format-List Selector1CNAME, Selector2CNAME ```