How to Set Up DMARC, SPF and DKIM for Microsoft 365
Without SPF, DKIM and DMARC configured on your domain, anyone can send emails that appear to come from your email address. This is used for Business Email Compromise (BEC) attacks where attackers send fake invoices, payment change requests or phishing emails that look exactly like they came from your company. These three DNS records are free to configure and block the vast majority of email spoofing attacks.
Go to mxtoolbox.com/spf, enter your domain and check if SPF is configured. Do the same at mxtoolbox.com/dmarc. Many Malaysian business domains have no SPF and no DMARC, making them trivially spoofable.
Step 1: Add the SPF Record
SPF tells the world which mail servers are allowed to send email for your domain. For Microsoft 365, the record is standardised.
Log Into Your Domain DNS
Log into your domain registrar or DNS hosting provider. Common providers for Malaysian domains:
- .com.my / .my domains: MYNIC registrars such as Exabytes, Shinjiru, WebServer Malaysia
- .com domains: GoDaddy, Namecheap, Cloudflare DNS
- Cloudflare: If your nameservers point to Cloudflare, manage DNS at dash.cloudflare.com
Navigate to the DNS management section for your domain.
Add the SPF TXT Record
Add a new TXT record:
- Type: TXT
- Name / Host: @ (root of the domain)
- Value:
v=spf1 include:spf.protection.outlook.com -all
Save the record. DNS propagation takes 15 minutes to 48 hours. The -all at the end means hard fail – email from servers not in this list will be marked as failing SPF. If you also use other email services (Mailchimp, Xero, Freshdesk), add their include: mechanisms before the -all. Example with Mailchimp:
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
Step 2: Enable DKIM in Microsoft 365
Enable DKIM Signing
Go to security.microsoft.com (Microsoft 365 Defender). Navigate to Email & collaboration > Policies & rules > Threat policies. Click DKIM.
Select your domain from the list. Click the toggle to enable DKIM. You will see an error initially – this is expected as the CNAME records have not been added to DNS yet.
Copy the two CNAME records shown on the page. They will look like:
selector1._domainkey.yourdomain.com CNAME selector1-yourdomain-com._domainkey.yourtenantname.onmicrosoft.com
selector2._domainkey.yourdomain.com CNAME selector2-yourdomain-com._domainkey.yourtenantname.onmicrosoft.com
Add DKIM CNAME Records to DNS
Return to your domain DNS and add both CNAME records:
- Type: CNAME
- Name: selector1._domainkey
- Value: the value copied from Microsoft 365 (long .onmicrosoft.com address)
Repeat for selector2._domainkey. After DNS propagates (15 minutes to 24 hours), return to the DKIM page in Microsoft 365 Defender and click Enable again. It should now show as enabled with a green checkmark.
Step 3: Add the DMARC Record
Add DMARC TXT Record to DNS
Add a new TXT record in your domain DNS:
- Type: TXT
- Name / Host: _dmarc
- Value (start with monitoring):
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1
Replace dmarc-reports@yourdomain.com with a real mailbox you can monitor.
After 2 to 4 weeks of reviewing reports and confirming no legitimate email is failing, update to quarantine:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com
After another 2 to 4 weeks with no issues, update to reject:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
After DNS propagates, check all three at mxtoolbox.com: mxtoolbox.com/spf, mxtoolbox.com/dkim and mxtoolbox.com/dmarc. All three should show green. Run a test email through mail-tester.com to see a full authentication report.
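To sanity-check record values before pasting them into DNS, here is an added Python example (not part of the original guide) that applies the rules above to SPF and DMARC TXT values: the SPF record must name spf.protection.outlook.com, end in -all and stay under the 10-lookup limit, and the DMARC record must carry a valid p= policy and an rua= reporting address. The domain and mailbox in the sample records are constructed placeholders.

```python
import re

# Constructed sample TXT values mirroring the records this guide adds;
# "example.my" and its mailbox are placeholders, not a real tenant.
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.my; ruf=mailto:dmarc-reports@example.my; fo=1"

# Terms that each cost one of the 10 DNS lookups SPF allows (RFC 7208 section 4.6.4).
LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(:|=|$)", re.I)

def check_spf(record):
    """Return a list of findings for an SPF TXT value; an empty list means it passes this guide's checks."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    if "include:spf.protection.outlook.com" not in terms:
        findings.append("missing include:spf.protection.outlook.com (Microsoft 365 senders not authorised)")
    last = terms[-1]
    if last != "-all":
        findings.append("record should end with -all (hard fail); found %r" % last)
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceed the limit of 10 (SPF permerror)" % lookups)
    return findings

def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(record):
    """Return findings for a DMARC TXT value against the staged rollout this guide describes."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject; found %r" % policy)
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine, then reject, once reports are clean")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("rua= missing, so no aggregate reports will arrive")
    return findings
```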
Need IT Help in Malaysia?
Cybergate provides cybersecurity services for businesses across Malaysia. Our team is available Monday to Saturday, 9am to 6pm.
