ESP guide

DMARC for Microsoft 365: the gotchas that bite everyone

Microsoft 365 DMARC setup is mostly mechanical, but four specific behaviours trip up almost every tenant: SPF include depth, custom-domain DKIM, the legacy MX rewriting, and Exchange Online's group-message handling.

TL;DR

  • spf.protection.outlook.com counts as 2 DNS lookups against your SPF 10-lookup limit.
  • Custom-domain DKIM is OFF by default; you must turn it on in Defender, or DKIM signs with onmicrosoft.com.
  • Microsoft enforces DMARC reject on inbound mail as of May 5 2025; non-compliant senders bounce.

What it does

Microsoft 365 (Exchange Online + Defender for Office 365) handles outbound DKIM signing for your custom domain only if you explicitly enable it per-domain in the Microsoft 365 Defender admin centre. If you skip this step, every message you send signs with d=tenant.onmicrosoft.com, which can never align with your From: domain.

Inbound DMARC behaviour changed materially in 2024: Microsoft now honours p=quarantine and p=reject on inbound messages (it used to silently downgrade a reject to junk-folder delivery). This is good for your own spoofing protection, but it also means that non-compliant mail you send to M365 mailboxes will bounce.

How it works

  1. Publish SPF that includes spf.protection.outlook.com. Note: this include chains 2 DNS lookups, leaving 8 for the rest of your senders.

  2. Open Microsoft 365 Defender → Policies → Email authentication → DKIM. Select your domain. Click 'Enable'. M365 will display two CNAMEs (selector1._domainkey and selector2._domainkey). Publish those.

  3. Wait ~30 min for DNS to propagate, then re-enable DKIM in the Defender UI. The status should flip to Signing.

  4. Publish your DMARC record at _dmarc.yourdomain. Start at p=none.

  5. Watch aggregate reports. Microsoft's reports arrive from dmarc-reporting@protection.outlook.com.
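The DNS side of steps 1 to 4 can be checked before you click anything in the Defender UI. The script below is an added example, not the guide's own tooling: it counts the SPF terms that cost a DNS query (include, a, mx, ptr, exists, redirect) recursively so you can see what each include spends against the 10-lookup limit, confirms both selector CNAMEs resolve into an onmicrosoft.com zone, and reads the published DMARC policy. It runs against a constructed in-memory ZONE dict rather than live DNS; example.com, the crm-vendor include, the contoso tenant name and the nested include placed under spf.protection.outlook.com are all made-up stand-ins (the real chain behind that include may differ; the constructed one just reproduces the 2-lookup cost the guide quotes).

```python
"""Offline check of the DNS records that steps 1-4 ask you to publish.

Added example, not the guide's tooling. ZONE is a constructed stand-in for
live DNS; every name and record in it is illustrative.
"""

SPF_LIMIT = 10
# Terms that cost a DNS query under RFC 7208 section 4.6.4 (ip4/ip6/all do not).
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")

ZONE = {  # constructed: {name: {rrtype: [values]}}
    "example.com": {"TXT": [
        "v=spf1 include:spf.protection.outlook.com include:_spf.crm-vendor.example ip4:203.0.113.10 -all"]},
    "spf.protection.outlook.com": {"TXT": [
        "v=spf1 include:spf-a.protection.outlook.example ip4:198.51.100.0/24 -all"]},
    "spf-a.protection.outlook.example": {"TXT": ["v=spf1 ip4:198.51.100.128/25 -all"]},
    "_spf.crm-vendor.example": {"TXT": ["v=spf1 a mx include:sub1.crm-vendor.example -all"]},
    "sub1.crm-vendor.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "selector1._domainkey.example.com": {"CNAME": ["selector1-example-com._domainkey.contoso.onmicrosoft.com"]},
    "selector2._domainkey.example.com": {"CNAME": ["selector2-example-com._domainkey.contoso.onmicrosoft.com"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]},
}


def lookup(name, rrtype):
    """Stand-in for a resolver query; replace with a real DNS client for a live check."""
    return ZONE.get(name, {}).get(rrtype, [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def count_spf_lookups(domain, path=()):
    """Count DNS-querying terms reachable from domain's SPF record, following
    include/redirect. Shared nested includes are counted each time they are
    reached, as a receiver evaluating the record would; path only guards loops."""
    if domain in path:
        return 0
    rec = spf_record(domain)
    if rec is None:
        return 0
    total = 0
    for term in rec.split()[1:]:
        term = term.lstrip("+-~?")
        mech, _, arg = term.partition(":")
        if "=" in mech:                      # modifier form, e.g. redirect=other.example
            mech, _, arg = term.partition("=")
        mech = mech.lower()
        if mech not in LOOKUP_MECHS:
            continue
        total += 1
        if mech in ("include", "redirect"):
            total += count_spf_lookups(arg, path + (domain,))
    return total


def spf_budget(domain):
    """Cost of each top-level lookup term plus the total against SPF_LIMIT."""
    rec = spf_record(domain)
    if rec is None:
        return {}, 0
    costs = {}
    for term in rec.split()[1:]:
        t = term.lstrip("+-~?")
        key = t.split(":", 1)[0].split("=", 1)[0].lower()
        if key not in LOOKUP_MECHS:
            continue
        arg = t[len(key) + 1:] if key in ("include", "redirect") else ""
        costs[t] = 1 + (count_spf_lookups(arg, (domain,)) if arg else 0)
    return costs, sum(costs.values())


def dkim_cnames_published(domain, selectors=("selector1", "selector2")):
    """Both M365 selector CNAMEs must exist and point into the tenant's onmicrosoft.com zone."""
    return all(
        any(target.endswith(".onmicrosoft.com")
            for target in lookup(f"{sel}._domainkey.{domain}", "CNAME"))
        for sel in selectors)


def dmarc_policy(domain):
    """Return the p= tag of the published DMARC record, or None if there is none."""
    for txt in lookup(f"_dmarc.{domain}", "TXT"):
        if txt.upper().startswith("V=DMARC1"):
            tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
            return tags.get("p")
    return None


def audit(domain):
    costs, total = spf_budget(domain)
    return {
        "spf_has_m365": "include:spf.protection.outlook.com" in costs,
        "spf_lookups": total,
        "spf_within_limit": total <= SPF_LIMIT,
        "spf_costs": costs,
        "dkim_cnames": dkim_cnames_published(domain),
        "dmarc_policy": dmarc_policy(domain),
    }


if __name__ == "__main__":
    for key, value in audit("example.com").items():
        print(f"{key}: {value}")
```

In the constructed zone the M365 include costs 2 and the CRM vendor's include costs 4 (its own lookup plus a, mx and a nested include), for 6 of the 10 available; the per-term breakdown in spf_costs is what tells you which include to flatten or drop when the total creeps past 10.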

Common pitfalls

  • Forgetting to enable custom-domain DKIM. Outbound mail signs as tenant.onmicrosoft.com, never aligns, fails DMARC.

  • Hitting the SPF 10-lookup limit. spf.protection.outlook.com + Mimecast/Proofpoint + a few SaaS includes blows the budget. Flatten or remove rarely-used includes.

  • Mail-enabled security groups: when a member of a group sends to the group, Exchange rewrites the From, breaking alignment for downstream receivers. Use Modern Groups or shared mailboxes instead.

  • Connector-routed mail (third-party scanner → M365 → recipient) loses DKIM alignment if the scanner re-signs. Configure the connector to skip signing or pre-sign with your selector before routing.
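Step 5 and the pitfalls above meet in the aggregate (rua) reports. Three patterns are worth triaging automatically: a DKIM d= ending in onmicrosoft.com (custom-domain DKIM never enabled, so the signature verifies but cannot align), rows that pass only on SPF (which stop passing the moment forwarding or a group rewrite changes the path), and rows where the only signature belongs to a third party such as a scanner that re-signed before routing. The parser below is an added example, not code from Microsoft or from this guide; REPORT_XML is a constructed report with made-up IPs, counts and names (contoso.onmicrosoft.com, scanner.example) laid out in the RFC 7489 aggregate schema.

```python
"""Triage a DMARC aggregate report for the M365 failure modes in this guide.

Added example, not the guide's or Microsoft's code. REPORT_XML is a
constructed report; its IPs, counts and domains are illustrative.
"""
import xml.etree.ElementTree as ET

REPORT_XML = """<feedback>
  <report_metadata><org_name>Example Receiver</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <!-- M365 with custom-domain DKIM enabled: both identifiers aligned -->
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- M365 tenant that never enabled custom-domain DKIM: valid signature, wrong d= -->
  <record>
    <row><source_ip>198.51.100.6</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>contoso.onmicrosoft.com</domain><selector>selector1-example-com</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- Third-party scanner re-signed and sent from its own envelope: nothing aligns -->
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>scanner.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>scanner.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def parse_report(xml_text):
    """Flatten each <record> into the fields needed for triage."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        ar = rec.find("auth_results")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.find("identifiers").findtext("header_from"),
            # policy_evaluated carries the *aligned* verdicts; auth_results is the raw outcome
            "dkim_aligned": pe.findtext("dkim") == "pass",
            "spf_aligned": pe.findtext("spf") == "pass",
            "dkim_domains": [d.findtext("domain") for d in ar.findall("dkim")],
            "spf_domains": [s.findtext("domain") for s in ar.findall("spf")],
        })
    return rows


def classify(row):
    """Return (dmarc_status, flags); DMARC passes when either identifier aligns."""
    status = "pass" if (row["dkim_aligned"] or row["spf_aligned"]) else "fail"
    flags = []
    if any(d.endswith(".onmicrosoft.com") for d in row["dkim_domains"]):
        flags.append("dkim-signed-as-onmicrosoft")  # custom-domain DKIM not enabled in Defender
    if row["spf_aligned"] and not row["dkim_aligned"]:
        flags.append("spf-only")  # will fail once forwarding or a group rewrite alters the path
    if status == "fail" and row["dkim_domains"]:
        flags.append("third-party-signature")  # e.g. a scanner re-signed with its own d=
    return status, flags


def summarize(xml_text):
    """Per-source-IP verdicts plus message totals."""
    result = {"sources": {}, "messages_pass": 0, "messages_fail": 0}
    for row in parse_report(xml_text):
        status, flags = classify(row)
        result["sources"][row["ip"]] = {"count": row["count"], "status": status,
                                        "flags": flags, "dkim_domains": row["dkim_domains"]}
        result["messages_pass" if status == "pass" else "messages_fail"] += row["count"]
    return result


if __name__ == "__main__":
    s = summarize(REPORT_XML)
    print(f"pass={s['messages_pass']} fail={s['messages_fail']}")
    for ip, v in s["sources"].items():
        print(ip, v["count"], v["status"], ",".join(v["flags"]) or "-")
```

The second source is the one to act on first even though it still passes DMARC: it is passing on SPF alone, and the onmicrosoft.com d= says the Defender DKIM toggle in step 2 was never flipped for that domain.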