DMARC for Microsoft 365

Microsoft 365 can sign outbound mail with DKIM and align with SPF when you use the correct outbound routing. DMARC ties those signals together so receivers know it is really your tenant sending as your domain.

  1. Enable and confirm DKIM for your domain inside the Microsoft Defender portal or classic Exchange admin paths—Microsoft publishes two selector CNAMEs you must add at DNS.
  2. Keep SPF accurate for mail that leaves Microsoft's infrastructure, including any third-party senders that use your domain in the From header.
  3. Publish DMARC with p=none and aggregate reporting to learn which senders pass or fail before you tighten policy.
  4. Use report data to fix forwarded mail, marketing tools, and shadow IT senders—then move toward quarantine and reject when failures are under control.

Our scanner checks MX-detected providers and surfaces copy-ready DNS fixes.
