Email Security

DMARC, SPF, and DKIM Explained: Email Authentication for M365

By 365 Security Assessment Team


Email remains one of the most critical attack vectors in organizations today. Threat actors routinely exploit authentication weaknesses to impersonate trusted senders, compromise user accounts, and distribute malware. For MSPs and MSSPs managing Microsoft 365 environments, implementing robust email authentication protocols isn’t optional—it’s essential to protecting your clients’ data and reputation.

This guide explains three foundational email authentication mechanisms: SPF, DKIM, and DMARC. By the end, you’ll understand how each works, why they matter for M365 security, and how to configure them correctly.

Understanding Email Authentication Protocols

Email authentication verifies that messages truly originate from the claimed sender. Without it, attackers can spoof addresses belonging to executives, customers, or trusted partners—a technique called domain spoofing. The three primary protocols address different aspects of email validation.

SPF: Sender Policy Framework

SPF is the first line of defense. It allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain.

How SPF Works:

SPF Configuration for M365:

In the Microsoft 365 admin center, navigate to Settings > Domains and select your domain. For a domain whose outbound mail goes only through Microsoft 365, the SPF record should include Microsoft's published sending range (spf.protection.outlook.com, not outlook.com itself):

v=spf1 include:spf.protection.outlook.com ~all

For custom routing or third-party services sending on your behalf, add an include for each service (the two non-Microsoft includes below are placeholders; use the include your provider documents, and stay within SPF's limit of 10 DNS lookups):

v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:your-crm.com ~all

Key considerations:

DKIM: DomainKeys Identified Mail

DKIM adds cryptographic signatures to email messages. It proves the message hasn’t been altered in transit and confirms the sender’s identity.

How DKIM Works:

DKIM Configuration for M365:

Microsoft 365 automatically generates DKIM keys for your domain. To enable DKIM:

  1. In the Microsoft 365 admin center, go to Protection > DKIM
  2. Select your domain and click Enable
  3. Microsoft publishes two CNAME records to your DNS
  4. Wait 24-48 hours for DNS propagation
  5. Verify DKIM status shows as “enabled”

For custom domains, the two CNAME records take the following form. The target is your tenant's initial domain (yourtenant.onmicrosoft.com is a placeholder), and the custom domain appears with its dots replaced by dashes:

selector1._domainkey.yourdomain.com CNAME selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey.yourdomain.com CNAME selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

The dual selectors provide key rotation capability without email disruption.

DMARC: Domain-based Message Authentication, Reporting, and Conformance

DMARC ties SPF and DKIM together. It tells receiving servers what to do if authentication fails and provides reporting on email flows.

How DMARC Works:

DMARC Policy Levels:

p=none: Monitor only. Receivers take no action on failing messages but still send reports.
p=quarantine: Receivers route failing messages to the spam or junk folder.
p=reject: Receivers refuse failing messages outright.

DMARC Configuration for M365:

Publish a DMARC TXT record in your DNS:

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1"

Breakdown:

v=DMARC1: Protocol version; must be the first tag.
p=none: Policy applied to messages that fail DMARC (monitor only at this stage).
rua: Mailbox that receives aggregate (daily summary) reports from receivers.
ruf: Mailbox that receives forensic (per-message failure) reports, where receivers support them.
fo=1: Generate a failure report if either SPF or DKIM fails to produce an aligned pass, rather than only when both fail.

Phased DMARC Implementation:

Week 1-2: Deploy at p=none and monitor reports for legitimate senders
Week 3-4: Identify unauthorized sources and add exceptions if needed
Week 5-8: Move to p=quarantine and monitor spam folder for false positives
Week 9+: Progress to p=reject for maximum protection

Alignment and Best Practices

For SPF and DKIM to protect against spoofing, they must be aligned with DMARC. Alignment means the domain in the visible From header matches the domain that SPF checked (the envelope MAIL FROM domain) or the domain in the DKIM signature's d= tag. A message passes DMARC only if at least one of the two mechanisms passes and is aligned; an unaligned pass counts as a failure.

DMARC supports two alignment modes:

Relaxed (aspf=r / adkim=r): The authenticated domain and the From domain only need to share the same organizational domain, so mail.yourdomain.com aligns with yourdomain.com.
Strict (aspf=s / adkim=s): The domains must match exactly.

Configuration for Relaxed Alignment:

_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; aspf=r; adkim=r; rua=mailto:dmarc-reports@yourdomain.com"
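To make the alignment rules concrete, here is an added Python example (not code from this article or from Microsoft) that parses a DMARC record, applies relaxed or strict alignment to the SPF and DKIM results, and returns the disposition a receiver would apply. The organizational-domain helper is a deliberate simplification (last two labels); a production validator must consult the Public Suffix List.

```python
# Added example: DMARC alignment and disposition logic, written for this article.
# Assumption: org_domain() uses the last two labels instead of the Public Suffix
# List, so it is wrong for suffixes such as co.uk.

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; aspf=r' into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489 defaults: relaxed alignment when aspf/adkim are absent.
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: two-label public suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' or the policy action ('none', 'quarantine', 'reject').
    spf_domain is the envelope MAIL FROM domain; dkim_domain is the signature's d= tag."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")

if __name__ == "__main__":
    REC = "v=DMARC1; p=quarantine; aspf=r; adkim=r"  # constructed sample record
    # Legitimate M365 mail: DKIM d= matches the From domain exactly.
    print(dmarc_disposition(REC, "yourdomain.com", True, "yourdomain.com", True, "yourdomain.com"))
    # Third-party bulk sender signing as a subdomain: passes relaxed, would fail strict.
    print(dmarc_disposition(REC, "yourdomain.com", False, "", True, "mail.yourdomain.com"))
    # Message whose SPF/DKIM pass only for an unrelated domain: unaligned, so quarantined.
    print(dmarc_disposition(REC, "yourdomain.com", True, "unrelated.example", True, "unrelated.example"))
```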

Recommended Best Practices:

  1. Audit External Senders: List all applications, services, and partners that send email from your domain
  2. Enable BIMI: Add a Brand Indicators for Message Identification (BIMI) record to display your logo in email clients
  3. Monitor Continuously: Review DMARC reports weekly to catch spoofing attempts
  4. Test Configurations: Use tools like DMARC analyzer or MXToolbox to validate records
  5. Document Everything: Maintain a spreadsheet of authorized senders and SPF inclusions
  6. Train Users: Educate employees that email authentication isn’t foolproof; phishing remains a threat

Why This Matters for Your M365 Clients

Proper email authentication:

Most organizations skip or misconfigure these protocols, leaving doors open for attackers. As an MSP, you have an opportunity to differentiate your security offering by implementing these correctly for every client.

Ready to Strengthen Email Security?

Email authentication is just one component of a comprehensive Microsoft 365 security strategy. Domain spoofing, credential compromise, and advanced threats require multiple defensive layers.

Ready to assess your Microsoft 365 security posture? Run a free security assessment at 365 Security Assessment to identify authentication gaps, compliance risks, and remediation priorities for your organization.