- Inventory every service that sends mail as your domain first; that list is the whole job.
- Publish one SPF record under ten lookups, then enable DKIM in Microsoft 365 and your other senders.
- Start DMARC at p=none to monitor, read the reports, and fix legitimate senders that fail.
- Ratchet DMARC to quarantine then reject, and SPF to -all, once your real mail passes.
This is the highest-leverage hour you can spend on email security, and it's the thing most small businesses get wrong or skip. Set up these three DNS records and your legitimate email lands reliably while spoofed email pretending to be you gets rejected. We'll go from nothing to a domain that's hard to impersonate.
The three records, in plain terms:
- SPF (Sender Policy Framework) lists which mail servers are allowed to send as your domain.
- DKIM (DomainKeys Identified Mail) cryptographically signs your outgoing mail so receivers can verify it really came from you.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving systems what to do when a message fails SPF or DKIM, and sends you reports on who is sending as you.
Before you start
- Access to your DNS host (where your domain lives, like GoDaddy or Cloudflare).
- Microsoft 365 admin access.
- A list of every service that sends email as your domain.
Step 1: Inventory your senders
Write down everything that sends mail as your domain: Microsoft 365 itself, your marketing platform, your CRM, your ERP, the copier's scan-to-email, your helpdesk tool. You need each one because they all have to be accounted for in SPF and DKIM, or their mail starts failing once you tighten the rules. This list is the whole job; the records are easy once you have it.
Step 2: Set up SPF (one record, carefully)
- In your DNS host, create or edit a single TXT record on your root domain.
- Start with Microsoft 365 and add each vendor's published include. A typical value:
v=spf1 include:spf.protection.outlook.com include:<your-vendor-include> ~all. - Two hard rules: you may have only one SPF record, and it must stay under ten DNS lookups total or it fails. Start the ending with
~all(soft fail) while you verify, and tighten to-all(hard fail) later.
Step 3: Turn on DKIM in Microsoft 365
- Go to the Microsoft Defender portal, then Email & collaboration, Policies & rules, Threat policies, Email authentication settings, DKIM.
- Select your domain. Microsoft will give you two CNAME records (selector1 and selector2).
- Add both CNAMEs in your DNS host.
- Come back to the DKIM page and switch Sign messages for this domain to Enabled. Confirm it shows as signing.
Step 4: Turn on DKIM for your other senders
For each third-party tool from your inventory, enable DKIM in that tool's settings. It will hand you its own CNAME or TXT record to add in DNS. Do this for the marketing platform, CRM, and any high-volume sender.
Step 5: Start DMARC in monitor mode
- Create a TXT record at the host name
_dmarc.yourdomain.com. - Begin gently:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1. p=nonemeans "don't block anything yet, just report." This is the safe starting point, and skipping it is how people accidentally drop their own invoices.
Step 6: Read the reports and fix the stragglers
The rua address starts receiving daily aggregate reports (they're XML, so use a free DMARC reporting reader to make them legible). Look for legitimate senders that are failing, and fix them by adding their include to SPF or enabling their DKIM. Keep going until all your real mail passes.
Step 7: Tighten the screws, gradually
Once your legitimate mail reliably passes, ratchet up: move DMARC from p=none to p=quarantine (you can phase it with pct=25, then 50, then 100), and finally p=reject. Move SPF from ~all to -all. Now spoofed mail in your name gets quarantined or rejected.
Step 8: Verify
Send a test message to a Gmail account and check the message headers for spf=pass, dkim=pass, and dmarc=pass, or run your domain through a public checker. Three passes means you're done.
Never create a second SPF record (two records equals automatic failure). Don't jump straight to p=reject, you'll lose legitimate mail. And don't route bulk or application-generated mail through Microsoft 365; send it through a dedicated relay instead, or it drags down your reputation.
Where to take it next
With authentication solid, the natural follow-on is configuring Defender for Office 365 (Safe Links, Safe Attachments, and impersonation protection), which stops the phishing that authentication alone doesn't. If you'd like a second set of eyes on your DNS before you tighten DMARC, let's talk it through.