Guide
SPF, DKIM, and DMARC for Microsoft 365 senders
Last updated July 1, 2026
Email authentication is how receiving servers confirm your newsletter really came from your domain and was not forged. Microsoft 365 relies on three standards that work together. Configure all three for every custom domain you send from; Microsoft notes that anything less results in substandard protection.
The three standards
- SPF (Sender Policy Framework) lists the servers allowed to send mail for your domain, as a TXT record at your DNS host. For Microsoft 365 domains, Microsoft recommends ending the record with -all (hard fail).
- DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message that survives forwarding, so receivers can verify the message was not altered. You enable it with CNAME records and the Microsoft Defender portal.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers what to do with mail that fails SPF and DKIM, and where to send reports. A message passes DMARC if SPF or DKIM passes and aligns with the From domain.
The order that matters
Set them up in this order, because DMARC depends on the other two:
- SPF for each custom domain and subdomain you send from.
- DKIM signing using your custom domain.
- DMARC, starting at p=none to monitor with the rua and ruf reporting addresses, then p=quarantine, then p=reject once your legitimate mail passes cleanly.
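The checks below apply the SPF ending and the DMARC rollout order described above to TXT record values you paste in. This is an added example, not code from Microsoft or SimpleNewsletter365; the function names, the contoso.com reporting address, and the sample records are constructed for illustration, and no DNS lookup is performed.

```python
# Added example: offline lint of SPF and DMARC TXT values against the guide's advice.
DMARC_STAGES = ["none", "quarantine", "reject"]  # rollout order from the guide
ALL_TERMS = {"all", "+all", "-all", "~all", "?all"}

def check_spf(txt):
    """Return findings for one SPF TXT value; an empty list means nothing to fix."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    # Assumption: redirect= modifiers are not followed by this check.
    alls = [t for t in terms[1:] if t in ALL_TERMS]
    if not alls:
        return ["no 'all' mechanism; the guide recommends ending with -all"]
    if alls[0] != "-all":
        return [f"uses {alls[0]}; the guide recommends -all (hard fail)"]
    return []

def parse_tags(txt):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt):
    """Return findings for one DMARC TXT value, including the next rollout step."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    policy = tags.get("p", "").lower()
    if policy not in DMARC_STAGES:
        return [f"missing or invalid p= tag: {policy!r}"]
    findings = [f"no {t}= reporting address" for t in ("rua", "ruf") if not tags.get(t)]
    stage = DMARC_STAGES.index(policy)
    if stage < len(DMARC_STAGES) - 1:
        findings.append(f"p={policy}: move to p={DMARC_STAGES[stage + 1]} "
                        "once legitimate mail passes cleanly")
    return findings

# Constructed sample records for the placeholder domain contoso.com.
SAMPLES = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@contoso.com",
}

if __name__ == "__main__":
    for finding in check_spf(SAMPLES["spf"]) + check_dmarc(SAMPLES["dmarc"]):
        print("-", finding)
```
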
A useful tip from Microsoft: for mail from services outside your direct control, use a subdomain (for example marketing.contoso.com) so any issues do not affect the reputation of your main domain. Each subdomain needs its own SPF and DKIM.
How this applies to SimpleNewsletter365
Because SimpleNewsletter365 sends through your own Microsoft 365 mailbox rather than a separate sending service, your existing SPF, DKIM, and DMARC for the domain apply automatically. There is no third-party sending service to add to your SPF record, which is one less way for authentication to break.
Sources
- Email authentication in cloud organizations (Microsoft Learn)
- Set up SPF for Microsoft 365 (Microsoft Learn)
- Set up DKIM for Microsoft 365 (Microsoft Learn)
- Set up DMARC for Microsoft 365 (Microsoft Learn)
Frequently asked questions
Do I need SPF, DKIM, and DMARC to send newsletters from Microsoft 365?
To land reliably in the inbox, yes. SPF, DKIM, and DMARC are interdependent standards that prove your mail is genuine. Microsoft recommends configuring all three for every custom domain you send from; anything less gives substandard protection against spoofing.
In what order should I set up SPF, DKIM, and DMARC?
Configure them in this order: SPF first, then DKIM, then DMARC. DMARC relies on the results of SPF and DKIM, so it should be added last, starting with a monitoring policy.
What DMARC policy should I use?
Start with p=none to monitor, using the rua and ruf reporting addresses, then move to p=quarantine, and finally p=reject once you have confirmed your legitimate mail passes. Microsoft recommends reaching p=reject for all custom domains.
Does SimpleNewsletter365 change my email authentication?
No. Because SimpleNewsletter365 sends through your own Microsoft 365 mailbox, your existing SPF, DKIM, and DMARC for the domain apply automatically. You do not add a new sending service to your SPF record.