The more malicious varieties of email spoofing can cause serious problems and pose security risks; prevent email spoofing in your Office 365 tenant with these features

Office 365 offers several services to prevent email spoofing and phishing in your tenant. I will be highlighting three of them below. It is highly recommended that you set up all three to cut down on unwanted email and to stop legitimate mail from your organization being flagged as spam, both internally and externally.

Sender Policy Framework (SPF)

An SPF record is a TXT record that is manually added to your domain's DNS. It identifies which mail servers are authorized to send on behalf of your domain. When someone receives an email from you, their mail server looks up that DNS entry to confirm that the sending server is one you have authorized. Without this validation, the recipient's settings may outright flag the message as suspicious or reject it.

So how do you add an SPF record for your custom domain?

An administrator logged in to your DNS provider will need to add a new TXT record. The record can be written multiple ways, but the most common scenario is that you are fully hosted in Office 365. If that is the case, you will want to add the following (the include mechanism points at Microsoft's published list of Office 365 sending servers):

v=spf1 include:spf.protection.outlook.com -all

If you are set up in a hybrid scenario, the record will require more information. For example, you will need the IP addresses of all on-premises message servers, as well as any third-party domains that need to be included. Microsoft provides a handy chart that lists the additional syntax you will need for your record.

spf table

DomainKeys Identified Mail (DKIM)

In conjunction with setting up your SPF record, you should also be using DKIM. This is another service that helps prevent spoofers from sending emails that appear to come from your domain. The main idea behind DKIM is that your outbound messages (selected headers and the body) are signed with a private key held by your mail service, while the matching public key is published in your DNS record. When the recipient receives your email, their server looks up that public key in your DNS and verifies the signature. If the signature verifies, the email legitimately came from your domain and was not altered in transit, so it can be marked as safe.

So how do I set up DKIM?

DKIM will already be set up for your initial Office 365 domain, but any custom domains will need to be added manually to your DNS record and then enabled in the Exchange Admin Center. For your custom domains, you will need to set up two CNAME records for each custom domain.

Here is the format for the CNAME records:

Host Name: selector1._domainkey.<domain>

Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>

TTL: 3600


Host Name: selector2._domainkey.<domain>

Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>

TTL: 3600

The domainGUID will need to be the same as the domainGUID in your MX record for that custom domain. It will appear before


Example: You have an initial domain of and a custom domain of

Host Name:

Points to address or value:

TTL: 3600


Host Name: selector2._domainkey.

Points to address or value: selector2-

TTL: 3600

Once the CNAME records have been added for each custom domain, you will need to log in to your Office 365 admin portal.

  • On the left-hand pane, click Admin Centers and then Exchange.

Admin Center Screenshot

  • On the left-hand pane click Protection, then on the tab at the top, click DKIM.

DKIM screenshot

  • Select the domain and click Enable.

DKIM screenshot

PowerShell command (alternate method):

New-DkimSigningConfig -DomainName <domain> -Enabled $true

Domain-based Message Authentication, Reporting and Conformance (DMARC)

The final piece of the puzzle is DMARC, which builds on SPF and DKIM to ensure that messages from your domain are trusted at their destination. The main purpose of DMARC is to publish a policy that tells receiving servers what to do with a message that fails SPF and DKIM authentication (or whose authenticated domain does not align with the From address).

How do I set up DMARC?

DMARC checking is performed automatically by Office 365 for inbound mail, so no extra configuration is needed on that end. For outbound mail, you will need to create the following TXT record and add it to your DNS:

_dmarc.domain TTL IN TXT "v=DMARC1; pct=100; p=policy"

Domain = Your custom domain name

TTL = Should equal one hour (3600 seconds)

pct = If set to 100, the rule will be used for 100% of email

policy = The action that receiving servers will take if DMARC fails. This can be set to none, quarantine, or reject

Example: _dmarc.<domain> 3600 IN TXT "v=DMARC1; pct=100; p=quarantine"

Once the record is published, it is best practice to monitor the impact the policy has on delivery of mail sent from your domain, since the policy is applied by every receiving server. Starting with p=none and tightening to quarantine or reject once you are confident all legitimate senders pass SPF or DKIM is the usual approach; you can adjust the TXT record as necessary to accommodate your needs.
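As an added example (not from the original article or from Microsoft), here is a small offline Python checker for the three records described above: the SPF TXT record, the two DKIM selector CNAMEs and the DMARC TXT record. The domain names, domainGUID and record values used with it are constructed placeholders; the rua= tag it looks for is the standard DMARC aggregate-report address, which the article's example record does not include.

```python
# Added example: offline audit of the SPF, DKIM and DMARC records an Office 365 tenant publishes.
O365_SPF_INCLUDE = "include:spf.protection.outlook.com"  # Microsoft's published O365 sender list


def audit_spf(txt):
    """Return findings for an SPF TXT value; an empty list means it looks right for O365."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must begin with v=spf1"]
    findings = []
    if O365_SPF_INCLUDE not in [t.lower() for t in terms]:
        findings.append("SPF: missing " + O365_SPF_INCLUDE)
    if terms[-1].lower() not in ("-all", "~all"):
        findings.append("SPF: record should end with -all (hard fail) or ~all (soft fail)")
    return findings


def audit_dkim(cnames, domain, domain_guid, initial_domain):
    """Check both selector CNAMEs (dict of host -> target) against the article's format."""
    findings = []
    for n in (1, 2):
        host = f"selector{n}._domainkey.{domain}"
        want = f"selector{n}-{domain_guid}._domainkey.{initial_domain}"
        got = cnames.get(host)
        if got is None:
            findings.append(f"DKIM: CNAME {host} is missing")
        elif got.rstrip(".").lower() != want.lower():
            findings.append(f"DKIM: {host} points to {got}, expected {want}")
    return findings


def audit_dmarc(txt):
    """Return findings for a DMARC TXT value (v=DMARC1; p=...; pct=...; rua=...)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must begin with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: p= must be none, quarantine or reject, got {policy!r}")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:  # no aggregate-report address means you never see who fails
        findings.append("DMARC: no rua= address, so no aggregate reports will be received")
    return findings


if __name__ == "__main__":  # constructed sample: a broken SPF and the article's DMARC example
    print(audit_spf("v=spf1 -all"), audit_dmarc('"v=DMARC1; pct=100; p=quarantine"'))
```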

For more information regarding SPF, DKIM, and DMARC please read the following Microsoft articles:

Set up SPF in Office 365 to help prevent spoofing

Use DKIM to validate outbound email sent from your custom domain in Office 365

Use DMARC to validate email in Office 365
