Implementing SPF, DKIM & DMARC
This guide outlines how to implement SPF, DKIM, and DMARC within Microsoft 365 to improve email security and ensure messages are properly authenticated. These steps help prevent spoofing, phishing, and unauthorised use of your school’s domain in email.
SPF was already in place for this school.
1. Accessing Microsoft 365 Security Settings
- Go to the Microsoft 365 Security portal:
https://security.microsoft.com
- In the left-hand menu, navigate to:
Policies & Rules > Threat Policies > Email Authentication
- At the top of the page, select DKIM.
2. Configuring DKIM
- Click Create DKIM.
- Turn DKIM On.
You’ll receive an error message containing two CNAME records that need to be added to your domain’s DNS.
- Copy these records and add them to your DNS hosting provider.
In our case, we used Cloudflare.
Example CNAME Records:
| Record Name | Points To |
| --- | --- |
| selector1._domainkey.YOURDOMAIN.com | selector1-YOURDOMAIN._domainkey.shawprimarythurrocksch.onmicrosoft.com |
| selector2._domainkey.YOURDOMAIN.com | selector2-YOURDOMAIN._domainkey.shawprimarythurrocksch.onmicrosoft.com |
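Note: Replace YOURDOMAIN with your actual domain name. The onmicrosoft.com hostname in the Points To values is the one Microsoft 365 generated for our tenant, so copy the exact values shown in your own error message.
- Once the records are added, return to the DKIM page in Microsoft 365 and enable DKIM again.
- It can take anywhere from a few minutes to 4 days for the records to propagate and validate.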
3. Creating a DMARC Record
We used MXToolbox to generate our DMARC record. Their record generator makes it easy to create a basic configuration.
- Go to https://mxtoolbox.com/DMARCRecordGenerator.aspx
- Create a new TXT record on your DNS with the name:
_dmarc.YOURDOMAIN.com
- Enter the following value (example configuration in reporting mode):
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
- We recommend creating a dedicated mailbox such as [email protected] to receive these reports.
The p=none policy places DMARC in reporting mode. Once you confirm all records are working as expected, you can change this to p=quarantine or p=reject to actively protect your domain.
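Before pasting a DMARC value into DNS, it helps to lint it locally. The following is an added example, not part of the original guide: a small Python checker that parses a record like the one above and reports whether it is still in reporting mode. The function names are hypothetical, and `example.org` with the `dmarc-reports` mailbox are constructed placeholders.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT value into a tag -> value dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    """Return (tags, findings) for one DMARC TXT value."""
    findings = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {}, [f"ERROR: {exc}"]
    # RFC 7489: v=DMARC1 must be the first tag and p must be present.
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", record):
        findings.append("ERROR: record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"ERROR: p must be one of {sorted(VALID_POLICIES)}")
    elif policy == "none":
        findings.append("INFO: p=none is reporting mode; spoofed mail is not blocked")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not re.fullmatch(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", uri, re.I):
                findings.append(f"ERROR: {tag} URI is not a valid mailto: {uri}")
    if "rua" not in tags:
        findings.append("WARN: no rua address, so no aggregate reports will arrive")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"WARN: pct={tags['pct']} applies the policy to only part of the mail")
    return tags, findings

# Constructed sample records; example.org and the mailbox are placeholders.
REPORTING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org; ruf=mailto:dmarc-reports@example.org; fo=1"
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"

if __name__ == "__main__":
    for rec in (REPORTING, ENFORCING, "p=reject; v=DMARC1"):
        print(rec, lint_dmarc(rec)[1], sep="\n  ")
```

An empty findings list for the enforcing record means the syntax is sound; it does not confirm that the record has been published or has propagated.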
4. Verification and Testing
After creating and saving your DNS records, use the following tools to verify that everything is set up correctly:
- MXToolbox: https://mxtoolbox.com
Check SPF, DKIM, and DMARC status.
- DNSChecker: https://dnschecker.org
Verify DNS propagation across global servers.
5. Summary
Implementing SPF, DKIM, and DMARC is a critical step in protecting your school or business email domain.