Email Authentication
Configure and manage email authentication protocols (SPF, DKIM, DMARC) for your domains in Exchange Online. Together they let receiving servers verify that a message claiming your domain was sent by a host you authorized (SPF) or carries a signature made with your key (DKIM), and tell receivers how to treat messages that fail (DMARC), so spoofing of your domain can be detected and rejected.
Note: Proper email authentication is essential for deliverability and security. Messages failing authentication are more likely to be marked as spam or rejected by receiving servers.
Authentication Protocols
SPF (Sender Policy Framework)
DNS TXT record, published at your domain's apex, that lists the hosts authorized to send mail for your domain:
- Specifies which mail servers can send email for your domain, by IP range (ip4/ip6), by A or MX lookup, or by including another domain's policy
- Receiving servers check the connecting IP against the SPF record of the envelope sender domain (the SMTP MAIL FROM), not the visible From header
- Results: Pass, Fail, SoftFail, Neutral, None, PermError, TempError
- At most 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) may be evaluated; more gives PermError
DKIM (DomainKeys Identified Mail)
Cryptographic signature added to outgoing messages:
- Private key on the sending server signs selected headers and a hash of the body
- Public key published in DNS at selector._domainkey.signingdomain for verification
- Proves the signed headers and body were not modified in transit and ties the message to the signing domain (d=)
- Exchange Online uses two selectors per domain (selector1 and selector2); one is active at a time, and the other allows the key to be rotated without a gap in signing
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Policy published by the owner of the From header domain that tells receiving servers how to treat messages that fail DMARC, meaning neither SPF nor DKIM passed for a domain aligned with the From header:
- Requires alignment between the From header domain and the domain SPF authenticated (the envelope sender) or DKIM authenticated (d=); relaxed alignment accepts a subdomain, strict requires an exact match
- Policies: none (monitor only), quarantine, reject
- Sends aggregate reports (rua=) to the specified addresses; failure reports (ruf=) are optional and not all receivers send them
DNS Record Configuration
SPF Record
| Component | Value | Purpose |
|---|---|---|
| v=spf1 | Required | SPF version identifier |
| include:spf.protection.outlook.com | Required | Microsoft 365 sending IPs |
| Additional includes | Optional | Third-party services that send as your domain; every include, a, mx, ptr, exists and redirect term counts toward the limit of 10 DNS lookups |
| -all or ~all | Required | Hard fail (-all) or soft fail (~all) for senders not listed; never use +all, which authorizes any host |
DKIM Records
Two CNAME records required per domain, with values Exchange Online generates when you create the DKIM signing configuration for the domain:
- selector1._domainkey.yourdomain.com — Points to selector1-domainGUID._domainkey.tenantname.onmicrosoft.com
- selector2._domainkey.yourdomain.com — Points to selector2-domainGUID._domainkey.tenantname.onmicrosoft.com
Here domainGUID is your domain with dots replaced by dashes (contoso-com for contoso.com), the same value used in the domain's MX host, and tenantname.onmicrosoft.com is the tenant's initial domain. Copy the exact values shown for the domain rather than constructing them by hand.
DMARC Record
TXT record at _dmarc.yourdomain.com:
- v=DMARC1 — Version identifier; must be the first tag
- p= — Policy for the domain (none, quarantine, reject); sp= optionally sets a different policy for subdomains
- rua= — Aggregate report destination, as a mailto: URI (comma-separated for several)
- pct= — Percentage of failing messages the policy is applied to (default 100); the rest receive the next weaker policy, which lets you ramp from quarantine to reject gradually
- adkim= / aspf= — Alignment mode for DKIM and SPF: r (relaxed, the default) or s (strict)
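As an added example (not part of this page or of Exchange Online), the following Python script checks record values of the kinds described in this section without touching DNS: it validates an SPF record's version, Microsoft include and terminal qualifier and counts the terms that cost a DNS lookup, derives the two CNAME targets Exchange Online expects, and parses and sanity-checks a DMARC record. The sample records and the contoso.com / contoso.onmicrosoft.com names are constructed; the domainGUID derivation (dots replaced by dashes) is an assumption to confirm against the values Exchange Online generates for your domain.

```python
"""Offline validator for the SPF, DKIM CNAME and DMARC records described above.

The record strings below are constructed samples for a fictional domain, not
real DNS data; in practice feed it the TXT/CNAME values returned by dig or
Resolve-DnsName.
"""

MS_SPF_INCLUDE = "spf.protection.outlook.com"
# Mechanisms and modifiers that each cost a DNS lookup under the RFC 7208 limit of 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10


def check_spf(record: str, required_include: str = MS_SPF_INCLUDE) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means it looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    findings = []
    if not any(t.lower() == f"include:{required_include}" for t in terms):
        findings.append(f"missing include:{required_include}")
    # Strip the qualifier (+ - ~ ?) and any :target, =value or /cidr suffix to get the name.
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_LOOKUPS} (PermError)")
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"'{terms[-1]}' does not reject unauthorized senders; end with -all or ~all")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("record does not end with -all or ~all")
    return findings


def expected_dkim_cnames(domain: str, initial_domain: str) -> dict[str, str]:
    """CNAME records Exchange Online expects for a custom domain.

    Assumption: the domainGUID is the custom domain with dots replaced by dashes,
    matching the tenant's MX host (contoso-com.mail.protection.outlook.com); check
    it against the values Exchange Online shows for the domain before publishing.
    """
    guid = domain.lower().replace(".", "-")
    return {
        f"selector{n}._domainkey.{domain}": f"selector{n}-{guid}._domainkey.{initial_domain}"
        for n in (1, 2)
    }


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record; an empty list means it looks sound."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"p= must be none, quarantine or reject (got {policy!r})")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    elif not all(u.strip().startswith("mailto:") for u in tags["rua"].split(",")):
        findings.append("rua= entries must be mailto: URIs")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct= must be 0-100 (got {pct!r})")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag}= must be r (relaxed) or s (strict)")
    return findings


# Constructed sample records (fictional domain).
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.crm.example -all"
BAD_SPF = "v=spf1 ip4:203.0.113.0/24 +all"
GOOD_DMARC = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@contoso.com; adkim=s"
BAD_DMARC = "v=DMARC1; p=block; rua=dmarc@contoso.com"

if __name__ == "__main__":
    for label, findings in (("SPF ok", check_spf(GOOD_SPF)), ("SPF bad", check_spf(BAD_SPF)),
                            ("DMARC ok", check_dmarc(GOOD_DMARC)), ("DMARC bad", check_dmarc(BAD_DMARC))):
        print(label, findings or ["no findings"])
    for name, target in expected_dkim_cnames("contoso.com", "contoso.onmicrosoft.com").items():
        print(f"{name} CNAME {target}")
```

The lookup count is an upper bound from the record text alone: nested includes also count, so a record that passes here can still exceed the limit once the included domains are resolved.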
Authentication Status
| Status | SPF | DKIM | DMARC |
|---|---|---|---|
| Configured | TXT record exists at the domain apex | Both selector CNAME records published | TXT record exists at _dmarc.yourdomain.com |
| Enabled | Record includes spf.protection.outlook.com and every other sending source | Signing enabled for the domain in Exchange Online | p= policy set (p=none counts as enabled but enforces nothing) |
| Aligned | Envelope sender (MAIL FROM) domain matches the From header domain | Signing domain (d=) matches the From header domain | At least one of SPF or DKIM passes with an aligned domain |
Enabling DKIM
- Add CNAME records — Publish the two DKIM CNAME records for the domain in your public DNS, using the values Exchange Online shows for that domain.
- Wait for propagation — DNS changes may take up to 48 hours; Exchange Online will not enable signing until it can resolve both CNAMEs.
- Enable signing — Turn on DKIM signing for the domain under Email authentication settings in the Microsoft Defender portal, or with Set-DkimSigningConfig -Identity yourdomain.com -Enabled $true in Exchange Online PowerShell.
- Verify — Send a test message to an external mailbox and inspect the received headers: DKIM-Signature should show d=yourdomain.com and s=selector1 or s=selector2, and Authentication-Results should show dkim=pass. A d= of tenantname.onmicrosoft.com means the message is still signed with the default key for the initial domain.
Best Practices
- Configure all three protocols — SPF, DKIM, and DMARC work together for comprehensive authentication.
- Include all sending sources in SPF — Any service that sends mail with your domain as the envelope sender (Exchange Online, marketing platforms, ticketing systems) must be covered, or its messages fail SPF; stay within the limit of 10 DNS lookups, beyond which the record evaluates to PermError.
- Enable DKIM signing — A DKIM signature survives plain forwarding, which breaks SPF because the forwarder's IP is not in your record; it does not survive mailing lists or gateways that rewrite signed headers or the body.
- Start DMARC at p=none — Collect and review aggregate reports until every legitimate sending source passes aligned SPF or DKIM, then move to quarantine and reject, using pct= to ramp, so legitimate mail is not blocked.
API Reference
- GET /api/exchange/email-authentication/:domain — Get authentication status for a domain
- POST /api/exchange/dkim/:domain/enable — Enable DKIM signing
- GET /api/exchange/dkim/:domain/status — Get DKIM configuration status
- GET /api/exchange/authentication-report — Get authentication pass/fail statistics