Why DMARC Fails on Microsoft 365 (and How to Fix It)
Why Is DMARC Failing on My Microsoft 365 Emails?
The most common reason DMARC fails on Microsoft 365 mail is that DKIM signing has not been enabled for your custom domain. Until you enable it, Microsoft 365 signs outgoing email with the tenant's initial domain (yourtenant.onmicrosoft.com), so the DKIM signature does not align with your From: domain. DMARC passes when either SPF or DKIM passes and aligns, so mail sent directly from Microsoft 365 with a correct SPF record usually still passes on SPF alone. The DKIM gap shows up as soon as SPF cannot carry the message: when it is forwarded, relayed through a gateway, or sent with a Return-Path that is empty or on another domain. At that point neither identifier aligns and DMARC fails.
The good news: this is straightforward to fix once you know which settings to change.
The Three Common Causes
1. DKIM Is Signing with the Wrong Domain (Most Common)
Out of the box, Microsoft 365 uses yourtenant.onmicrosoft.com as the DKIM signing domain. Your emails show From: you@yourdomain.com, but the DKIM signature says d=yourtenant.onmicrosoft.com. Alignment fails.
How to check: Look at the email headers of a sent message:
DKIM-Signature: ... d=yourtenant.onmicrosoft.com; ...
If you see your onmicrosoft.com domain instead of your custom domain, this is the problem.
How to fix:
- Go to the Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM
- Select your custom domain
- Add the two CNAME records the portal displays to your DNS. They have the shape below; copy the exact values from the portal, since the target host names are derived from your tenant's initial domain:
selector1._domainkey.yourdomain.com CNAME selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey.yourdomain.com CNAME selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
- Return to the DKIM settings page and enable DKIM signing for your domain
- Microsoft will now sign outgoing email with
d=yourdomain.com
- Keep both CNAME records in place: Microsoft rotates signing between selector1 and selector2, and removing either record breaks signing when the rotation happens.
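To see why the d= domain decides the outcome, here is an added example (written for this page, not Microsoft's code or anything the page itself ships) that applies DMARC's identifier-alignment rules to constructed messages: the default tenant signing described above, the same message after forwarding, and an automatic reply with an empty Return-Path. The SPF and DKIM verdicts are passed in as inputs, because actually verifying a signature needs DNS; the organizational-domain helper assumes a one-label public suffix, which is an assumption for the example (real receivers consult the Public Suffix List).

```python
"""DMARC alignment decision for constructed messages (added example).

SPF/DKIM verification results are supplied by the caller; this only
implements the alignment step of RFC 7489 section 3.1.
"""
import email
from email.utils import parseaddr


def org_domain(domain):
    """Organizational domain. Assumption for this example: the public suffix
    is a single label (a.b.contoso.com -> contoso.com). Real receivers use
    the Public Suffix List instead."""
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:])


def aligned(auth_domain, from_domain, mode='r'):
    """Relaxed mode ('r', DMARC's default) accepts a shared organizational
    domain; strict mode ('s') requires an exact match. An empty domain
    (the null sender <>) never aligns."""
    if not auth_domain:
        return False
    if mode == 's':
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dkim_domains(msg):
    """d= tag of every DKIM-Signature header (folded headers are unfolded)."""
    domains = []
    for sig in msg.get_all('DKIM-Signature', []):
        for tag in sig.replace('\r', '').replace('\n', '').split(';'):
            key, _, value = tag.strip().partition('=')
            if key.strip().lower() == 'd':
                domains.append(value.strip())
    return domains


def dmarc_result(raw_message, spf_pass, dkim_pass, adkim='r', aspf='r'):
    """Return the aligned SPF/DKIM outcomes and the resulting DMARC verdict."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get('From', ''))[1].rpartition('@')[2]
    # Return-Path carries the SMTP MAIL FROM; it is '<>' for automatic replies.
    mailfrom = msg.get('Return-Path', '').strip().strip('<>')
    mailfrom_domain = mailfrom.rpartition('@')[2]
    spf_aligned = spf_pass and aligned(mailfrom_domain, from_domain, aspf)
    dkim_aligned = dkim_pass and any(
        aligned(d, from_domain, adkim) for d in dkim_domains(msg))
    return {
        'spf_aligned': spf_aligned,
        'dkim_aligned': dkim_aligned,
        'dmarc': 'pass' if (spf_aligned or dkim_aligned) else 'fail',
    }


# Constructed headers, not captured from a real tenant. Signature values are
# placeholders; only the d= tag matters for alignment.
DEFAULT_SIGNING = """From: Alice <alice@contoso.com>
Return-Path: <alice@contoso.com>
DKIM-Signature: v=1; a=rsa-sha256; d=contoso.onmicrosoft.com; s=selector1;
 h=from:to:subject; bh=placeholder; b=placeholder
Subject: quarterly numbers

body
"""

# Automatic replies go out with the null sender, so SPF cannot align on them.
AUTOREPLY_DEFAULT = DEFAULT_SIGNING.replace('Return-Path: <alice@contoso.com>',
                                            'Return-Path: <>')
# Same auto-reply after enabling DKIM for the custom domain.
AUTOREPLY_CUSTOM = AUTOREPLY_DEFAULT.replace('d=contoso.onmicrosoft.com',
                                             'd=contoso.com')

if __name__ == '__main__':
    print('direct, default signing:   ', dmarc_result(DEFAULT_SIGNING, True, True))
    print('forwarded, default signing:', dmarc_result(DEFAULT_SIGNING, False, True))
    print('auto-reply, default signing:', dmarc_result(AUTOREPLY_DEFAULT, True, True))
    print('auto-reply, custom DKIM:    ', dmarc_result(AUTOREPLY_CUSTOM, True, True))
```

The direct message passes on SPF even with the default signing, while the forwarded copy and the automatic reply fail; that is the pattern to expect in your reports until custom-domain DKIM is on.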
2. SPF Record Is Missing or Incorrect
Microsoft 365 publishes its outbound sending ranges under spf.protection.outlook.com, so your domain's SPF record must include it. If Microsoft 365 is your only sender, the record is:
v=spf1 include:spf.protection.outlook.com -all
If you are also using other sending services, merge them into a single record:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all
Common mistake: publishing two separate SPF TXT records. A domain may have only one SPF record; RFC 7208 requires receivers to return permerror when they find more than one, so neither record is evaluated and SPF fails for every message. A related mistake is exceeding the limit of 10 DNS-querying terms (include, a, mx, ptr, exists and redirect) across the record and everything it includes, which also yields permerror.
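An added check for the SPF mistakes above (example code written for this page, not Microsoft's tooling): it takes the TXT records for a domain in the form dig prints them, keeps only the v=spf1 ones, reports duplicate records, a missing include:spf.protection.outlook.com and a weak or missing terminal all, and counts the DNS-querying terms, including those inside include: and redirect= targets, against the limit of 10. The zone data is constructed; the entry for spf.protection.outlook.com is a stand-in built from documentation prefixes, not Microsoft's real record, which you would obtain from DNS.

```python
"""Offline SPF sanity checks for a domain's TXT records (added example)."""

# Terms that cost a DNS query under RFC 7208 section 4.6.4; more than ten
# across the record and everything it includes is a permerror.
LOOKUP_TERMS = {'include', 'a', 'mx', 'ptr', 'exists', 'redirect'}
MAX_LOOKUPS = 10
M365_INCLUDE = 'spf.protection.outlook.com'


def spf_records(txt_records):
    """Keep only SPF records, stripping the quotes dig prints around TXT data."""
    cleaned = [r.strip().strip('"') for r in txt_records]
    return [r for r in cleaned if r.lower().startswith('v=spf1')]


def term_name(term):
    """'include:x' -> 'include', 'redirect=x' -> 'redirect', 'a/24' -> 'a'."""
    term = term.lstrip('+-~?').lower()
    for sep in (':', '=', '/'):
        term = term.split(sep, 1)[0]
    return term


def count_lookups(record, resolve, depth=0):
    """Count lookup-costing terms, recursing into include: and redirect=.
    resolve(domain) returns that domain's TXT records (a dict lookup here,
    a DNS query in real use)."""
    if depth > MAX_LOOKUPS:          # guard against include loops
        return MAX_LOOKUPS + 1
    total = 0
    for term in record.split()[1:]:
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ('include', 'redirect'):
            sep = ':' if name == 'include' else '='
            target = term.lstrip('+-~?').split(sep, 1)[1]
            for sub in spf_records(resolve(target)):
                total += count_lookups(sub, resolve, depth + 1)
    return total


def check_spf(domain, resolve):
    """Return a list of findings; an empty list means the record looks sane."""
    records = spf_records(resolve(domain))
    if not records:
        return ['no SPF record found']
    findings = []
    if len(records) > 1:
        findings.append('%d SPF records published: RFC 7208 makes this a permerror,'
                        ' so neither record is used' % len(records))
    record = records[0]
    terms = record.split()[1:]
    if not any(t.lstrip('+-~?').lower() == 'include:' + M365_INCLUDE for t in terms):
        findings.append('missing include:' + M365_INCLUDE)
    last = terms[-1].lower() if terms else ''
    if last not in ('-all', '~all') and not last.startswith('redirect='):
        findings.append('record should end with -all (or ~all while testing), not %r'
                        % (last or 'nothing'))
    lookups = count_lookups(record, resolve)
    if lookups > MAX_LOOKUPS:
        findings.append('%d DNS lookups exceed the limit of %d (permerror)'
                        % (lookups, MAX_LOOKUPS))
    return findings


# Constructed zone data in dig's TXT output form. The spf.protection.outlook.com
# entry is a stand-in using documentation prefixes, not Microsoft's real record.
ZONE = {
    M365_INCLUDE: ['"v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"'],
    'good.example': ['"v=spf1 include:spf.protection.outlook.com -all"',
                     '"some-site-verification=abc123"'],
    'two.example': ['"v=spf1 include:spf.protection.outlook.com -all"',
                    '"v=spf1 include:sendgrid.net -all"'],
    'open.example': ['"v=spf1 include:spf.protection.outlook.com +all"'],
    'bloated.example': ['"v=spf1 include:spf.protection.outlook.com include:hub.example mx a -all"'],
    'hub.example': ['"v=spf1 ' + ' '.join('include:s%d.example' % i for i in range(7)) + ' -all"'],
}
ZONE.update({'s%d.example' % i: ['"v=spf1 ip4:198.51.100.%d -all"' % i] for i in range(7)})


def resolve(domain):
    """Stand-in for a DNS TXT query; unknown names resolve to nothing."""
    return ZONE.get(domain.lower(), [])


if __name__ == '__main__':
    for name in ('good.example', 'two.example', 'open.example', 'bloated.example'):
        print(name, check_spf(name, resolve) or ['ok'])
```

To run it against a live domain, replace resolve with a function that issues the TXT query (for example with dnspython) and keep the rest unchanged.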
3. Hybrid Exchange or Mail Routing Issues
If you have a hybrid Exchange setup (on-premises + cloud) or use a third-party email gateway (e.g., Mimecast, Proofpoint), your mail routing may cause alignment issues:
- On-premises servers may not sign with DKIM at all
- Email gateways may modify messages, breaking DKIM signatures
- Routing through multiple hops can change the envelope sender
Fix: Ensure DKIM signing happens at the last hop before the email reaches the internet, and that your SPF record authorizes that hop's IP addresses, since the receiver checks SPF against the connecting IP, not against Microsoft's ranges. Most email gateways support re-signing with your domain's DKIM key; if the gateway is the last hop, it must sign after any modifications it makes to the message.
Step-by-Step: Complete Microsoft 365 DMARC Setup
Step 1: Verify Your SPF Record
dig +short TXT yourdomain.com | grep -i spf1
Confirm that exactly one SPF record is returned and that it includes include:spf.protection.outlook.com.
Step 2: Enable DKIM for Your Custom Domain
Follow the DKIM instructions above to add CNAME records and enable signing.
Step 3: Publish a DMARC Record
If you do not have a DMARC record yet, start with monitoring:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
Step 4: Send a Test Email and Verify Headers
Send an email to a Gmail or other external account and inspect the headers (in Gmail, open the message and choose Show original):
Authentication-Results:
spf=pass (sender IP is X.X.X.X) smtp.mailfrom=yourdomain.com;
dkim=pass header.d=yourdomain.com;
dmarc=pass (p=none) header.from=yourdomain.com;
All three should show pass, and the domains after smtp.mailfrom, header.d and header.from should all be your custom domain. If header.d still shows yourtenant.onmicrosoft.com, DKIM for the custom domain is not enabled yet.
Step 5: Monitor and Enforce
Leave your DMARC policy at p=none for 2–4 weeks while monitoring reports. Once you confirm all legitimate email is passing, move to p=quarantine and eventually p=reject.
Edge Cases in Microsoft 365
Distribution groups and shared mailboxes — These use the same DKIM and SPF configuration as regular mailboxes. If DKIM is enabled for your domain, they will pass alignment.
Calendar invites and auto-replies — Microsoft 365 sends these from your domain by default. Automatic replies go out with an empty Return-Path (MAIL FROM <>), so SPF cannot align on them and only an aligned DKIM signature lets them pass DMARC. Both should pass once DKIM is enabled for your custom domain.
Power Automate and other M365 app emails — Some Microsoft services send email via different infrastructure. Check that these pass alignment in your DMARC reports. You may need to authorize additional IPs in SPF.
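Step 5 and the edge cases above both come down to reading the aggregate (rua) reports. Here is an added example, not code from this page or from any report-processing product, that parses the XML payload of one aggregate report (the reports arrive as gzip or zip attachments; unpacking is left out) and sorts its rows into the cases discussed: sources still signed with the tenant's onmicrosoft.com key, sources that pass only on SPF and would fail as soon as they are forwarded, and sources that fail outright. The report below is constructed with documentation addresses, not a real receiver's report.

```python
"""Triage one DMARC aggregate report (added example, constructed data)."""
import xml.etree.ElementTree as ET

# Constructed RUA report for contoso.com; IPs are documentation ranges.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>contoso.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results><dkim><domain>contoso.com</domain><result>pass</result><selector>selector1</selector></dkim>
      <spf><domain>contoso.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results><dkim><domain>contoso.onmicrosoft.com</domain><result>pass</result></dkim>
      <spf><domain>contoso.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results><dkim><domain>contoso.onmicrosoft.com</domain><result>pass</result></dkim>
      <spf><domain>contoso.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>50</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
    <auth_results><spf><domain>marketing.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_rows(xml_text):
    """One dict per <record>: aligned verdicts come from policy_evaluated,
    raw DKIM signing domains from auth_results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall('record'):
        row = rec.find('row')
        rows.append({
            'source_ip': row.findtext('source_ip'),
            'count': int(row.findtext('count')),
            'header_from': rec.findtext('identifiers/header_from'),
            'dkim_aligned': row.findtext('policy_evaluated/dkim') == 'pass',
            'spf_aligned': row.findtext('policy_evaluated/spf') == 'pass',
            'dkim_domains': [d.findtext('domain', '')
                             for d in rec.findall('auth_results/dkim')],
        })
    return rows


def triage(xml_text):
    """Bucket sources into the problems the article describes."""
    result = {'total': 0, 'failing_count': 0, 'default_m365_signing': [],
              'spf_only': [], 'failing': []}
    for r in parse_rows(xml_text):
        result['total'] += r['count']
        if any(d.lower().endswith('.onmicrosoft.com') for d in r['dkim_domains']):
            result['default_m365_signing'].append(r['source_ip'])
        if r['spf_aligned'] and not r['dkim_aligned']:
            result['spf_only'].append(r['source_ip'])   # breaks once forwarded
        if not (r['spf_aligned'] or r['dkim_aligned']):
            result['failing'].append(r['source_ip'])
            result['failing_count'] += r['count']
    return result


def failure_rate(xml_text):
    """Share of reported messages that failed DMARC outright."""
    t = triage(xml_text)
    return t['failing_count'] / t['total'] if t['total'] else 0.0


if __name__ == '__main__':
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
    print('failure rate: %.1f%%' % (100 * failure_rate(SAMPLE_REPORT)))
```

Before moving to p=quarantine, expect the spf_only list to be empty for your Microsoft 365 sources and the failing list to contain only senders you have decided not to authorize.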
FAQ
Do I need a DMARC record before enabling DKIM in Microsoft 365?
No. DKIM and DMARC are independent. You can (and should) enable DKIM even without a DMARC record. DMARC builds on top of DKIM and SPF, but each functions on its own.
How long does it take for DKIM to start working in Microsoft 365?
After adding the CNAME records and enabling DKIM in the admin portal, it typically takes 15–30 minutes. DNS propagation for the CNAME records can take up to 48 hours, so add those first and wait for them to propagate before enabling DKIM in the portal.
Can I use Microsoft 365 DKIM with a third-party DNS provider?
Yes. Microsoft 365 does not require you to use Microsoft DNS. You just need to add two CNAME records to whatever DNS provider manages your domain (Cloudflare, Route 53, GoDaddy, etc.).
Why does DMARC pass for some recipients but fail for others?
This usually indicates forwarding on the recipient's side. When a message is forwarded, SPF breaks because the forwarding server's IP is not in your SPF record. An intact DKIM signature survives forwarding, so once DKIM is enabled for your custom domain, forwarded mail still passes DMARC unless the forwarder modifies the signed content (for example, a mailing list adding a footer or a subject tag). That last case cannot be fixed on your end; it is a known limitation of email forwarding, which receivers mitigate with ARC.