SPF, DKIM and DMARC are the three records that keep Microsoft 365 email trustworthy. If they are not aligned correctly, you can see spoofing risk, poor inbox placement and unnecessary delivery problems.
What each record does
- SPF lists which servers can send mail for your domain.
- DKIM signs messages so receiving systems can verify integrity.
- DMARC tells receivers what to do when mail fails authentication.
Microsoft 365 setup flow
- Confirm the domain inside Microsoft 365.
- Publish the SPF record with the correct Microsoft 365 include.
- Enable DKIM signing for the domain.
- Set a DMARC policy that matches your rollout stage.
- Monitor reports and adjust if legitimate mail is failing.
Common mistakes to avoid
- Publishing duplicate SPF records.
- Turning on a strict DMARC policy too early.
- Forgetting third-party senders like billing tools or marketing platforms.
- Skipping validation after DNS propagation.
Related Microsoft 365 guides
Frequently asked questions
Why do SPF, DKIM and DMARC matter for Microsoft 365?
They improve trust, reduce spoofing risk and help legitimate email reach inboxes more reliably.
Should DMARC start in quarantine or reject mode?
Most businesses begin with monitoring or quarantine and move to stricter enforcement after validation.
Can Cloudfy configure the records for us?
Yes. Cloudfy can manage the DNS work and verify the results after propagation.
Need email authentication setup?
Start with the Microsoft 365 business page and let Cloudfy handle the domain authentication path during rollout.
Go to Microsoft 365 for Business