While Microsoft handles the SPF record for your onmicrosoft.com domain, DKIM and DMARC require separate configuration. This guide will show you how to add these important records to enhance your email security.


Every Microsoft 365 tenant has a built-in domain ending in onmicrosoft.com, known as the Microsoft Online Email Routing Address (MOERA) domain. This domain is essential for your email functionality, but it's important to secure it with additional authentication methods beyond the default SPF record provided by Microsoft. Here's why:

  • Enhanced Email Security: Implementing DKIM and DMARC alongside SPF strengthens your email authentication, making it harder for phishers to spoof your onmicrosoft.com domain.
  • Reduced Spam and Phishing: With proper authentication, email recipients can verify the legitimacy of emails sent from your organization, minimizing the risk of spam and phishing attacks.


DMARC improves email deliverability and security. Microsoft doesn’t automatically add the DMARC record, so you need to add the record for the onmicrosoft.com domain in Microsoft 365.



Add DKIM for onmicrosoft.com domain


DKIM stands for DomainKeys Identified Mail and is an email authentication protocol. In Microsoft 365, DKIM uses two selectors, so you need to add them both.


To add DKIM for your onmicrosoft.com domain, follow these steps:


  1. Sign in to Microsoft Defender
  2. Click Email & collaboration > Policies & rules
  3. Click Threat Policies
  4. Click Email authentication settings
  5. Click the tab DKIM
  6. Click your onmicrosoft.com domain
  7. Select Enabled




Enabling DKIM automatically adds the DKIM selector1 record for your onmicrosoft.com domain. You also need to add the DKIM selector2 record.


Click Rotate DKIM keys to automatically add the DKIM selector2 record to the DNS records.


Add DMARC for onmicrosoft.com domain


You also need to add the DMARC record for your onmicrosoft.com domain.


To add the DMARC TXT record for your onmicrosoft.com domain, follow these steps:


  1. Sign in to Microsoft 365 admin center
  2. Click Settings > Domains
  3. Click onmicrosoft.com domain



  4. Click DNS records
  5. Click Add record
  6. Select TXT (Text)
  7. TXT name: _dmarc
  8. TXT value: v=DMARC1; p=reject (or as per your requirement p=none or p=quarantine)
  9. TTL: 1 hour
  10. Click Save
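
Once the record is saved, the published value can be checked. The following is an added example, not part of the original guide: a small linter for the TXT strings returned for the _dmarc name of your onmicrosoft.com domain. It assumes the strings have already been fetched from DNS and unquoted; the function names, the pct check and the sample values are constructed for illustration.

```python
# Added example: lint the TXT value(s) returned for _dmarc.<tenant>.onmicrosoft.com.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_tags(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs plus malformed parts."""
    pairs, malformed = [], []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue  # a trailing ';' is allowed
        tag, sep, value = part.partition("=")
        if sep and tag.strip():
            pairs.append((tag.strip().lower(), value.strip()))
        else:
            malformed.append(part)
    return pairs, malformed


def check_dmarc(txt_records):
    """Return (policy, findings); policy is None when no usable record exists."""
    # Only records whose first tag is v=DMARC1 count (RFC 7489, section 6.6.3).
    parsed = [parse_tags(r) for r in txt_records]
    dmarc = [(p, bad) for p, bad in parsed if p and p[0] == ("v", "DMARC1")]
    if len(dmarc) != 1:
        # Zero or several DMARC records: receivers apply no DMARC policy at all.
        return None, [f"expected exactly one v=DMARC1 record, found {len(dmarc)}"]
    pairs, malformed = dmarc[0]
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None, [f"missing or invalid p= tag: {tags.get('p')!r}"]
    findings = [f"malformed tag ignored: {m!r}" for m in malformed]
    if policy == "none":
        findings.append("p=none is monitor-only; failing mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        findings.append(f"invalid pct value: {pct!r}")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: {policy} applies to only part of failing mail")
    return policy, findings


# Constructed sample: the guide's TXT value plus an unrelated TXT record at the same name.
SAMPLE = ["v=DMARC1; p=reject", "MS=ms00000000"]
if __name__ == "__main__":
    print(check_dmarc(SAMPLE))
```

A result of `('reject', [])` means exactly one DMARC record is published and it enforces the policy you entered; any entries in the findings list describe why enforcement is weaker than intended.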