Microsoft Office 365

How to set up DMARC for Microsoft Office 365 in Valimail

SPF (supported)
DKIM (recommended)

This article covers the SPF and DKIM authentication processes for Microsoft Office 365 and how they are managed in Valimail. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.

Configuring DKIM authentication for your Microsoft Office 365 emails

All the accepted domains of your tenant are shown in the Microsoft 365 Defender portal on the DKIM page. If you do not see your domain there, add it as an accepted domain from the Domains page. Once your domain is added, follow the steps below to configure DKIM.

Step 1: On the DKIM page, select the domain you wish to configure.

Selected domain to configure

Step 2: Slide the toggle to Enable. You will see a pop-up window stating that you need to add CNAME records.

Create DKIM Keys button

Step 3: Copy the CNAME records shown in the pop-up window.

Copy the DKIM records

Step 4: Publish the copied CNAME records to your DNS service provider.

Important: If you manage DKIM in Valimail, you will need to add the resulting 2 CNAME keys on your domain's Configuration page in Valimail Enforce.

Step 5: Return to the DKIM page to enable DKIM.

Click to enable DKIM

You can also find the instructions on how to turn on DKIM in M365 for your domain here.

Adding the Microsoft Office 365 DKIM keys in Valimail

You can find more detailed information on how to add a DKIM key in Valimail, here:

Configuring SPF authentication for your Microsoft Office 365 emails

Once you establish that Microsoft Office 365 is an authorized sender for your domain, you will need to add the service in your Enabled Senders.

You will find more detailed information on how to add a service for your domain in Valimail, here:

Note: We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.

Note: You may notice that M365 emails are not authenticated via SPF, even after you have added M365 to your domain's configuration. This is likely caused by M365 not sending SPF-aligned mail and can be corrected by making sure SPF alignment for your domain has been turned on in M365.

Enable SPF alignment in Microsoft Office 365 for your domain

You can find out more details on how to make sure SPF alignment is enabled for your domain in Microsoft Office 365, here.
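
To confirm the outcome of the DKIM and SPF steps above, you can send a test message and inspect its Authentication-Results header. The following is an added example, not code from Valimail or Microsoft: it reports which mechanisms both pass and align with the From domain, which is what DMARC requires. The header strings and domains are constructed placeholders, and the two-label organizational-domain rule is a simplifying assumption.

```python
# Added example: relaxed DMARC alignment from an Authentication-Results header.
# All domains and header values below are constructed placeholders.
BEFORE = ("mx.receiver.test; spf=pass smtp.mailfrom=contoso.onmicrosoft.com; "
          "dkim=pass header.d=contoso.onmicrosoft.com; "
          "dmarc=fail header.from=example.com")
AFTER = ("mx.receiver.test; spf=pass smtp.mailfrom=contoso.onmicrosoft.com; "
         "dkim=pass header.d=example.com; dmarc=pass header.from=example.com")

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # check must consult the Public Suffix List (co.uk, com.au, ...).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse(auth_results):
    """Split into (method, result, properties); assumes no ';' in comments."""
    parsed = []
    for clause in auth_results.split(";")[1:]:  # [0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed.append((method.lower(), result.lower(), props))
    return parsed

def aligned_passes(auth_results):
    """Return the set of mechanisms that pass AND align with the From domain."""
    results = parse(auth_results)
    from_dom = next((p["header.from"] for m, _, p in results
                     if m == "dmarc" and "header.from" in p), None)
    if not from_dom:
        return set()
    passing = set()
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "spf":
            dom = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
        elif method == "dkim":
            dom = props.get("header.d", "")
        else:
            continue
        if dom and org_domain(dom) == org_domain(from_dom):
            passing.add(method)
    return passing

if __name__ == "__main__":
    print("before:", aligned_passes(BEFORE))
    print("after:", aligned_passes(AFTER))
```

An empty result means SPF and DKIM may each report "pass" while neither is aligned, so DMARC still fails for the domain.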
