This article covers the SPF and DKIM authentication processes for M365 and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.


Configuring DKIM authentication for your M365 emails

1. Sign in to Office 365 using your admin account and choose Admin.

2. Once in the Admin center, expand Admin centers and choose Exchange.

3. Go to protection > dkim.

4. Select the domain for which you want to enable DKIM and click on Enable. Repeat this step for each custom domain.

Note: If you haven't created the relevant CNAME records yet, you will need to create them first by following the instructions here.

Creating the Office 365 DKIM records

When you provision a new domain name in Office 365, you will need to create two CNAME records for it so that it points to your initial domain.

The example below is set for example.onmicrosoft.com as the tenant domain in M365.

After example.onmicrosoft.com is provisioned in M365, you will need to publish the two CNAME records so that your domain example.com points to example.onmicrosoft.com:


Host: selector1._domainkey

Value: selector1-example-com._domainkey.example.onmicrosoft.com


Host: selector2._domainkey

Value: selector2-example-com._domainkey.example.onmicrosoft.com

Note: Please pay close attention to the domainGUID (example-com in the values above), which uses a hyphen "-" rather than a full stop ".".

The CNAME record value syntax will also pop up when you click on Enable DKIM from your Office 365 admin center.

The two CNAME records are needed so that Microsoft can rotate between the two keys for added security.
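The following is an added example, not part of the original article or of Valimail's or Microsoft's tooling: it builds the two expected CNAME records for a domain and checks a set of published records against them, flagging the full-stop-instead-of-hyphen mistake noted above. It assumes the domainGUID is the custom domain with "." replaced by "-", as in the article's example; the value shown in the Office 365 admin center is authoritative. The function names and the sample zone data are constructed for illustration, and hosts are written as fully qualified names.

```python
# Added example: expected M365 DKIM CNAME records and a check of published ones.
# Assumption: domainGUID = custom domain with "." replaced by "-", as in the
# article's example; the admin center's Enable DKIM dialog is authoritative.

SELECTORS = ("selector1", "selector2")


def normalize(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def expected_dkim_cnames(custom_domain, tenant_domain):
    """Return {host: target} for both selectors of custom_domain."""
    domain = normalize(custom_domain)
    tenant = normalize(tenant_domain)
    guid = domain.replace(".", "-")
    return {
        f"{sel}._domainkey.{domain}": f"{sel}-{guid}._domainkey.{tenant}"
        for sel in SELECTORS
    }


def check_dkim_cnames(custom_domain, tenant_domain, published):
    """Compare published {host: target} CNAMEs to the expected ones.

    Returns a list of problems; an empty list means both records match.
    """
    found = {normalize(h): normalize(t) for h, t in published.items()}
    problems = []
    for host, want in expected_dkim_cnames(custom_domain, tenant_domain).items():
        got = found.get(host)
        if got is None:
            problems.append(f"{host}: CNAME missing")
        elif got == want:
            continue
        elif got.replace("-", ".") == want.replace("-", "."):
            # Same labels, but "." and "-" are swapped somewhere in the target.
            problems.append(f"{host}: '.'/'-' mix-up in target, want {want}")
        else:
            problems.append(f"{host}: points to {got}, want {want}")
    return problems


# Constructed sample: selector1 has the dotted-GUID typo, selector2 is absent.
SAMPLE_PUBLISHED = {
    "selector1._domainkey.example.com.":
        "selector1-example.com._domainkey.example.onmicrosoft.com.",
}

if __name__ == "__main__":
    for line in check_dkim_cnames("example.com", "example.onmicrosoft.com", SAMPLE_PUBLISHED):
        print(line)
```

In practice the `published` mapping would be filled from a DNS lookup of the two selector hosts before DKIM signing is enabled.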

Adding the M365 DKIM keys in Enforce

1. Please go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM keys.

    a. Scroll down and add the two DKIM keys to your configuration by clicking on Add a DKIM key.

    b. Enter the selector name and the CNAME target value, associate the keys with Microsoft Office 365, and then click Add.

You can find more detailed information on how to add a DKIM key in Valimail Enforce here.

Enabling Office 365 DKIM signing

Once you have added the CNAME records (two per domain) in the Valimail Enforce platform, Office 365 DKIM signing can be enabled through the Office 365 admin center.

Configuring SPF authentication for your M365 emails

Once you establish that Microsoft Office 365 is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.

1. Please go to your domain's Configuration page in Enforce.

2. Click on the + sign in the Enabled Senders section.

3. Choose Microsoft Office 365 from the list of configurable senders and then click Enforce.

We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.

You may notice that M365 emails are not authenticated via SPF, even after you have added M365 to your domain's configuration. This is likely caused by M365 not sending SPF-aligned mail and can be corrected by making sure SPF alignment for your domain has been turned on in M365.

Enable SPF alignment in M365 for your domain

You can find more details on how to make sure SPF alignment is enabled for your domain in M365 here.

As always, if you have any questions, please don't hesitate to submit a ticket.