Email Authentication for Outlook (DNS, SPF & DKIM)

A Simple Guide to Email Authentication for Outlook (SPF & DKIM)
Think of sending an email like sending a package. Without the right labels and verification, the postal service might get suspicious and either throw it in a "junk" pile or return it to the sender. SPF and DKIM are like the official seals and verified return addresses for your emails.
- What is DNS? Your Domain Name System (DNS) is like the internet's address book. It's where you tell the world which servers are allowed to send emails for your company's domain (e.g., yourcompany.com). You'll be adding some special notes (called DNS records) to your company's address book entry.
- What is SPF? The "Approved Senders' List." Sender Policy Framework (SPF) is a DNS record that lists all the mail servers that are officially allowed to send emails on behalf of your domain. It's like telling the world, "Only trust emails sent from these specific post offices." For Outlook, this means you're telling everyone that Microsoft's servers are on your approved list.
- What is DKIM? The "Tamper‑Proof Seal." DomainKeys Identified Mail (DKIM) adds a unique, invisible digital signature to every email you send. Receiving mail servers can check this signature to verify that the email actually came from you and that its contents weren't altered along the way. It's like putting a special holographic seal on your package that proves it's authentic and hasn't been opened.
How to Set It Up (Step‑by‑Step)
You will need access to wherever your company manages its domain name (this is often called the DNS hosting provider or domain registrar—common ones are GoDaddy, Cloudflare, Namecheap, etc.).
Step 1: Configure Your SPF Record
This is the most critical step for deliverability.
- Log in to your Domain Host: Go to your domain registrar's website and navigate to the DNS management section. You should see a list of your existing DNS records (like A records, CNAME, MX, etc.).
- Find or Create a TXT Record for SPF:
  - If you already have an SPF record: Look for an existing TXT record that starts with v=spf1. You must edit this one record. Do not create a second one.
  - If you don't have one: You will need to create a new TXT record.
- Add the Outlook Information:
  - Host/Name: Set this to @ (which usually means your main domain).
  - Value: This is the important part. You need to include Microsoft's servers.
    - For a new record: The value should be:
      v=spf1 include:spf.protection.outlook.com -all
    - For an existing record: Add include:spf.protection.outlook.com right before the ~all or -all part. For example, if your record is v=spf1 include:some-other-service.com -all, you would change it to:
      v=spf1 include:some-other-service.com include:spf.protection.outlook.com -all
- Save the Record: Save your changes. It can take anywhere from a few minutes to 24 hours for the changes to take effect across the internet.
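The merge rule from Step 1, as an added example that is not part of the original guide: it takes the TXT values listed for a domain, refuses to proceed when more than one v=spf1 record exists, and otherwise returns the single value to publish with the Outlook include placed before the all term. The function names and the sample records are constructed for illustration.

```python
OUTLOOK_INCLUDE = "include:spf.protection.outlook.com"

# Constructed sample: TXT values as a DNS host might list them for one domain.
SAMPLE_TXT = [
    '"site-verification=constructed-value"',
    '"v=spf1 include:some-other-service.com -all"',
]


def spf_records(txt_values):
    """Return the TXT values that are SPF records (first term is v=spf1)."""
    found = []
    for raw in txt_values:
        value = raw.strip().strip('"')
        terms = value.split()
        if terms and terms[0].lower() == "v=spf1":
            found.append(value)
    return found


def add_outlook_include(txt_values):
    """Return the single SPF value to publish, with the Outlook include added."""
    found = spf_records(txt_values)
    if len(found) > 1:
        # Two v=spf1 records on one name is an error: merge by hand first.
        raise ValueError("more than one v=spf1 record; merge them into one")
    if not found:
        return f"v=spf1 {OUTLOOK_INCLUDE} -all"
    terms = found[0].split()
    if any(t.lower() == OUTLOOK_INCLUDE for t in terms):
        return " ".join(terms)  # already listed, nothing to change
    for i, term in enumerate(terms):
        # The "all" mechanism may carry a qualifier: -all, ~all, ?all, +all.
        if term.lower().lstrip("+-~?") == "all":
            return " ".join(terms[:i] + [OUTLOOK_INCLUDE] + terms[i:])
    # Assumption: a record with no "all" term just gets the include appended.
    return " ".join(terms + [OUTLOOK_INCLUDE])


if __name__ == "__main__":
    print(add_outlook_include(SAMPLE_TXT))
```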
Step 2: Configure Your DKIM Records
DKIM tells receiving servers that you've digitally signed your emails. For Outlook/Microsoft 365, this is a two-part process.
Part A: Get Your DKIM Information from Microsoft
- Sign in to the Microsoft 365 Defender Portal: Go to security.microsoft.com.
- Navigate to Email & collaboration > Policies & rules > Threat policies > DomainKeys Identified Mail (DKIM).
- Select your custom domain name (e.g., yourcompany.com).
- In the window that opens, click Create DKIM keys.
- A pop‑up will appear with the exact values you need to create two CNAME records. Copy these values or keep this window open. They will look something like this:
  - Host: selector1._domainkey
    Points to: selector1-yourdomain-domainkey.yourtenant.onmicrosoft.com
  - Host: selector2._domainkey
    Points to: selector2-yourdomain-domainkey.yourtenant.onmicrosoft.com
Part B: Add the CNAME Records to Your DNS
- Go back to your Domain Host's DNS management page.
- Create Two New CNAME Records:
  - Record 1:
    - Type: CNAME
    - Host/Name: Paste the first host value from Microsoft (e.g., selector1._domainkey).
    - Value/Points to: Paste the first "points to" address from Microsoft.
  - Record 2:
    - Type: CNAME
    - Host/Name: Paste the second host value (e.g., selector2._domainkey).
    - Value/Points to: Paste the second "points to" address.
- Save the Records.
Part C: Enable DKIM in Microsoft Defender
- Wait a little while for the DNS records you just added to be recognized (this can take up to an hour).
- Go back to the DKIM page in the Microsoft 365 Defender portal.
- Select your domain again.
- You should now be able to toggle on "Sign messages for this domain with DKIM signatures." If it gives an error, the DNS records haven't been detected yet, so just wait a bit longer and try again.
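A pre-check for Part C, as an added example that is not part of the original guide: it compares the two host/target pairs copied from the portal against the records entered at the DNS host and reports which selector is missing, has the wrong type, or points to the wrong target. The function names are hypothetical, the expected values reuse the guide's placeholders, and the record snapshot is constructed.

```python
ZONE = "yourcompany.com"

# Placeholder values in the shape the guide shows; use the portal's real ones.
EXPECTED = {
    "selector1._domainkey": "selector1-yourdomain-domainkey.yourtenant.onmicrosoft.com",
    "selector2._domainkey": "selector2-yourdomain-domainkey.yourtenant.onmicrosoft.com",
}

# Constructed snapshot of the DNS host's records: (host, type, value).
SAMPLE_RECORDS = [
    ("Selector1._domainkey.yourcompany.com.", "CNAME",
     "selector1-yourdomain-domainkey.yourtenant.onmicrosoft.com."),
    ("selector2._domainkey", "TXT",
     "selector2-yourdomain-domainkey.yourtenant.onmicrosoft.com"),
]

def fqdn(host, zone):
    """Expand a host label to a lowercase full name without trailing dot."""
    host = host.strip().lower().rstrip(".")
    zone = zone.strip().lower().rstrip(".")
    if host in ("", "@"):
        return zone
    if host == zone or host.endswith("." + zone):
        return host  # already entered as a full name
    return f"{host}.{zone}"

def check_dkim_cnames(zone, expected, records):
    """Return {host: "ok" | "missing" | "wrong type" | "wrong target"}."""
    published = {}
    for host, rtype, value in records:
        entry = (rtype.upper(), value.strip().lower().rstrip("."))
        published.setdefault(fqdn(host, zone), []).append(entry)
    status = {}
    for host, target in expected.items():
        entries = published.get(fqdn(host, zone), [])
        cnames = [value for rtype, value in entries if rtype == "CNAME"]
        if not entries:
            status[host] = "missing"
        elif not cnames:
            status[host] = "wrong type"
        elif target.lower().rstrip(".") not in cnames:
            status[host] = "wrong target"
        else:
            status[host] = "ok"
    return status

def ready_to_enable(status):
    # Both selectors must check out before the DKIM toggle is worth trying.
    return all(state == "ok" for state in status.values())
```

With the constructed snapshot, selector1 passes despite the different capitalisation and trailing dots, while selector2 is flagged because it was entered as a TXT record instead of a CNAME.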
And that's it! Once both SPF and DKIM are set up, your emails sent from Outlook will be properly authenticated, which will significantly improve your deliverability and protect your brand's reputation.
Updated on: 07/10/2025
