Fix guide

How to Fix DMARC Alignment for Microsoft 365

Microsoft 365 DMARC alignment requires two CNAME records — selector1 and selector2 — added to your DNS. Without these, Microsoft signs email with their own domain instead of yours, causing DMARC alignment failures.

Why alignment fails

Without custom DKIM CNAMEs, messages may be signed in ways that don't align your From: domain. Pair this with a correct SPF record for Microsoft.

Exact DNS records (pattern)

Values are tenant-specific — copy from Defender. Typical pattern:

selector1._domainkey.yourdomain.com → CNAME → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com selector2._domainkey.yourdomain.com → CNAME → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Step-by-step fix

Step 1 Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → DKIM
Step 2 Select your domain and click Create DKIM keys
Step 3 Copy the two CNAME records shown (selector1 and selector2)
Step 4 Add both CNAMEs to your DNS provider
Step 5 Return to Defender and enable DKIM signing for the domain
Step 6 Run DNS Preflight to confirm alignment passes

Verify alignment and DNS in your browser

Open DNS Preflight →
Related glossary: DMARC · DMARC alignment · DKIM · SPF record

FAQ

Why does Microsoft 365 fail DMARC alignment?

By default M365 signs email using Microsoft's domain. You need to add selector1 and selector2 CNAME records so Microsoft can sign with your domain instead.

What are the exact CNAME values for M365 DKIM?

The values are in Microsoft 365 Defender → DKIM settings for your domain. They follow the pattern selector1-[domain]._domainkey.[tenant].onmicrosoft.com.

I added the CNAMEs but DKIM still fails — why?

You must also enable DKIM signing in the Defender portal after adding the CNAMEs. Adding the records alone is not enough.

Does Microsoft 365 SPF alignment work automatically?

Yes if you include include:spf.protection.outlook.com in your SPF record and your From: domain matches your M365 domain.

How do I verify M365 DMARC alignment is working?

Run DNS Preflight on your domain — the alignment engine checks selector1 and selector2 CNAMEs automatically and shows pass/fail.

← All DMARC fix guides

Run checks on domainpreflight.dev →