How to Fix DMARC Alignment for Microsoft 365

To fix DMARC alignment for Microsoft 365, publish Microsoft’s two DKIM CNAME records so that signatures use your domain, not theirs.

Why M365 trips DMARC

Until you publish the selector1 and selector2 CNAMEs, Microsoft signs with its own hostname, so the DKIM signature cannot align with your From: line. Once the CNAMEs are in place, DKIM can align. Keep SPF honest by including include:spf.protection.outlook.com in your SPF record.
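The alignment rule behind this, as an added example that is not part of the original guide: it compares the DKIM signing domain (the d= tag) with the From: domain for a message signed before and after the fix. The sample headers are constructed, the function names are illustrative, and the two-label organizational-domain shortcut is an assumption that stands in for a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not captured mail). Signature validity is not
# checked here; only the DMARC identifier-alignment step is shown.
BEFORE = (  # default: signed with the tenant's onmicrosoft.com domain
    "From: Alice <alice@yourdomain.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=yourtenant.onmicrosoft.com;\n"
    "\ts=selector1; bh=CONSTRUCTED; b=CONSTRUCTED\n\nbody\n"
)
AFTER = (  # CNAMEs published and DKIM signing enabled for the custom domain
    "From: Alice <alice@yourdomain.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com;\n"
    "\ts=selector1; bh=CONSTRUCTED; b=CONSTRUCTED\n\nbody\n"
)

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict (adkim=s) needs an exact match; relaxed (adkim=r, the default)
    # needs only the same organizational domain.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dkim_domains(msg):
    # Extract the d= tag from every DKIM-Signature header, folded or not.
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", value)
        if m:
            found.append(m.group(1))
    return found

def dmarc_dkim_aligned(raw, strict=False):
    # True if any DKIM signing domain aligns with the From: header domain.
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    return any(aligned(d, from_domain, strict) for d in dkim_domains(msg))

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, "DKIM aligned:", dmarc_dkim_aligned(raw))
```

To check a real message, pass its raw source (headers included) to dmarc_dkim_aligned after DKIM signing has been enabled in Defender.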

Exact DNS records (pattern)

Values are tenant-specific — copy from Defender. Typical pattern:

selector1._domainkey.yourdomain.com → CNAME → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey.yourdomain.com → CNAME → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Step-by-step fix

Step 1 Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → DKIM
Step 2 Select your domain and click Create DKIM keys
Step 3 Copy the two CNAME records shown (selector1 and selector2)
Step 4 Add both CNAMEs to your DNS provider
Step 5 Return to Defender and enable DKIM signing for the domain
Step 6 Run DNS Preflight to confirm alignment passes

FAQ

Why does Microsoft 365 fail DMARC alignment?

Because out of the box they sign as Microsoft, not you — add selector1 + selector2 CNAMEs so signatures use your domain.

What are the exact CNAME values for M365 DKIM?

Copy them from Defender → DKIM. They look like selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com.

I added the CNAMEs but DKIM still fails — why?

You still need to flip DKIM on in Defender — DNS alone doesn’t enable signing.

Does Microsoft 365 SPF alignment work automatically?

Yes, when SPF lists Outlook’s include and your From: domain matches the tenant domain.

How do I verify M365 DMARC alignment is working?

DNS Preflight checks those CNAMEs and alignment in one pass.