SimpleNewsletter365

Guide

SPF, DKIM, and DMARC for Microsoft 365 senders

Last updated July 1, 2026

Email authentication is how receiving servers confirm your newsletter really came from your domain and was not forged. Microsoft 365 relies on three standards that work together. Configure all three for every custom domain you send from; Microsoft notes that anything less results in substandard protection.

The three standards

  • SPF (Sender Policy Framework) lists the servers allowed to send mail for your domain, as a TXT record at your DNS host. For Microsoft 365 domains, Microsoft recommends ending the record with -all (hard fail).
  • DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message that survives forwarding, so receivers can verify the message was not altered. You enable it with CNAME records and the Microsoft Defender portal.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers what to do with mail that fails SPF and DKIM, and where to send reports. A message passes DMARC if SPF or DKIM passes and aligns with the From domain.

The order that matters

Set them up in this order, because DMARC depends on the other two:

  1. SPF for each custom domain and subdomain you send from.
  2. DKIM signing using your custom domain.
  3. DMARC, starting at p=none to monitor with the rua and ruf reporting addresses, then p=quarantine, then p=reject once your legitimate mail passes cleanly.

A useful tip from Microsoft: for mail from services outside your direct control, use a subdomain (for example marketing.contoso.com) so any issues do not affect the reputation of your main domain. Each subdomain needs its own SPF and DKIM.

How this applies to SimpleNewsletter365

Because SimpleNewsletter365 sends through your own Microsoft 365 mailbox rather than a separate sending service, your existing SPF, DKIM, and DMARC for the domain apply automatically. There is no third-party sending service to add to your SPF record, which is one less way for authentication to break.

Sources

Frequently asked questions

Do I need SPF, DKIM, and DMARC to send newsletters from Microsoft 365?

To land reliably in the inbox, yes. SPF, DKIM, and DMARC are interdependent standards that prove your mail is genuine. Microsoft recommends configuring all three for every custom domain you send from; anything less gives substandard protection against spoofing.

In what order should I set up SPF, DKIM, and DMARC?

Configure them in this order, SPF first, then DKIM, then DMARC. DMARC relies on the results of SPF and DKIM, so it should be added last, starting with a monitoring policy.

What DMARC policy should I use?

Start with p=none to monitor, using the rua and ruf reporting addresses, then move to p=quarantine, and finally p=reject once you have confirmed your legitimate mail passes. Microsoft recommends reaching p=reject for all custom domains.

Does SimpleNewsletter365 change my email authentication?

No. Because SimpleNewsletter365 sends through your own Microsoft 365 mailbox, your existing SPF, DKIM, and DMARC for the domain apply automatically. You do not add a new sending service to your SPF record.