Channel: o365info

Add DKIM and DMARC for onmicrosoft.com domain in Microsoft 365


You should secure every domain in Microsoft 365 with the authentication methods SPF, DKIM, and DMARC. Microsoft automatically configures the SPF record for the onmicrosoft.com domain but not the DKIM and DMARC records. It’s essential to configure both records for the onmicrosoft.com domain. In this article, you will learn how to add the DKIM and DMARC records for the onmicrosoft.com domain.

Microsoft Online Email Routing Address (MOERA)

The Microsoft Online Email Routing Address (MOERA) domain is the onmicrosoft.com domain in Microsoft 365. By default, every Microsoft tenant comes with an onmicrosoft.com domain.

You should always protect every domain with these authentication methods:

  • SPF record contains a list of authorized mail servers or IP addresses that are allowed to send emails on behalf of that domain. Microsoft configures, by default, the SPF record for the onmicrosoft.com (MOERA) domain. There is nothing that you have to add or change.
  • DKIM verifies that the sender and message content are both authentic. Microsoft doesn’t automatically add it, so you need to add the DKIM record for the onmicrosoft.com domain in Microsoft 365.
  • DMARC improves email deliverability and security. Microsoft doesn’t automatically add the DMARC record, so you need to add the record for the onmicrosoft.com domain in Microsoft 365.

Important: You must always add a DKIM and DMARC TXT record for your onmicrosoft.com domain, whether you use it or not.

Add DKIM for onmicrosoft.com domain

DKIM stands for DomainKeys Identified Mail and is an email authentication protocol. Microsoft 365 uses two DKIM selectors, so you need to add them both.

To add DKIM for your onmicrosoft.com domain, follow these steps:

  1. Sign in to Microsoft Defender
  2. Click Email & collaboration > Policies & rules
  3. Click Threat Policies
  4. Click Email authentication settings
  5. Click the tab DKIM
  6. Click your onmicrosoft.com domain
  7. Select Enabled

Note: Wait about 15 minutes to an hour before the changes take effect.

It automatically adds the DKIM selector1 record for your onmicrosoft.com domain. You also need to add the DKIM selector2 record shown in the next step.

  8. Click Rotate DKIM keys to automatically add DKIM selector2 record to the DNS records

Note: It’s recommended that you Rotate DKIM keys in Microsoft 365 every 6 months for security purposes.

Add DMARC for onmicrosoft.com domain

You also need to add the DMARC record for your onmicrosoft.com domain.

To add the DMARC TXT record for your onmicrosoft.com domain, follow these steps:

  1. Sign in to Microsoft 365 admin center
  2. Click Settings > Domains
  3. Click onmicrosoft.com domain
  4. Click DNS records
  5. Click Add record
  6. Select TXT (Text)
  7. TXT name: _dmarc
  8. TXT value: v=DMARC1; p=reject
  9. TTL: 1 hour
  10. Click Save

Note: The pct= value isn’t included because the default value is pct=100, which means all messages that fail DMARC get the DMARC policy applied to them. You don’t need the rua=mailto: and ruf=mailto: values because you don’t want to get any reports.

The DMARC record is now added to the onmicrosoft.com domain, which you can check in the next step.
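
The defaults described in the note above, as an added example that is not part of the original article: this Python sketch parses a DMARC TXT value and fills in the defaults a receiver applies under RFC 7489 (pct=100, sp inheriting p, no reports without rua/ruf). The function names and the sample records are constructed for illustration.

```python
# Added example: evaluate a DMARC TXT value with receiver-side defaults applied.
# Sample records are constructed, not taken from a real tenant.

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT string into a dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def effective_dmarc(record):
    """Return the policy a receiver applies, filling in RFC 7489 defaults."""
    # v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    first = record.strip().split(";")[0].replace(" ", "")
    if first != "v=DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must come first")
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),  # sp defaults to p
        "pct": int(tags.get("pct", "100")),                  # pct defaults to 100
        "aggregate_reports": tags.get("rua"),                # None: no reports sent
        "failure_reports": tags.get("ruf"),
    }

def findings(record):
    """List the ways a record falls short of v=DMARC1; p=reject at full coverage."""
    eff = effective_dmarc(record)
    issues = []
    if eff["policy"] != "reject":
        issues.append("p=%s does not reject failing mail" % eff["policy"])
    if eff["subdomain_policy"] != "reject":
        issues.append("sp=%s weakens subdomain handling" % eff["subdomain_policy"])
    if eff["pct"] < 100:
        issues.append("pct=%d applies the policy to only part of failing mail" % eff["pct"])
    return issues

if __name__ == "__main__":
    for sample in ("v=DMARC1; p=reject", "v=DMARC1; p=quarantine; pct=50"):
        print(sample, "->", findings(sample) or "full enforcement")
```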

Verify DKIM and DMARC enabled for onmicrosoft.com domain

To verify you added the DKIM and DMARC records for your onmicrosoft.com domain, follow these steps:

  1. Sign in to Microsoft 365 admin center
  2. Click Settings > Domains
  3. Click your onmicrosoft.com domain
  4. Click DNS records
  5. See the DMARC TXT record added under Custom records
  6. Under Additional Microsoft Office 365 records
  7. See the TXT record DKIM selector1 and selector2 for your onmicrosoft.com domain

That’s it!


Conclusion

You learned how to add DKIM and DMARC records for the onmicrosoft.com domain in the Microsoft 365 admin center. Even if you don’t use the Microsoft Online Email Routing Address (MOERA) domain, you must always add both the DKIM and DMARC records for the domain. The SPF record is already configured, and you don’t have to do anything for that.
