Microsoft 365 and email impersonation protection

Exchange Online sends your mail — DNS records at your domain still define who may impersonate you.

Microsoft vs. DNS

Microsoft 365 handles mailboxes and can sign mail with DKIM once enabled. SPF and DMARC live as DNS TXT records you control at your domain host.

Typical setup steps

  1. Enable DKIM for each domain in Microsoft 365 Defender / Exchange admin
  2. Publish the two CNAME or TXT records Microsoft provides
  3. Set SPF to include spf.protection.outlook.com (plus any other senders)
  4. Add DMARC with a policy that matches your risk tolerance

Verify your domain

Use our free check on your business domain to see whether SPF, DKIM, and DMARC are actually published — not just enabled inside Microsoft.

Frequently asked questions

We use GoDaddy DNS with M365 — who edits records?

Usually whoever administers GoDaddy (or your DNS provider) publishes SPF, DKIM, and DMARC using values from Microsoft.

Check my domain