Microsoft 365 differs from Google in one key way: DKIM uses two CNAME records, not a TXT record. Here’s the full setup.
1. SPF (TXT at root)
v=spf1 include:spf.protection.outlook.com -all
One SPF record only; mind the 10-lookup limit if you add other senders.
2. DKIM (two CNAMEs, then enable)
Add these CNAMEs (replace the right-hand side with the exact values from the Microsoft 365 Defender portal for your tenant):
selector1._domainkey → selector1-<tenant>._domainkey.<tenant>.onmicrosoft.com
selector2._domainkey → selector2-<tenant>._domainkey.<tenant>.onmicrosoft.com
Then in Microsoft Defender → Email & collaboration → Policies → Email authentication → DKIM, select your domain and Enable signing.
3. DMARC (TXT at _dmarc)
v=DMARC1; p=none; rua=mailto:you@yourdomain.com
Monitor, then run the none → reject migration.
4. Verify
Run the checker — for DKIM, enter selector selector1. All three should pass. Confirm a real message in the header analyzer. If DKIM shows none, the CNAMEs are wrong or signing isn’t enabled yet.
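The checks from steps 1 to 3, as an added example that is not part of the original page: a small audit over DNS records you have already exported. The zone data, the domain example.com, the tenant name contoso and the function name audit are constructed for illustration. The DKIM target pattern follows the shape shown in step 2; the values in the Defender portal remain authoritative.

```python
import re

# Constructed sample zone (not real DNS data). Keys are (name, type).
ZONE = {
    ("example.com", "TXT"): [
        "v=spf1 include:spf.protection.outlook.com -all",
        "v=spf1 include:_spf.mailer.example -all",  # second SPF record: a fault
    ],
    ("selector1._domainkey.example.com", "CNAME"):
        ["selector1-example-com._domainkey.contoso.onmicrosoft.com"],
    # selector2 CNAME deliberately missing
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none; rua=mailto:you@example.com"],
}

# SPF terms that each cost one DNS lookup (RFC 7208): include, a, mx, ptr, exists, redirect.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)

def audit(zone, domain):
    """Return a list of problems found in the SPF, DKIM and DMARC records."""
    problems = []
    spf = [t for t in zone.get((domain, "TXT"), []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        problems.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        terms = spf[0].split()[1:]
        if "include:spf.protection.outlook.com" not in terms:
            problems.append("SPF: Microsoft 365 include is missing")
        # Counts only this record's own terms; nested includes add more lookups.
        lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
        if lookups > 10:
            problems.append(f"SPF: {lookups} lookup terms exceed the limit of 10")
    for sel in ("selector1", "selector2"):
        targets = zone.get((f"{sel}._domainkey.{domain}", "CNAME"), [])
        shape = rf"^{sel}-[^.]+\._domainkey\.[^.]+\.onmicrosoft\.com\.?$"
        if not targets:
            problems.append(f"DKIM: {sel} CNAME missing")
        elif not re.match(shape, targets[0], re.I):
            problems.append(f"DKIM: {sel} target {targets[0]!r} has an unexpected shape")
    dmarc = [t for t in zone.get((f"_dmarc.{domain}", "TXT"), []) if t.startswith("v=DMARC1")]
    policy = re.search(r"\bp=(none|quarantine|reject)\b", dmarc[0]) if len(dmarc) == 1 else None
    if not policy:
        problems.append("DMARC: need exactly one v=DMARC1 record with a p= tag")
    return problems

if __name__ == "__main__":
    for line in audit(ZONE, "example.com"):
        print(line)
```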