DDMARC

Documentation

Learn how to integrate and use DDMARC

Docs/Integrations/Microsoft 365
5 minutesOfficial

Microsoft 365 Integration

Connect your Microsoft 365 tenant to automate DKIM configuration, discover email sources, and streamline authentication management.

What You Can Do

Automatic DKIM Setup

DDMARC can automatically configure DKIM signing for your Microsoft 365 domains.

Mailbox Discovery

Discover all mailboxes and aliases sending email on your domain.

Transport Rule Analysis

Review transport rules that may affect email authentication.

User Provisioning

Automatically sync users from Azure AD for team management.

Prerequisites

  • • Microsoft 365 subscription (Business Basic or higher)
  • • Global Administrator or Exchange Administrator role
  • • Domain verified in Microsoft 365 admin center

Setup Instructions

1

Navigate to Integrations

In your DDMARC dashboard, go to Settings → Integrations and find the Microsoft 365 card.

Dashboard → Settings → Integrations → Microsoft 365 → Connect
2

Authorize with Microsoft

Click Connect Microsoft 365 to start the OAuth flow. You will be redirected to Microsoft to sign in and authorize DDMARC.

Permissions requested:

  • Mail.ReadRead mail flow data and message headers
  • Domain.Read.AllRead domain configuration and DNS settings
  • Organization.Read.AllRead organization profile and settings
  • User.Read.AllRead user profiles for team sync
3

Select Domains

After authorization, DDMARC will show all domains in your Microsoft 365 tenant. Select which domains you want to manage with DDMARC.

Domains are synced automatically every 24 hours
4

Configure DKIM (Optional)

DDMARC can automatically enable and configure DKIM signing for your domains. Click Enable DKIM next to each domain to set it up.

Automatic DNS Configuration

DDMARC will generate the required CNAME records. If your DNS is managed by Microsoft, we can add them automatically.

Microsoft 365 DKIM Records

Microsoft 365 uses CNAME records for DKIM instead of TXT records. Here is the format:

DKIM CNAME Records
Record 1:
selector1._domainkey.example.com → selector1-example-com._domainkey.example.onmicrosoft.com
Record 2:
selector2._domainkey.example.com → selector2-example-com._domainkey.example.onmicrosoft.com

Replace example.com with your domain and example in the onmicrosoft.com subdomain with your tenant name (dots replaced with dashes).

Troubleshooting

Authorization fails with permission error

Ensure you are signing in with a Global Administrator or Exchange Administrator account.

Domains not appearing after connection

Verify the domains are verified in Microsoft 365 admin center. Unverified domains won't appear.

DKIM enable fails

Check if DKIM is already enabled in Exchange admin center. Disable it there first, then enable through DDMARC.

DNS records not propagating

CNAME records can take up to 48 hours to propagate. Use a DNS checker tool to verify.

Microsoft Documentation

Set up DKIM in Microsoft 365Email authentication in Microsoft 365Microsoft Graph API permissions

Next Steps

Google Workspace Integration

Connect your Google Workspace tenant

Set Up Alerts

Configure notifications for important events