Email Authentication Checks: DKIM, DMARC, and SPF
Cloud Capsule checks each connected tenant for DKIM, DMARC, and SPF configuration as part of its email security assessment. This article explains what each check looks for, why a control may show as failing even when DNS records appear to be in place, and how to remediate each one.
What Cloud Capsule Checks
For each connected tenant, Cloud Capsule evaluates the following across all domains, including .onmicrosoft.com domains:
| Check | What We Look For | Fail Condition |
|---|---|---|
| DKIM | DKIM signing is enabled for each accepted domain in Exchange Online | Status is "Not signing DKIM signatures for this domain" |
| DMARC | A DMARC record exists and the policy is set to p=quarantine or p=reject | No DMARC record exists, or policy is set to p=none |
| SPF | A valid SPF TXT record exists for each accepted domain | No SPF record exists, or the record does not include Exchange Online |
Why a Control May Show as Failing When DNS Looks Correct
The most common reason a DMARC check fails despite a record being present is that the policy is set to p=none. Cloud Capsule requires a policy of p=quarantine or p=reject to pass this control. A p=none policy means DMARC is in monitoring mode only and does not enforce any action on failing messages, which does not meet the security threshold for a passing result.
DNS propagation can also cause a control to show as failing shortly after records are added or updated. Allow up to 48 hours for changes to propagate, then re-run the assessment to confirm the updated result.
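The fail conditions in the table above, applied to DNS TXT records, as an added example (not Cloud Capsule's own code). The zone data is constructed, and `resolve_txt` stands in for a real DNS lookup; the multiple-record check goes slightly beyond the table, following the "only one SPF TXT record" rule stated later in this article.

```python
"""Evaluate DNS TXT records against Cloud Capsule's DMARC and SPF fail conditions."""

# Constructed sample zone: what a TXT lookup would return for each name.
SAMPLE_TXT = {
    "_dmarc.contoso.com": ["v=DMARC1; p=none; rua=mailto:rua-report@example.com"],
    "_dmarc.fabrikam.com": ["v=DMARC1; p=quarantine; rua=mailto:rua-report@example.com"],
    "contoso.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "fabrikam.com": ["v=spf1 include:_spf.example.net ~all"],
    "northwind.com": ["v=spf1 include:spf.protection.outlook.com -all",
                      "v=spf1 ip4:203.0.113.10 -all"],
}

def resolve_txt(name, zone=SAMPLE_TXT):
    """Return the TXT strings for a name (empty list if none). Replace with a real resolver for live use."""
    return zone.get(name.lower(), [])

def check_dmarc(domain, zone=SAMPLE_TXT):
    """Pass only when a DMARC record exists and its policy is p=quarantine or p=reject."""
    records = [r for r in resolve_txt(f"_dmarc.{domain}", zone)
               if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return ("fail", "no DMARC record")
    # DMARC tags are "name=value" pairs separated by semicolons.
    tags = dict(t.strip().split("=", 1) for t in records[0].split(";") if "=" in t)
    policy = tags.get("p", "").strip().lower()
    if policy in ("quarantine", "reject"):
        return ("pass", f"p={policy}")
    return ("fail", f"p={policy or 'missing'} does not enforce")

def check_spf(domain, zone=SAMPLE_TXT):
    """Pass when exactly one SPF record exists and it includes Exchange Online."""
    records = [r for r in resolve_txt(domain, zone)
               if r.strip().lower().startswith("v=spf1")]
    if not records:
        return ("fail", "no SPF record")
    if len(records) > 1:
        # Not in the table above; added because more than one SPF record is invalid.
        return ("fail", f"{len(records)} SPF records found; only one is permitted")
    if "include:spf.protection.outlook.com" not in records[0].lower():
        return ("fail", "record does not include Exchange Online")
    return ("pass", records[0])

if __name__ == "__main__":
    for d in ("contoso.com", "fabrikam.com", "northwind.com"):
        print(d, "DMARC:", check_dmarc(d), "SPF:", check_spf(d))
```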
How to Fix DKIM
Step 1: Check current DKIM status in Microsoft 365 Defender
- Navigate to Microsoft 365 Defender.
- Expand Email & collaboration > Policies & rules > Threat policies.
- Under the Rules section, click Email authentication settings.
- Select DKIM.
- Click each domain and confirm that Sign messages for this domain with DKIM signatures is set to Enabled.
To verify via PowerShell, connect to Exchange Online using Connect-ExchangeOnline and run Get-DkimSigningConfig. Confirm that Enabled is set to True for each domain.
Step 2: Add DKIM DNS records (if not already present)
For each accepted domain in Exchange Online, add two CNAME records to your DNS provider:
| Host Name | Points To | TTL |
|---|---|---|
| selector1._domainkey | selector1-domainGUID._domainkey.tenantname.onmicrosoft.com | 3600 |
| selector2._domainkey | selector2-domainGUID._domainkey.tenantname.onmicrosoft.com | 3600 |
Replace domainGUID with the value from your domain's MX record that appears before .mail.protection.outlook.com. For example, if your MX record points to contoso-com.mail.protection.outlook.com, your domainGUID is contoso-com.
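The domainGUID derivation and the two resulting CNAME records, as an added example (not Microsoft's or Cloud Capsule's code). The MX target and tenant name are constructed samples.

```python
"""Derive the two DKIM CNAME records Exchange Online expects from a domain's MX target."""

EOP_SUFFIX = ".mail.protection.outlook.com"

def domain_guid_from_mx(mx_target):
    """Return the label before .mail.protection.outlook.com, or None if the MX is not Exchange Online."""
    host = mx_target.rstrip(".").lower()
    if not host.endswith(EOP_SUFFIX):
        return None
    return host[: -len(EOP_SUFFIX)]

def expected_dkim_cnames(mx_target, tenant_name, ttl=3600):
    """Build the selector1 and selector2 CNAME records to add at the domain's DNS provider."""
    guid = domain_guid_from_mx(mx_target)
    if guid is None:
        raise ValueError(f"{mx_target} is not an Exchange Online MX target")
    return [
        {"host": f"{sel}._domainkey",
         "target": f"{sel}-{guid}._domainkey.{tenant_name}.onmicrosoft.com",
         "ttl": ttl}
        for sel in ("selector1", "selector2")
    ]

def cname_matches(observed, expected):
    """Compare an observed CNAME target with the expected one, ignoring case and a trailing dot."""
    return observed.rstrip(".").lower() == expected.rstrip(".").lower()

if __name__ == "__main__":
    # Constructed sample: MX of contoso.com in a tenant named "contoso".
    for rec in expected_dkim_cnames("contoso-com.mail.protection.outlook.com", "contoso"):
        print(f"{rec['host']}  CNAME  {rec['target']}  TTL {rec['ttl']}")
```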
Step 3: Enable DKIM signing in Defender
- Return to Email authentication settings > DKIM in Microsoft 365 Defender.
- Click each domain and select Enable next to Sign messages for this domain with DKIM signatures.
For full Microsoft guidance, see Configure DKIM in Microsoft 365.
How to Fix DMARC
DMARC implementation is a multi-stage process. Starting with p=none allows you to collect reporting data without affecting mail flow. Once you have reviewed your aggregate reports and confirmed all legitimate mail sources are covered by SPF and DKIM, progress to p=quarantine and then p=reject.
| Stage | Policy | Effect | Cloud Capsule Result |
|---|---|---|---|
| 1 | p=none | Monitoring only, no action on failing messages | Fail |
| 2 | p=quarantine | Failing messages sent to spam or quarantine | Pass |
| 3 | p=reject | Failing messages rejected outright | Pass |
For custom domains: Add the following TXT record to your DNS provider for each accepted domain:
| Field | Value |
|---|---|
| Name | _dmarc.yourdomain.com |
| Type | TXT |
| Value | v=DMARC1; p=none; rua=mailto:rua-report@example.com; ruf=mailto:ruf-report@example.com |
For .onmicrosoft.com domains: DMARC records for .onmicrosoft.com domains are added through the Microsoft 365 admin center rather than an external DNS provider. Follow these steps:
- Navigate to the Microsoft 365 admin center.
- Expand Settings and select Domains.
- Select your tenant domain, for example contoso.onmicrosoft.com.
- Select DNS records and click + Add record.
- Add a new TXT record with the name _dmarc and the appropriate DMARC values outlined above.
For full Microsoft guidance, see Configure DMARC in Microsoft 365.
How to Fix SPF
For each Exchange Online accepted domain, add the following TXT record to your DNS provider:
| Field | Value |
|---|---|
| Type | TXT |
| Value | v=spf1 include:spf.protection.outlook.com -all |
If your domain sends email from sources other than Exchange Online, such as a third-party marketing platform or on-premises mail server, you will need to include those sources in your SPF record as well. Only one SPF TXT record is permitted per domain.
For full Microsoft guidance, see Configure SPF in Microsoft 365.
When to Contact Support
If a DKIM, DMARC, or SPF control is still showing as failing after completing the steps above and you have confirmed the DNS records are propagated, please contact support with the following:
- The name of the affected tenant
- The domain the check is failing for
- A screenshot of the current DNS records for that domain
- A screenshot of the failing control in Cloud Capsule
Email: support@cloudcapsule.io
In-app: Navigate to Support and open a new ticket.