Microsoft 365 DMARC Not Working – Fix Domain Alignment and Policy (2026)

Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.

One-Minute Fix

Publish a valid DMARC policy at _dmarc.yourdomain, ensure Microsoft 365 DKIM is enabled for the custom domain, and verify SPF/DKIM alignment in real message headers.

v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r

Use monitoring first, then increase policy strength after alignment is consistently passing for all legitimate Microsoft 365 sending flows.

Free live DNS check. No signup required.

Wrong vs correct setup

From: alerts@example.com
DKIM-Signature: d=example.onmicrosoft.com; s=selector1;
_dmarc.example.com TXT "v=DMARC1; p=reject;"

From: alerts@example.com
DKIM-Signature: d=example.com; s=selector1;
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r"

Why this happens

DMARC on Microsoft 365 often fails when DKIM is technically enabled but domain alignment is not set up for the visible From identity. SPF paths can also align to a different return-path domain. DMARC requires at least one aligned authentication path, not just a pass result. Misaligned authentication paths often show up as DMARC alignment failures or a reporting address that never receives data.

Why this is a problem

If DMARC fails on Microsoft 365 traffic, receivers may downgrade trust or enforce quarantine/reject depending on policy. Legitimate corporate mail can be filtered inconsistently, while spoofing controls remain weaker than expected. Over time that can mean critical mail is treated like generic bulk, especially when multiple DMARC records or a misconfigured fo= tag confuse evaluation.

How this affects deliverability

Consistent DMARC alignment for Microsoft 365 helps preserve sender reputation and inbox placement for business-critical traffic. Misalignment increases spam risk and creates unstable enforcement behavior across providers. Over time, well-tuned DMARC aggregate reports and a clear policy stance are what help inbox providers separate your legitimate traffic from spoofing attempts.

Common causes

• DKIM was not fully enabled for the custom domain in Microsoft 365.
• SPF or DKIM authenticated a non-aligned domain.
• DMARC policy was enforced before alignment gaps were fixed.
• DNS propagation delays hid recent DMARC/DKIM corrections.

What we checked

We checked DMARC record validity and whether Microsoft 365 mail can provide aligned SPF or DKIM results for the visible From domain under current policy settings.

Live DNS lookup. No login. No saved domains. No tracking.

FAQ

Next steps

• Send a real Microsoft 365 message and inspect alignment in headers.
• Enable/verify DKIM for the exact custom domain in Microsoft 365.
• Publish or correct DMARC at _dmarc with p=none and rua reporting.
• Resolve failing sources shown in DMARC aggregate reports.
• Increase enforcement only after stable aligned pass rates.
• Review the full troubleshooting guidance in the DMARC Hub.
• Explore sender authorization issues in the SPF Hub.
• Check signing and selector issues in the DKIM Hub.

Related fixes

• DMARC alignment failed
• DMARC policy: none vs quarantine vs reject
• DMARC aspf and adkim explained
• DMARC record examples
• DMARC aggregate reports explained

Explore more issues

• DMARC record examples
• DMARC aggregate reports explained
• DMARC generator
• No DMARC record found
• Google Workspace DMARC not working
• SendGrid DMARC fail