March 2, 2025 ITHU

How to Add and Verify Your Domain in Microsoft 365 for Email and DNS Configuration

Setting up your domain in Microsoft 365 is a crucial step in enabling email services, security policies, and other Microsoft cloud features for your organization. Whether you’re migrating from another email provider or setting up a new domain, this guide will walk you through the process of adding and verifying your domain in Microsoft 365.

By the end of this guide, your domain will be fully integrated with Microsoft 365, ensuring that your email services are properly configured and functional.
Requirements:

  • Microsoft 365 Account
  • Microsoft 365 User licenses

Log into Microsoft 365, then go to Settings -> Domains -> Add Domain.

Next, you’ll need to verify domain ownership by adding a TXT record to your DNS settings. Since Cloudflare is being used, Microsoft 365 provides a setup wizard that can automatically connect to your Cloudflare account and create the necessary records for you. However, if your DNS provider does not support this integration, you may need to add the records manually.

Once your domain has been verified, the next step is to configure the mail records. For this step, we will only set up Exchange and Exchange Online Protection, and DomainKeys Identified Mail (DKIM).

Once all records have been added and validated, your mail server is set up. If all records are good, you will see the healthy status next to your domain.

DKIM and DMARC

DKIM (DomainKeys Identified Mail) is an email authentication method that verifies a message was not altered during transit and was sent by an authorized domain. It works by adding a digital signature to the email header using a private cryptographic key. The recipient’s mail server retrieves the sender’s public key from DNS and uses it to validate the signature. If the signature is valid, it confirms the email’s source and integrity. DKIM helps prevent spoofing, ensures trust in email communication, and is often used alongside SPF and DMARC for stronger email authentication and protection against phishing.

Checking DKIM Status in Microsoft 365

In the Windows Defender Portal, under Policies & Rules > Threat policies > Email authentication settings, check the DomainKeys Identified Mail (DKIM) status.

Enabling DMARC

How DMARC works with DKIM.

DMARC uses DKIM (and/or SPF) to determine if an email is authentic.

When an email is received:

  1. The mail server checks the DKIM signature using the public key in DNS.
  2. If the DKIM check passes, it means the message is unaltered and comes from the domain that signed it.
  3. DMARC then checks alignment — the domain in the DKIM signature must match the domain in the “From” address.
  4. If DKIM is aligned and valid, DMARC passes, even if SPF fails.
  5. DMARC enforces this policy and can quarantine or reject failed messages.
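The evaluation steps above, written out as an added example (not code from the original post or from Microsoft or Cloudflare). The domains and records are constructed placeholders, and the two-label organizational domain is a simplifying assumption; real receivers use the Public Suffix List.

```python
# Added example (not from the original post): simplified DMARC evaluation.
# Assumption: organizational domain = last two labels; real receivers use the
# Public Suffix List. The pct= and sp= tags are ignored here.

def parse_dmarc(txt):
    """Parse a _dmarc TXT value into a tag dict; None if it is not valid DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":                          # strict: exact match only
        return a == f
    return org_domain(a) == org_domain(f)    # relaxed (the default)

def evaluate(from_domain, dmarc_txt, dkim, spf):
    """dkim: list of (d= domain, verified); spf: (MAIL FROM domain, passed).
    Returns (dmarc_pass, disposition)."""
    policy = parse_dmarc(dmarc_txt)
    if policy is None:
        return (False, "no-policy")
    dkim_ok = any(ok and aligned(d, from_domain, policy.get("adkim", "r"))
                  for d, ok in dkim)
    spf_ok = spf[1] and aligned(spf[0], from_domain, policy.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return (True, "deliver")
    # Policy p=none only monitors; quarantine/reject are enforced on failure.
    return (False, "deliver" if policy["p"] == "none" else policy["p"])

if __name__ == "__main__":
    # Constructed sample data: example.com and the records are placeholders.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # Aligned DKIM passes even though SPF failed (e.g. after forwarding).
    print(evaluate("example.com", record, [("example.com", True)], ("relay.test", False)))
    # Valid signature from another domain: DKIM passes but is not aligned.
    print(evaluate("example.com", record, [("example.onmicrosoft.com", True)], ("relay.test", False)))
```

The second case shows why a valid DKIM signature alone is not enough: the signing domain must also align with the "From" domain before DMARC passes.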

DMARC Management with Cloudflare

When setting up a secure mail server using Microsoft 365, it’s essential to protect your domain from spoofing. Cloudflare makes managing DMARC easy through its Email Security tools. Once your domain is connected to Cloudflare, head to the DNS tab and add a DMARC record (type TXT, name _dmarc). Cloudflare also provides a user-friendly DMARC Management interface, allowing you to configure policies (none, quarantine, or reject) and set reporting addresses. These reports help you monitor who’s sending emails on behalf of your domain. Cloudflare even displays summarized DMARC data, giving you basic insights without needing third-party tools. For Microsoft 365, ensure that SPF and DKIM are already set up in your DNS. With DMARC added through Cloudflare, your email domain gains an extra layer of protection — ensuring only legitimate sources (like Microsoft 365) can send email, and helping prevent phishing attacks that impersonate your domain.

Enable DMARC Management in Cloudflare

Go to your domain, then Email and DMARC Management, and click “Enable DMARC Management”.

You will be prompted to add the TXT record. Once it has been entered, the management console will be available.

Our mail server is now operational with Microsoft 365, and an external verification using MXToolbox confirms that our mail server is correctly configured for Microsoft 365.

Summary

Once your domain is successfully added and verified in Microsoft 365, your mail server will be fully operational. An external check using MXToolbox can further confirm that your domain’s MX, SPF, and DKIM records are correctly configured.

With your domain now set up, you can move forward with configuring additional services, such as Teams, SharePoint, and security settings, to optimize your Microsoft 365 environment. If you run into any issues, double-check your DNS records and allow time for propagation.