r/CloudFlare: Help with SPF and DKIM using office 365 when CLOUDFLARE is registrar

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/wi5yrm/help_with_spf_and_dkim_using_office_365_when/

Question

Hello, I have purchased Office 365 to get email using Outlook. I am now stuck trying to configure the security records. My registrar is CLOUDFLARE. For the DKIM, I am using the CLOUDFLARE security wizard and it is asking for:

Selector (and it states, Uniquely identify a DKIM a public key on this domain)

Content (Enter the DKIM record content from your email provider). My email provider is Microsoft 365.

2) Another question: can we set up the DKIM security in CLOUDFLARE using the wizard, or will I have to set it up in Office 365?

I am also trying to set up SPF and it is asking for IP addresses, either IPv4 or IPv6. Are those IPs from my hosting provider?

It is also asking for domains you would like to include. Do I include my domain here?

Thank you for any help

Answer

MS365/O365 is able to set up all domain DNS records for you when it detects that your domain nameservers are with Cloudflare.

It will tell you that is the case and give you an extra option to automatically do it. Since I assume you bought a Microsoft 365 Business Basic license, just select the Exchange Online + Online Protection service, and leave Skype for Business and Microsoft 365 Device Management off, since you won't be using those.

For DKIM, you have to go to security.microsoft.com and then, under the "Email & collaboration" category, open "Policies & rules". Then, on the right, go to "Threat policies" and you will find DKIM as the 8th option overall or the 3rd option under "Rules". After that, click on your domain, enable "Sign messages for this domain with DKIM signatures" and it will tell you the exact records you have to enter with Cloudflare. They will look like this: selector1-domain-tld._domainkey.365alias.onmicrosoft.com and selector2-domain-tld._domainkey.365alias.onmicrosoft.com. Enter those as CNAMEs with Cloudflare in DNS, so Type is CNAME, Name is selector1._domainkey and selector2._domainkey respectively, Target is the names with onmicrosoft.com in it that it gave above, and Proxy status has to be DNS only.

DMARC is very advanced, don't worry about that for now. When you set up mail and DKIM successfully, come back to me and I will generate the correct record for you.
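
The DKIM record layout described in the answer can be checked mechanically before enabling signing. The following is an added example, not part of the original Reddit thread: example.com and the tenant alias exampletenant are constructed, and the record fields (type, name, content, proxied) are assumed to come from a Cloudflare DNS record listing, where name is the full hostname. The values shown in the Microsoft portal remain authoritative if they differ from the pattern.

```python
# Added example: lint Cloudflare DNS records against the DKIM CNAME layout
# described in the answer. All domain names below are constructed.

def expected_dkim_cnames(domain, alias):
    """Build name -> target for both selectors from the answer's pattern.

    domain: custom mail domain, e.g. "example.com"
    alias:  the part before .onmicrosoft.com (assumed known from the tenant)
    """
    domain = domain.lower().rstrip(".")
    label = domain.replace(".", "-")  # example.com -> example-com
    return {
        f"selector{n}._domainkey.{domain}":
            f"selector{n}-{label}._domainkey.{alias.lower()}.onmicrosoft.com"
        for n in (1, 2)
    }

def lint_dkim(records, domain, alias):
    """Return a list of problems; an empty list means both records look right."""
    problems = []
    for name, target in expected_dkim_cnames(domain, alias).items():
        matches = [r for r in records if r["name"].lower().rstrip(".") == name]
        if not matches:
            problems.append(f"{name}: record missing")
            continue
        for r in matches:
            if r["type"] != "CNAME":
                problems.append(f"{name}: type is {r['type']}, expected CNAME")
                continue
            if r["content"].lower().rstrip(".") != target:
                problems.append(f"{name}: target is {r['content']}, expected {target}")
            if r.get("proxied"):
                problems.append(f"{name}: proxied, must be DNS only")
    return problems

# Constructed sample: selector1 is correct; selector2 has the proxy switched on
# and the selector1 target pasted in by mistake.
SAMPLE = [
    {"type": "CNAME", "name": "selector1._domainkey.example.com", "proxied": False,
     "content": "selector1-example-com._domainkey.exampletenant.onmicrosoft.com"},
    {"type": "CNAME", "name": "selector2._domainkey.example.com", "proxied": True,
     "content": "selector1-example-com._domainkey.exampletenant.onmicrosoft.com"},
]

if __name__ == "__main__":
    for problem in lint_dkim(SAMPLE, "example.com", "exampletenant"):
        print(problem)
```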