Adding DMARC, SPF, and DKIM records in Azure DNS

Azure DNS is the friendliest of the cloud providers for DKIM: you paste the whole long key into one box and Azure splits it for you. Here is the portal path, the apex rule, and the one role you need.

Before you start: confirm Azure answers your DNS

Azure DNS gives each zone four nameservers, one per top-level domain for resilience, looking like ns1-NN.azure-dns.com, ns2-NN.azure-dns.net, ns3-NN.azure-dns.org, and ns4-NN.azure-dns.info (the NN is a number assigned to your zone, not always 01). Confirm your domain is delegated to them:

dig +short NS yourdomain.com

If the answers end in azure-dns.*, follow the steps below. If not, your live DNS is answered elsewhere.

Step 1: Open the DNS zone

  1. In the Azure portal search box at the top, enter DNS zones and select it from the results.
  2. Select the zone for your domain. If you have several subscriptions, make sure it is the right zone instance, since each instance has its own nameservers.

Step 2: Add the record set

On the zone page, open the Record sets tab and choose + Add. The pane is titled Add a record set. Use @ in the Name field for the apex, or a prefix for everything else. Choose TXT as the Type, set a TTL with its unit (Seconds, Minutes, or Hours), and enter the value.

DMARC

Name:      _dmarc
Type:      TXT
TTL:       1  (unit: Hours)
Value:     v=DMARC1; p=none; rua=mailto:you@yourdomain.com

Start at p=none, then tighten the policy once your reports are clean.

SPF

Name:      @
Type:      TXT
TTL:       1  (unit: Hours)
Value:     v=spf1 include:_spf.yourprovider.com ~all

Keep a single v=spf1 record at the apex. A TXT record set can hold several values, but your SPF policy must be one record, not split across two.

DKIM (the easy one)

Name:      selector._domainkey
Type:      TXT
TTL:       1  (unit: Hours)
Value:     v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG... (paste the whole key)

Paste the entire public key as a single string. From the portal, PowerShell, or the CLI, Azure automatically divides it into the 255-character segments DNS requires, so you never split it by hand. (Only the REST API expects pre-split strings, which matters for infrastructure-as-code, not for the portal.) A record set can total 4096 characters, plenty for any key.

MTA-STS pointer

Name:      _mta-sts
Type:      TXT
TTL:       1  (unit: Hours)
Value:     v=STSv1; id=20260623000000

Pointer only. The policy file is served over HTTPS at mta-sts.yourdomain.com, which trustyourinbox can host. TLS-RPT (_smtp._tls) follows the same shape. Choose Add to save.

Azure quirks that bite

  • Delegation without the trailing dot. When you point your registrar at the four Azure nameservers, copy each address exactly, including the trailing dot (.). Some registrars add it for you; some do not, and a missing dot breaks delegation.
  • Editing the wrong zone instance. The same zone name can exist in more than one resource group or subscription, each with different nameservers. Edit the instance your domain is actually delegated to.
  • Splitting SPF across the record set. A TXT set holds multiple values, but SPF and DMARC each want exactly one record at their name.

The role you need

To manage records you need the DNS Zone Contributor built-in role on the zone (for public zones, this is the narrow, correct choice; Private DNS Zone Contributor is a separate role for private zones). It is scoped to DNS only, so it is a better fit than the broad Contributor role.

Step 3: Verify it published

dig +short TXT _dmarc.yourdomain.com
dig +short TXT yourdomain.com | grep spf1
dig +short TXT selector._domainkey.yourdomain.com

Or paste the hostname into dns.google with type TXT. The record is live the moment the lookup returns it; other resolvers catch up as the old TTL expires.
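
For records too long for one DNS string, dig prints each record as several quoted segments on one line, so a raw grep can mislead. The sketch below is an added example, not trustyourinbox or Azure code: it pre-splits a value into 255-character strings (the shape the DKIM section says only the REST API expects), joins dig output back into whole records, and flags a name that publishes more than one SPF or DMARC record. The function names are hypothetical and every sample value is constructed.

```python
import shlex

MAX_TXT_STRING = 255  # one DNS TXT character-string holds at most 255 bytes

def split_txt(value, size=MAX_TXT_STRING):
    """Pre-split a long ASCII value (e.g. a DKIM key) into DNS-sized strings."""
    return [value[i:i + size] for i in range(0, len(value), size)]

def join_dig_line(line):
    """One `dig +short TXT` line is one record: quoted strings to concatenate."""
    return "".join(shlex.split(line))

def audit(dig_output, tag):
    """Return (records whose version tag is `tag`, list of problems found)."""
    records = [join_dig_line(l) for l in dig_output.splitlines() if l.strip()]
    tag = tag.lower()
    # The tag must be followed by end of record, a space, or a semicolon,
    # so "v=spf1" does not match an unrelated value such as "v=spf10".
    matching = [r for r in records
                if r.lower().startswith(tag)
                and r[len(tag):len(tag) + 1] in ("", " ", ";")]
    problems = []
    if not matching:
        problems.append(f"no {tag} record published")
    elif len(matching) > 1:
        problems.append(f"{len(matching)} {tag} records, expected exactly one")
    return matching, problems

# Constructed sample data: the key body is filler, not a real public key.
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 400
SAMPLE_DKIM_DIG = " ".join(f'"{s}"' for s in split_txt(SAMPLE_DKIM))
SAMPLE_APEX_DIG = (
    '"v=spf1 include:_spf.yourprovider.com ~all"\n'
    '"v=spf1 include:_spf.otherprovider.example ~all"\n'
    '"constructed-site-verification=abc123"\n'
)
SAMPLE_DMARC_DIG = '"v=DMARC1; p=none; rua=mailto:you@yourdomain.com"\n'

if __name__ == "__main__":
    print([len(s) for s in split_txt(SAMPLE_DKIM)])
    print(join_dig_line(SAMPLE_DKIM_DIG) == SAMPLE_DKIM)
    for name, out, tag in (("apex", SAMPLE_APEX_DIG, "v=spf1"),
                           ("_dmarc", SAMPLE_DMARC_DIG, "v=DMARC1")):
        print(name, audit(out, tag)[1] or "ok")
```

To check a live name, pass the text printed by the dig commands above to audit() in place of the constructed samples.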

Tell trustyourinbox to recheck

Each per-domain protocol tab has a Recheck button next to the current record. Click it once the Azure change resolves, and we re-run the lookup and refresh the dashboard.


Last verified 2026-06-23 against the official Azure DNS documentation.
