Configure SPF

SPF uses DNS to tell other mailservers which servers are authorized to send emails for your domain name. See https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide for details re configuring SPF with Office 365

Configure DKIM

DKIM uses DNS to tell other mailservers how to authenticate that email was actually sent from a valid email server for your domain name. See https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide for details re configuring DKIM with Office 365

Configure DKIM - 

https://security.microsoft.com/dkimv2

Add keys - 

Selector1._domainkey

selector2._domainkey

Wait about an hour and set the domain as the default signing domain. 

Have the customer send test email - https://www.appmaildev.com/

Verify and validate the DKIM, are they sending on their own domain or onmicrosoft?

• Enable DKIM - https://www.undocumented-features.com/2019/08/13/exchange-online-protection-eop-best-practices-and-recommendations/#Enable_DKIM_for_each_custom_domain_in_your_tenant

Configure DMARC

DMARC leverages SPF and DKIM (above) to tell other organizations how you’d prefer they deal with email they receive which doesn’t match your SPF/DKIM configuration (above). This is a complex topic (see DMARC Report support docs for details), but a good starting point is Microsoft’s documentation, at https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide