SPF uses DNS to tell other mailservers which servers are authorized to send email for your domain name. See https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide for details on configuring SPF with Office 365.
DKIM uses DNS to publish the public keys that other mailservers use to verify that email was actually sent from a valid email server for your domain name. See https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide for details on configuring DKIM with Office 365.
Configure DKIM -
Add keys -
Wait about an hour and set the domain as the default signing domain.
Have the customer send a test email using https://www.appmaildev.com/
Verify and validate DKIM: are they sending on their own domain or on onmicrosoft?
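An added example (not part of the original notes or Microsoft's documentation) for the last check above: it reads the d= tag of each DKIM-Signature header in a test message and reports whether the signing domain is the customer's own domain or an onmicrosoft.com domain. The sample headers, contoso.com and the function names are constructed placeholders; the script does not verify the signature cryptographically, that is left to the test service.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not real mail); contoso.com is a placeholder domain.
SAMPLE_DEFAULT = """\
From: Alice <alice@contoso.com>
To: test@example.net
Subject: DKIM test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=contoso.onmicrosoft.com; s=selector1;
 h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER

body
"""
# Same message as it would look once the custom domain is the signing domain.
SAMPLE_CUSTOM = SAMPLE_DEFAULT.replace("d=contoso.onmicrosoft.com", "d=contoso.com")


def dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant; drop it.
            tags[name.strip()] = "".join(value.split())
    return tags


def signing_domain_report(raw_message):
    """Return (From domain, [(d= domain, kind), ...]) for every DKIM signature."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(value).get("d", "").lower()
        if d.endswith(".onmicrosoft.com"):
            kind = "onmicrosoft"   # still signed with the tenant's default domain
        elif d == from_domain or from_domain.endswith("." + d):
            # Simplified alignment check: d= equals or is a parent of the From domain.
            kind = "own-domain"
        else:
            kind = "other"
        report.append((d, kind))
    return from_domain, report


if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_CUSTOM):
        print(signing_domain_report(sample))
```

An empty list in the result means the message carried no DKIM-Signature header at all.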
DMARC leverages SPF and DKIM (above) to tell other organizations how you’d prefer they deal with email they receive which doesn’t match your SPF/DKIM configuration. This is a complex topic (see DMARC Report support docs for details), but a good starting point is Microsoft’s documentation at https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide