Microsoft supports and encourages DMARC for Office 365 users which allows them to adopt email authentication protocols unanimously across all their registered domains. In this blog we explain the processes to configure DMARC for Office 365 to validate any Office 365 emails that have:
- Online Email Routing Addresses with Microsoft
- Custom domains added in the admin center
- Parked or inactive, but registered domains
In Q2 of 2023, Microsoft was dubbed the most impersonated brand in phishing scams by various sources. Protocols like DMARC are imperative to amp up your defense mechanism.
Key Takeaways
- DMARC is essential for enhancing email security against domain spoofing and phishing.
- Setting up DMARC requires existing SPF or DKIM records for email authentication.
- Microsoft 365 handles inbound DMARC failures differently; use Transport Rules for strict enforcement (quarantine/reject).
- Gradually increase DMARC policy strictness (none to reject) while monitoring reports to avoid blocking legitimate mail.
- Configure DMARC even for inactive domains to prevent their unauthorized use.
Let’s find out how DMARC in Office 365 helps prevent sophisticated email threats.
How to Configure DMARC for Office 365
DMARC or Domain-based Message Authentication, Reporting, and Conformance exists as a TXT record in your domain’s DNS. DMARC acts as a primary defense against email-borne threats originating from your own domain. Before you configure DMARC, your domain must contain records for either SPF or DKIM or better still, both, for advanced protection.
If you are using a custom domain, the steps to create your DMARC record are given below. Note that it is not mandatory to configure both SPF and DKIM to implement DMARC; doing so is, however, recommended as an additional layer of protection.
Things to Consider Before Getting Started
According to Microsoft’s documents:
- If you use MOERA (Microsoft Online Email Routing Address) which should end with onmicrosoft.com, SPF and DKIM will already be configured for it. However, you will need to create your DMARC records using the Microsoft 365 admin center.
- If you use a custom domain(s) like example.com, you will need to manually configure SPF, DKIM, and DMARC for your domain.
- For your parked domains (inactive domains), Microsoft recommends that you make sure you are explicitly specifying that no emails should be sent from them. Else, these domains may be used in spoofing and phishing attacks.
- For forwarded or modified messages in transit, it is essential that you set up ARC. This helps preserve your original email authentication headers despite modifications, for accurate authentication.
Step 1: Identify valid email sources for your domain
These would be source IP addresses (including third parties) that you want to allow to send emails on your behalf.
Step 2: Set up SPF for your domain
Now you need to configure SPF for sender verification. To do so, create an SPF TXT record that would include all your valid sending sources including external email vendors. You can sign up on PowerDMARC for free and use our SPF record generator tool to create your record.
Step 3: Set up DKIM for Office 365 on your domain
You will need either SPF or DKIM configured for your domain before you can enable DMARC for Office 365. We recommend that you set up both DKIM and DMARC on Office 365 for an additional layer of security for your domain’s emails. You can sign up on PowerDMARC for free and use our DKIM record generator tool to create your record.
Step 4: Create a DMARC TXT record
You can use PowerDMARC’s free DMARC record generator for this step. Generate a record instantly with the correct syntax to publish in your DNS and configure DMARC for your domain!
Note that only an enforcement policy of reject can effectively prevent impersonation attacks. We recommend that you start with a none policy and regularly monitor your email traffic. Do this for some time before finally shifting to enforcement. DMARC reject is not to be taken lightly as it may lead to the loss of legitimate emails if sending sources are not properly configured or monitored.
For your DMARC record, define your policy mode (none/quarantine/reject), and an email address in the “rua” field if you wish to receive DMARC aggregate reports.
| DMARC Policy | Policy Type | Syntax | Action |
|---|---|---|---|
| none | relaxed/no-action/permissive | p=none; | Take no action against messages that fail authentication, i.e. deliver them. |
| quarantine | enforced | p=quarantine; | Quarantine messages that fail DMARC |
| reject | enforced | p=reject; | Discard messages that fail DMARC |
Your DMARC record syntax may look like this:
v=DMARC1; p=reject; rua=mailto:[email protected];
This record has an enforced policy of “reject” and has DMARC aggregate reporting enabled for the domain.
Steps to Add Office 365 DMARC Record Using Microsoft Admin Center
To add your DMARC Office 365 record for MOERA domains (*onmicrosoft.com domains), these are the steps:
1. Login to your Microsoft admin center
2. Go to Show all > Settings > Domains
3. Select your *onmicrosoft.com domain from the domains list on the Domains page to open the Domain details page
4. Click on the DNS records tab on this page and select + Add record
5. A text box will appear to add a new DMARC record, with various fields. Given below are the values you should fill in for the specific fields:
Type: TXT
Name: _dmarc
TTL: 1 hour
Value: (paste the value of the DMARC record you created)
6. Click on Save
Adding Office 365 DMARC Record for Your Custom Domain
If you have a custom domain like example.com, we have covered a detailed guide on how to setup DMARC. You can follow the steps in our guide to easily configure the protocol. Microsoft makes a few valuable recommendations while configuring DMARC for custom domains. We agree with these tips and suggest them to our clients as well! Let’s explore what they are:
- When configuring DMARC, start with a none policy
- Slowly transition to quarantine and then reject
- You may also keep a low percentage (pct) value for policy impact by starting at 10 and slowly increasing it to 100
- Make sure you have DMARC reporting enabled to monitor your email channels regularly
Adding A DMARC Office 365 Record for Inactive Domains
We have covered a detailed guide on securing your inactive/parked domains with SPF, DKIM, and DMARC. You can go through the detailed steps there, but for a quick overview, even your inactive domains need to have DMARC configured.
Simply publish a DMARC record by accessing your DNS management console for the inactive domain. If you don’t have access to your DNS, contact your DNS provider today. This record can be configured to reject all messages originating from inactive domains that fail DMARC:
v=DMARC1; p=reject;
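Once a record is published for a MOERA, custom or parked domain, it is worth confirming that DNS actually serves what you intended. The following is an added example, not code from the article, Microsoft or PowerDMARC: it resolves `_dmarc.<domain>`, parses the tags discussed above (`p`, `pct`, `rua`, `ruf`) and flags records that are not yet at full enforcement. It assumes Windows PowerShell with the DnsClient module (`Resolve-DnsName`); the domain names are placeholders.

```powershell
# Added example: resolve and parse a domain's DMARC record (not from the original article).
# Assumes the DnsClient module (Resolve-DnsName). Domain names below are placeholders.
function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    $answers = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop
    # A TXT answer may be split into several strings; join them before parsing,
    # and keep only strings that start with the DMARC version tag.
    $records = @($answers | Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -match '^\s*v=DMARC1\b' })
    if ($records.Count -ne 1) {
        throw "Expected exactly one DMARC record for $Domain, found $($records.Count)"
    }
    # Tags are "name=value" pairs separated by semicolons.
    $tags = @{}
    foreach ($part in ($records[0] -split ';')) {
        if ($part -match '^\s*([a-z]+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if (-not $tags.ContainsKey('p')) { throw "Record has no p= tag: $($records[0])" }
    $pct = 100                                   # pct defaults to 100 when absent
    if ($tags.ContainsKey('pct')) { $pct = [int]$tags['pct'] }
    [pscustomobject]@{
        Domain    = $Domain
        Policy    = $tags['p']                   # none | quarantine | reject
        Percent   = $pct
        Aggregate = $tags['rua']                 # mailto: URI(s) for aggregate reports
        Forensic  = $tags['ruf']                 # mailto: URI(s) for forensic reports
        Enforced  = ($tags['p'] -in 'quarantine', 'reject') -and ($pct -eq 100)
        Raw       = $records[0]
    }
}

# Usage: check an active domain and a parked domain (placeholder names).
foreach ($d in 'example.com', 'parked-example.com') {
    try {
        $r = Get-DmarcPolicy -Domain $d
        if (-not $r.Enforced)  { Write-Warning "$d is not fully enforced: p=$($r.Policy) pct=$($r.Percent)" }
        if (-not $r.Aggregate) { Write-Warning "$d has no rua= address, so you will receive no aggregate reports" }
        $r
    } catch {
        Write-Warning "$d : $($_.Exception.Message)"
    }
}
```

A parked domain should come back with `Policy = reject` and `Enforced = True`; a domain still mid-rollout will show a lower `Percent` or `p=none`.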
Why Configure DMARC For Office 365?
Office 365 comes with anti-spam solutions and email security gateways already integrated into its security suite. So why would you require a DMARC policy in Office 365 for authentication? This is because these solutions primarily protect against inbound phishing emails sent to your domain. DMARC authentication protocol is your outbound phishing prevention solution. It allows domain owners to specify to receiving mail servers how to respond to emails sent from your domain that fail authentication. DMARC also reduces the risk of legitimate messages landing in the spam folder. It is crucial to note that DMARC primarily protects against direct-domain spoofing (using your exact domain name) and doesn’t inherently protect against lookalike domain spoofing (using visually similar domain names).
DMARC makes use of two standard authentication practices, namely SPF and DKIM. These validate emails for authenticity. Your Office 365 DMARC policy at enforcement can offer enhanced protection against impersonation attacks and spoofing.
Setting up DMARC for business emails is more important than ever in the current scenario because:
- Federal agencies have issued warnings against hackers exploiting absent or weak DMARC policies
- DMARC compliance is mandatory for Yahoo and Google bulk senders
- The FBI’s IC3 report singles out the US as the most affected country in phishing attacks
- IBM reports that one in every five companies is affected by data breaches due to lost or stolen credentials
Do You Really Need DMARC While Using Office 365?
There’s a common misconception among businesses: they feel that Office 365 ensures safety from spam and fraudulent emails. However, in May 2020, a series of phishing attacks were conducted on several Middle Eastern insurance firms. Attackers used Office 365, causing significant data loss and security breaches. So here’s what we learned from this:
Reason 1: Microsoft’s security solution isn’t foolproof
This is why relying solely on Microsoft’s integrated security solutions is not enough, and assuming they are sufficient can be a huge mistake. External efforts must be made to protect your domain.
Reason 2: You need to configure DMARC for Office 365 for protection against outbound attacks
While Office 365’s integrated security solutions can offer protection against inbound email threats and phishing attempts, you still need to ensure that outbound messages sent from your own domain are authenticated effectively before landing in the inboxes of your customers and partners. This is where DMARC for Office 365 steps in.
Reason 3: DMARC will help you monitor your email channels
DMARC not only protects your domain against direct domain spoofing and phishing attacks. It also helps you monitor your email channels. Whether you are on an enforced policy like “reject/quarantine”, or on a more lenient policy like “none”, you can track your authentication results with DMARC reports. These reports are sent either to your email address or to a DMARC report analyzer tool. Monitoring ensures your legitimate emails are successfully delivered.
How Does DMARC Work in Office 365?
To implement DMARC in Office 365, domain owners need to publish a DMARC record in their DNS settings. This record tells receiving mail servers how to handle emails claiming to be from your domain that fail SPF or DKIM checks, according to your specified policy (none, quarantine, or reject). By setting the policy to `p=reject`, domain owners instruct receiving servers to reject emails that spoof their Office 365 domain.
Office 365 admins can manage DMARC settings through the Exchange admin center or PowerShell commands.
You can also implement DMARC in Office 365 to request aggregate (RUA) and forensic (RUF) reports about how your domain’s email is being handled by third parties and how it is performing against authentication checks.
How Microsoft 365 Handles Inbound Emails Failing DMARC
A crucial point to understand is how Microsoft 365 handles inbound emails that fail the DMARC check specified by the *sender’s* DMARC policy. By default, Microsoft 365 inbound emails failing DMARC do not get automatically rejected, even if the sender’s DMARC policy is set to “p=reject”.
Microsoft 365 takes this approach primarily to avoid blocking legitimate emails (false positives). This can happen due to:
- Email forwarding scenarios or mailing lists which can break SPF and DKIM alignment.
- Configuration problems or incomplete rollouts on the sender’s side.
Instead of rejecting, Microsoft 365 email security typically marks these messages as spam. While this prevents potential loss of legitimate mail, it also means that malicious emails spoofing a domain with a p=reject policy might still reach a user’s Junk Email folder instead of being blocked outright. Users might also inadvertently bypass this by adding senders to a “safe sender” list.
Using Transport Rules to Enforce DMARC for Inbound Mail
To gain stricter control over inbound emails failing DMARC checks, you can create Exchange Mail Flow Rules (Transport Rules) in the Exchange Online admin center. These rules allow you to define specific actions based on DMARC failure, overriding the default behavior. You can target these rules based on whether the sender is internal or external.
Here’s a general process to create a transport rule for DMARC enforcement:
- Log in to your Exchange Online admin center.
- Navigate to Mail flow > Rules.
- Click + Add a rule and select Create a new rule.
- Give your rule a name (e.g., “DMARC Fail – Quarantine Internal Spoofing”, “DMARC Fail – Reject External”).
- Under “Apply this rule if…”, select “The message headers…” then “includes any of these words”.
- Click “Enter text…” and specify the header name: Authentication-Results
- Click “Enter words…” and add the phrase: dmarc=fail
- Optionally, add another condition to specify the sender’s location:
  - To target spoofing of your own domain(s): Add condition “The sender…” > “domain is…” and enter your internal domain(s). Set “Match sender address in message” to “Header”.
  - To target external domains failing DMARC: Add condition “The sender…” > “is external/internal” > “Outside the organization”.
- Under “Do the following…”, select the desired action:
  - Quarantine: Select “Modify the message properties…” > “set the spam confidence level (SCL)” to 9 (or use “Deliver the message to the hosted quarantine” depending on your setup). Often used for suspected internal spoofing.
  - Prepend Disclaimer: Select “Apply a disclaimer to the message…” > “prepend a disclaimer”. Add warning text (e.g., “CAUTION: This email failed DMARC authentication and may be fraudulent.”). Useful for external domain failures where you want to warn users but not block potentially misconfigured legitimate mail.
  - Reject: Select “Block the message…” > “reject the message and include an explanation” or “delete the message without notifying anyone”. This is the strictest option.
- Configure exceptions if needed (e.g., specific sender IPs or domains that should bypass the rule).
- Review settings and click Save. Activate the rule.
Note: Before enforcing rules that quarantine or reject mail, it is highly recommended to test them thoroughly, perhaps initially in “Test without Policy Tips” mode or on a limited group of users. Ensure your own authorized senders are passing DMARC checks correctly to avoid unintended blocking of legitimate emails.
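The same two rules can be scripted instead of clicked through. The block below is an added example, not code from the article, Microsoft or PowerDMARC, and uses the `ExchangeOnlineManagement` module’s `New-TransportRule`; the rule names, domains and the exempted relay IP range are placeholders. The internal-spoofing rule is created in Audit mode, which is the PowerShell equivalent of the “Test without Policy Tips” option recommended in the note above.

```powershell
# Added example (not from the original article): PowerShell equivalents of the two
# transport rules described above, via the ExchangeOnlineManagement module.
# Rule names, domains and the relay IP range are placeholders.
Connect-ExchangeOnline   # interactive sign-in as an Exchange administrator

$internalDomains = @('example.com', 'example.net')   # your own sending domains
$trustedRelayIps = @('192.0.2.0/24')                  # placeholder: a relay exempted from the rule

# Rule 1: a message whose header From (the address users see) is one of your own
# domains but that failed DMARC is almost certainly spoofing, so raise its SCL to 9.
# Start in Audit mode and switch to Enforce once the rule hits only what you expect.
New-TransportRule -Name 'DMARC Fail - Quarantine Internal Spoofing' `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=fail' `
    -SenderDomainIs $internalDomains `
    -SenderAddressLocation Header `
    -ExceptIfSenderIpRanges $trustedRelayIps `
    -SetSCL 9 `
    -Mode Audit `
    -Priority 0

# Rule 2: external senders failing DMARC get a warning banner rather than a block,
# because forwarding and misconfigured third parties also produce dmarc=fail.
New-TransportRule -Name 'DMARC Fail - Warn External' `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=fail' `
    -FromScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:red">CAUTION: This email failed DMARC authentication and may be fraudulent.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce `
    -Priority 1

# Review what was created. Once audit results look clean, promote Rule 1 with:
#   Set-TransportRule -Identity 'DMARC Fail - Quarantine Internal Spoofing' -Mode Enforce
Get-TransportRule | Where-Object Name -like 'DMARC Fail*' |
    Format-Table Name, State, Mode, Priority
```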
What Happens if the DMARC Policy is Not Enabled in Office 365?
If you don’t publish a DMARC record for your Office 365 domain, or if you publish one with a policy of `p=none` without monitoring, you are at significant risk of having your domain spoofed.
DMARC is designed to help protect your domain from being spoofed by email senders who want to gain access to your email systems and use them for fraud or phishing.
Without a DMARC record, receiving mail servers have no instruction from you on how to verify emails claiming to be from your domain or what to do if they fail checks. If you have a `p=none` policy, failing emails will still be delivered, offering no protection against spoofing (though reporting can still provide visibility). It means that anyone can attempt to send emails on behalf of your domain, even if they don’t have permission to do so. It also makes it harder for recipients to determine if a message genuinely came from an authorized source associated with your domain.
As a domain owner, you always need to look out for threat actors launching domain spoofing attacks and phishing attacks to use your domain or brand name to carry out malicious activities. No matter what email exchange solution you use, protecting your domain from spoofing and impersonation is imperative to ensure brand credibility and maintain trust among your esteemed customer base.
Why Use PowerDMARC with Office 365?
Microsoft Office 365 provides users with a host of cloud-based services and solutions along with integrated anti-spam filters. However, despite the various advantages, these are the drawbacks you might face while using it from a security perspective:
- No solution for validating outbound messages sent from your domain (Requires manual SPF/DKIM/DMARC setup)
- No built-in user-friendly reporting mechanism for emails failing authentication checks (Raw XML reports need parsing)
- Limited visibility into your overall email ecosystem and authentication posture
- No centralized dashboard to manage and monitor your DMARC deployment across multiple domains
- No automated mechanism to ensure your SPF record stays under the 10-lookup limit (Requires manual management or tools like SPF Flattening)
DMARC Reporting and Monitoring with PowerDMARC
PowerDMARC seamlessly integrates with Office 365 to empower domain owners with advanced authentication solutions that protect against sophisticated social engineering attacks like BEC and direct-domain spoofing.
When you sign up with PowerDMARC you are signing up for a multi-tenant SaaS platform that not only assembles all email authentication best practices (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI) but also provides an extensive and in-depth DMARC reporting mechanism that offers complete visibility into your email ecosystem. DMARC reports on the PowerDMARC dashboard are generated in two formats:
- Aggregate Reports (RUA)
- Forensic reports (RUF – if enabled and supported by reporter)
We have strived to make the authentication experience better for you by solving various industry problems. We ensure the encryption of your DMARC forensic reports as well as display aggregate reports in 7 different views for enhanced user experience and clarity.
PowerDMARC helps you monitor email flow and authentication failures, and blacklist malicious IP addresses from all over the world. Our DMARC analyzer aids you in configuring DMARC correctly for your domain and shifting from monitoring to enforcement in no time. This can help you enable DMARC for Office 365 without worrying about the complexities involved.
Content Review and Fact-Checking Process
The information on the Office 365 DMARC setup process has been primarily sourced from official Microsoft documentation and practical experience. This documentation may be updated by Microsoft. The recommendations mentioned in the article, including the use of transport rules and gradual policy rollout, are based on industry best practices and real-world client experiences.