How to Setup DMARC for Office 365: A Step-by-Step Guide
by
Reading Time: 10 min
Microsoft supports and encourages DMARC for Office 365 users which allows them to adopt email authentication protocols unanimously across all their registered domains. In this blog we explain the processes to set up DMARC for Office 365 to validate any Office 365 emails that have:
- Online Email Routing Addresses with Microsoft
- Custom domains added in the admin center
- Parked or inactive, but registered domains
In Q2 of 2023, Microsoft was dubbed the most impersonated brand in phishing scams by various sources. Protocols like DMARC are imperative to amp up your defense mechanism.
Let’s find out how to set up DMARC in Office 365 to prevent sophisticated email threats.
How to Set Up DMARC for Office 365
DMARC or Domain-based Message Authentication, Reporting, and Conformance exists as a TXT record in your domain’s DNS. DMARC acts as a primary defense against email-borne threats originating from your own domain. Before you configure DMARC, your domain must contain records for either SPF or DKIM or better still, both, for advanced protection.
If you are using a custom domain, given below are the steps to create your DMARC record. Note that it is not mandatory to configure both SPF and DKIM to set up DMARC. It is however recommended to add an additional layer of protection.
Things to Consider Before Getting Started
According to Microsoft’s documents:
- If you use MOERA (Microsoft Online Email Routing Address) which should end with onmicrosoft.com, SPF and DKIM will already be configured for it. However, you will need to create your DMARC records using the Microsoft 365 admin center.
- If you use a custom domain(s) like example.com, you will need to manually configure SPF, DKIM, and DMARC for your domain.
- For your parked domains (inactive domains), Microsoft recommends that you make sure you are explicitly specifying that no emails should be sent from them. Else, these domains may be used in spoofing and phishing attacks.
- For forwarded or modified messages in transit, it is essential that you set up ARC. This helps preserve your original email authentication headers despite modifications, for accurate authentication.
Step 1: Identify valid email sources for your domain
These would be source IP addresses (including third parties) that you want to allow to send emails on your behalf.
Step 2: Set up SPF for your domain
Now you need to configure SPF for sender verification. To do so, create an SPF TXT record that would include all your valid sending sources including external email vendors. You can sign up on PowerDMARC for free and use our SPF record generator tool to create your record.
Step 3: Set up DKIM for Office 365 on your domain
You will need either SPF or DKIM configured for your domain for you to enable DMARC Office 365. We recommend that you set up DKIM and DMARC on Office 365 for an additional layer of security to your domain’s emails. You can sign up on PowerDMARC for free and use our DKIM record generator tool to create your record.
Step 4: Create a DMARC TXT record
You can use PowerDMARC’s free DMARC record generator for this step. Generate a record instantly with the correct syntax to publish in your DNS and configure DMARC for your domain!
Note that only an enforcement policy of reject can effectively prevent impersonation attacks. We recommend that you start with a none policy and regularly monitor your email traffic. Do this for some time before finally shifting to enforcement.
For your DMARC record, define your policy mode (none/quarantine/reject), and an email address in the “rua” field if you wish to receive DMARC reports.
| DMARC Policy | Policy Type | Syntax | Action |
|---|---|---|---|
| none | relaxed/no-action/permissive | p=none; | Take no action against messages that fail authentication, i.e. deliver them. |
| quarantine | enforced | p=quarantine; | Quarantine messages that fail DMARC |
| reject | enforced | p=reject; | Discard messages that fail DMARC |
Your DMARC record syntax may look like this:
v=DMARC1; p=reject; rua=mailto:[email protected];
This record has an enforced policy of “reject” and has DMARC aggregate reporting enabled for the domain.
Steps to Add Office 365 DMARC Record Using Microsoft Admin Center
To add your DMARC Office 365 record for MOERA domains (*onmicrosoft.com domains), these are the steps:
1. Login to your Microsoft admin center
2. Go to Show all > Settings > Domains
3. Select your *onmicrosoft.com domain from the domains list on the Domains page to open the Domain details page
4. Click on the DNS records tab on this page and select + Add record
5. A text box will appear to add a new DMARC record, with various fields. Given below are the values you should fill in for the specific fields:
Type: TXT
Name: _dmarc
TTL: 1 hour
Value: (paste the value of the DMARC record you created)
6. Click on Save
Adding Office 365 DMARC Record for Your Custom Domain
If you have a custom domain like example.com, we have covered a detailed guide on how to setup DMARC. You can follow the steps in our guide to easily configure the protocol. Microsoft makes a few valuable recommendations while configuring DMARC for custom domains. We agree with these tips and suggest them to our clients as well! Let’s explore what they are:
- When configuring DMARC, start with a none policy
- Slowly transition to quarantine and then reject
- You may also keep a low percentage (pct) value for policy impact by starting at 10 and slowly increasing it to 100
- Make sure you have DMARC reporting enabled to monitor your email channels regularly
Adding A DMARC Office 365 Record for Inactive Domains
We have covered a detailed guide on securing your inactive/parked domains with SPF, DKIM, and DMARC. You can go through the detailed steps there, but for a quick overview, even your inactive domains need to have DMARC configured.
Simply publish a DMARC record by accessing your DNS management console for the inactive domain. If you don’t have access to your DNS, contact your DNS provider today. This record can be configured to reject all messages originating from inactive domains that fail DMARC:
v=DMARC1; p=reject;
Setup DMARC for Office 365 the right way with PowerDMARC!
Why Set Up DMARC For Office 365?
Office 365 comes with anti-spam solutions and email security gateways already integrated into its security suite. So why would you require a DMARC policy in Office 365 for authentication? This is because these solutions only protect against inbound phishing emails sent to your domain. DMARC authentication protocol is your outbound phishing prevention solution. It allows domain owners to specify to receiving mail servers how to respond to emails sent from your domain that fail authentication. DMARC also reduces the risk of legitimate messages landing in the spam folder.
DMARC makes use of two standard authentication practices, namely SPF and DKIM. These validate emails for authenticity. Your Office 365 DMARC policy at enforcement can offer enhanced protection against impersonation attacks and spoofing.
Setting up DMARC for business emails is more important than ever in the current scenario because:
- Federal agencies have issued warnings against hackers exploiting absent or weak DMARC policies
- DMARC compliance is mandatory for Yahoo and Google bulk senders
- The FBI’s IC3 report singles out the US as the most affected country in phishing attacks
- IBM reports that one in every five companies are affected by data breaches due to lost or stolen credentials
Do You Really Need DMARC While Using Office 365?
There’s a common misconception among businesses: they feel that Office 365 ensures safety from spam and fraudulent emails. However, in May 2020, a series of phishing attacks were conducted on several Middle Eastern insurance firms. Attackers used Office 365, causing significant data loss and security breaches. So here’s what we learned from this:
Reason 1: Microsoft’s security solution isn’t foolproof
This is why simply relying on Microsoft’s integrated security solutions is not enough. External efforts must be made to protect your domain can be a huge mistake.
Reason 2: You need to set up DMARC for Office 365 for protection against outbound attacks
While Office 365’s integrated security solutions can offer protection against inbound email threats and phishing attempts, you still need to ensure that outbound messages sent from your own domain are authenticated effectively before landing in the inboxes of your customers and partners. This is where DMARC for Office 365 steps in.
Reason 3: DMARC will help you monitor your email channels
DMARC not only protects your domain against direct domain spoofing and phishing attacks. It also helps you monitor your email channels. Whether you are on an enforced policy like “reject/quarantine”, or on a more lenient policy like “none”, you can track your authentication results with DMARC reports. These reports are sent either to your email address or to a DMARC report analyzer tool. Monitoring ensures your legitimate emails are successfully delivered.
How Does DMARC Work in Office 365?
To implement DMARC in Office 365, domain owners need to publish DMARC records in their DNS settings. They can specify their preferred policy (none, quarantine, or reject). They can even configure their spoofed Office 365 emails to be rejected by receiving servers.
Office 365 admins can manage DMARC settings through the Exchange admin center or PowerShell commands.
You can also set up DMARC in Office 365 to request reports about how your domain’s email is being handled by third parties.
What Happens if the DMARC Policy is Not Enabled in Office 365?
If you don’t enable DMARC for Office 365, you are at risk of having your domain spoofed.
DMARC is designed to help protect your domain from being spoofed by email senders who want to gain access to your email systems and use them for fraud or phishing.
Without a policy defined, your record is as good as inactive. If you don’t enable a DMARC policy for Office 365 emails, it means that anyone can send emails on behalf of your domain, even if they don’t have permission to do so. It also makes it impossible for you to determine who sent the message and whether or not it came from an authorized source.
As a domain owner, you always need to look out for threat actors launching domain spoofing attacks and phishing attacks to use your domain or brand name to carry out malicious activities. No matter what email exchange solution you use, protecting your domain from spoofing and impersonation is imperative to ensure brand credibility and maintain trust among your esteemed customer base.
5 Reasons Why You Need PowerDMARC While Using Microsoft Office 365
Microsoft Office 365 provides users with a host of cloud-based services and solutions along with integrated anti-spam filters. However, despite the various advantages, these are the drawbacks you might face while using it from a security perspective:
- No solution for validating outbound messages sent from your domain
- No reporting mechanism for emails failing authentication checks
- No visibility into your email ecosystem
- No dashboard to manage and monitor your inbound mail and outbound email flow
- No mechanism to ensure your SPF record is always under the 10-lookup limit
DMARC Reporting and Monitoring with PowerDMARC
PowerDMARC seamlessly integrates with Office 365 to empower domain owners with advanced authentication solutions that protect against sophisticated social engineering attacks like BEC and direct-domain spoofing.
When you sign up with PowerDMARC you are signing up for a multi-tenant SaaS platform that not only assembles all email authentication best practices (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI) but also provides an extensive and in-depth dmarc reporting mechanism, that offers complete visibility into your email ecosystem. DMARC reports on the PowerDMARC dashboard are generated in two formats:
- Aggregate Reports
- Forensic reports
We have strived to make the authentication experience better for you by solving various industry problems. We ensure the encryption of your DMARC forensic reports as well as display aggregate reports in 7 different views for enhanced user experience and clarity.
PowerDMARC helps you monitor email flow and authentication failures, and blacklist malicious IP addresses from all over the world. Our DMARC analyzer aids you in configuring DMARC correctly for your domain and shifting from monitoring to enforcement in no time. This can help you enable DMARC office 365 without worrying about the complexities involved.
DMARC for Office 365 FAQs
Content Review and Fact-Checking Process
The information on the Office 365 DMARC setup process has been taken from official Microsoft documentation. The document may be updated in the future depending on changes made by developers on the Microsoft portal. The recommendations mentioned in the article are based on what has worked for our clients in real time and may help you too.
Domain & Email Security Expert at PowerDMARC
Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.
Latest posts by Yunes Tarada (see all)
- BreakSPF Attacks: Outsmart the Hackers and Protect Your Email - November 13, 2024
- PowerDMARC Integrates with ConnectWise - October 31, 2024
- What is Datagram Transport Layer Security (DTLS): Benefits & Challenges - October 29, 2024
