DMARC for Office 365: Step-by-Step Setup & Best Practices

Blog

Set up DMARC for Office 365 to stop spoofing and protect your domain. Follow our step-by-step guide and secure your email today.

by Yunes Tarada

Reading Time: 11 min
DMARC for Office 365: Step-by-Step Setup & Best Practices
Table Of Contents

Key Takeaways

  1. DMARC is essential for enhancing email security against domain spoofing and phishing.
  2. Setting up DMARC requires existing SPF or DKIM records for email authentication.
  3. Microsoft 365 handles inbound DMARC failures differently; use Transport Rules for strict enforcement (quarantine/reject).
  4. Gradually increase DMARC policy strictness (none to reject) while monitoring reports to avoid blocking legitimate mail.
  5. Configure DMARC even for inactive domains to prevent their unauthorized use.

Microsoft supports and encourages DMARC for Office 365 users which allows them to adopt email authentication protocols unanimously across all their registered domains. In this blog we explain the processes to configure DMARC for Office 365 to validate any Office 365 emails that have: 

  1. Online Email Routing Addresses with Microsoft 
  2. Custom domains added in the admin center
  3. Parked or inactive, but registered domains 

In Q2 of 2023, Microsoft was dubbed the most impersonated brand in phishing scams by various sources. Protocols like DMARC are imperative to amp up your defense mechanism.

Let’s find out how to DMARC in Office 365 helps prevent sophisticated email threats.

What is DMARC?

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol designed to protect your domain from email spoofing and phishing attacks. It builds on two existing standards: 

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)

These give domain owners greater control over how unauthenticated emails claiming to come from their domain are handled by receiving mail servers. 

When you implement DMARC for Office 365, you publish a DMARC policy as a DNS TXT record associated with your domain. This policy instructs email receivers whether to accept, quarantine, or reject messages that fail SPF and DKIM checks, significantly reducing the chances of malicious actors successfully impersonating your domain.

DMARC also provides valuable visibility through reporting mechanisms, enabling domain owners to receive detailed feedback about email authentication results. These reports help identify unauthorized email sources and improve overall email security posture.

Simplify DMARC for Office 365 with PowerDMARC!

Start 15-day trial Book a demo

Things to Consider Before Getting Started

According to Microsoft’s documents

  • If you use MOERA (Microsoft Online Email Routing Address) which should end with onmicrosoft.com, SPF and DKIM will already be configured for it. However, you will need to create your DMARC records using the Microsoft 365 admin center. 
  • If you use a custom domain(s) like example.com, you will need to manually configure SPF, DKIM, and DMARC for your domain. 
  • For your parked domains (inactive domains), Microsoft recommends that you make sure you are explicitly specifying that no emails should be sent from them. Else, these domains may be used in spoofing and phishing attacks.
  • For forwarded or modified messages in transit, it is essential that you set up ARC. This helps preserve your original email authentication headers despite modifications, for accurate authentication.

How to Configure DMARC for Office 365

Follow these step-by-step instructions to configure DMARC for Office 365 with confidence and clarity:

Step 1: Identify valid email sources for your domain

These would be source IP addresses (including third parties) that you want to allow to send emails on your behalf. 

Step 2: Set up SPF for your domain

Now you need to configure SPF for sender verification. To do so, create an SPF TXT record that would include all your valid sending sources including external email vendors. You can sign up on PowerDMARC for free and use our SPF record generator tool to create your record.

Step 3: Set up DKIM for Office 365 on your domain

You will need either SPF or DKIM configured for your domain for you to enable DMARC Office 365. We recommend that you set up DKIM and DMARC on Office 365 for an additional layer of security to your domain’s emails. You can sign up on PowerDMARC for free and use our DKIM record generator tool to create your record.  

Step 4: Create a DMARC TXT record

You can use PowerDMARC’s free DMARC record generator for this step. Generate a record instantly with the correct syntax to publish in your DNS and configure DMARC for your domain!

Note that only an enforcement policy of reject can effectively prevent impersonation attacks. We recommend that you start with a none policy and regularly monitor your email traffic. Do this for some time before finally shifting to enforcement. DMARC reject is not to be taken lightly as it may lead to the loss of legitimate emails if sending sources are not properly configured or monitored.

For your DMARC record, define your policy mode (none/quarantine/reject), and an email address in the “rua” field if you wish to receive DMARC aggregate reports.

DMARC PolicyPolicy TypeSyntaxAction
nonerelaxed/no-action/permissivep=none;Take no action against messages that fail authentication, i.e. deliver them.
quarantineenforcedp=quarantine;Quarantine messages that fail DMARC
rejectenforcedp=reject;Discard messages that fail DMARC

Your DMARC record syntax may look like this: 

v=DMARC1; p=reject; rua=mailto:[email protected];

This record has an enforced policy of “reject” and has DMARC aggregate reporting enabled for the domain. 

How to Add Office 365 DMARC Record Using Microsoft Admin Center

To add your DMARC Office 365 record for MOERA domains (*onmicrosoft.com domains), these are the steps: 

1. Login to your Microsoft admin center 

2. Go to Show all > Settings > Domains

3. Select your *onmicrosoft.com domain from the domains list on the Domains page to open the Domain details page

4. Click on the DNS records tab on this page and select + Add record 

5. A text box will appear to add a new DMARC record, with various fields. Given below are the values you should fill in for the specific fields: 

Type: TXT

Name: _dmarc

TTL: 1 hour 

Value: (paste the value of the DMARC record you created) 

6. Click on Save 

Adding Office 365 DMARC Record for Your Custom Domain

If you have a custom domain like example.com, we have covered a detailed guide on how to setup DMARC. You can follow the steps in our guide to easily configure the protocol. Microsoft makes a few valuable recommendations while configuring DMARC for custom domains. We agree with these tips and suggest them to our clients as well! Let’s explore what they are: 

  • When configuring DMARC, start with a none policy 
  • Slowly transition to quarantine and then reject 
  • You may also keep a low percentage (pct) value for policy impact by starting at 10 and slowly increasing it to 100
  • Make sure you have DMARC reporting enabled to monitor your email channels regularly 

Adding A DMARC Office 365 Record for Inactive Domains

We hav e covered a detailed guide on securing your inactive/parked domains with SPF, DKIM, and DMARC. You can go through the detailed steps there, but for a quick overview, even your inactive domains need to have DMARC configured. 

Simply publish a DMARC record by accessing your DNS management console for the inactive domain. If you don’t have access to your DNS, contact your DNS provider today. This record can be configured to reject all messages originating from inactive domains that fail DMARC: 

v=DMARC1; p=reject;

Configure DMARC for Office 365 the right way with PowerDMARC!

Start 15-day trial Book a demo

Why Configure DMARC For Office 365? 

Office 365 comes with anti-spam solutions and email security gateways already integrated into its security suite. So why would you require a DMARC policy in Office 365 for authentication? This is because these solutions primarily protect against inbound phishing emails sent to your domain. DMARC authentication protocol is your outbound phishing prevention solution. It allows domain owners to specify to receiving mail servers how to respond to emails sent from your domain that fail authentication. DMARC also reduces the risk of legitimate messages landing in the spam folder. It is crucial to note that DMARC primarily protects against direct-domain spoofing (using your exact domain name) and doesn’t inherently protect against lookalike domain spoofing (using visually similar domain names).

DMARC makes use of two standard authentication practices, namely SPF and DKIM. These validate emails for authenticity. Your Office 365 DMARC policy at enforcement can offer enhanced protection against impersonation attacks and spoofing.

Setting up DMARC for business emails is more important than ever in the current scenario because: 

  1. Federal agencies have issued warnings against hackers exploiting absent or weak DMARC policies
  2. DMARC compliance is mandatory for Yahoo and Google bulk senders 
  3. IBM reports that the average cost of a breach when attackers use compromised credentials is $4.8M

A real-world example of DMARC’s impact comes from HCIT, a managed service provider (MSP) that faced growing challenges with phishing and email spoofing targeting their clients. By implementing DMARC with PowerDMARC, HCIT successfully protected multiple domains, reduced impersonation risks, and improved email deliverability, demonstrating how the right solution can safeguard businesses and their customers from costly attacks.

Common Pitfalls and How to Avoid Them

While setting up DMARC for Office 365 significantly strengthens your domain’s email security, missteps in configuration can undermine its effectiveness. Here are some of the most common pitfalls businesses face and how you can proactively avoid them:

Forgetting Subdomain Policies

DMARC policies applied at the root domain (e.g., website.com) don’t automatically extend to subdomains like mail.website.com or news.website.com unless you explicitly specify it using the sp tag in your DMARC record.

This oversight creates a loophole that attackers love to exploit. Cybercriminals often target unprotected subdomains to send spoofed emails, bypassing your primary domain’s DMARC enforcement.

Solution: Add sp=reject; (or quarantine) to your DMARC policy to extend protection to all subdomains. Regularly audit your subdomains and apply strict policies to domains that shouldn’t send email at all.

Misconfigured SPF/DKIM Breaking DMARC

DMARC works only if SPF or DKIM checks pass and are properly aligned with the domain in the “From” header. It’s not enough for these protocols to simply exist. They must authenticate on behalf of the exact domain being used to send mail.

A few common issues:

  • SPF includes a third-party sender’s IP, but their envelope-from domain doesn’t align
  • DKIM is signing with a different domain than what appears in the “From” address
  • Records are syntactically incorrect or incomplete in your DNS

Solution: Use domain-specific tools to test SPF, DKIM, and DMARC configurations. Always check alignment—not just pass/fail status. Tools like PowerDMARC’s analyzer help visualize and validate proper setup, minimizing risks tied to broken authentication.

Third-Party Senders Failing Alignment

Services like Mailchimp, SendGrid, or Salesforce may support SPF and DKIM, but if they’re not correctly configured to align with your domain, DMARC will fail even if your DNS records look fine.

Misalignment with these platforms can result in your emails being flagged or blocked, which can affect deliverability and brand trust.

Solution:

  • Confirm that your third-party email services support DKIM signing using your domain and allow SPF alignment via envelope-from customization.
  • Always verify each platform’s documentation and test configurations.
  • Maintain a central list of all external senders used by your organization and periodically validate them for DMARC compliance.

No Reporting Address or Unreadable Reports

DMARC’s reporting function is one of its most powerful features, but only if it’s properly enabled. If you skip the rua (aggregate reports) or ruf (forensic reports) tags in your DMARC record, you lose all visibility into unauthorized sending attempts.

Even worse, if you do receive reports but direct them to a personal inbox, the volume and raw XML format can quickly become overwhelming and unusable.

Solution: Always specify rua and ruf tags in your DMARC record to activate reporting. Additionally, use a dedicated email address or a third-party DMARC report analyzer that can parse and visualize data in a digestible format.

Do You Really Need DMARC While Using Office 365?

There’s a common misconception among businesses: they feel that Office 365 ensures safety from spam and fraudulent emails. However, in May 2020, a series of phishing attacks were conducted on several Middle Eastern insurance firms. Attackers used Office 365, causing significant data loss and security breaches. So here’s what we learned from this: 

Reason 1: Microsoft’s security solution isn’t foolproof 

This is why simply relying on Microsoft’s integrated security solutions is not enough. External efforts must be made to protect your domain can be a huge mistake. 

Reason 2: You need to configure DMARC for Office 365 for protection against outbound attacks

While Office 365’s integrated security solutions can offer protection against inbound email threats and phishing attempts, you still need to ensure that outbound messages sent from your own domain are authenticated effectively before landing in the inboxes of your customers and partners. This is where DMARC for Office 365 steps in.

Reason 3: DMARC will help you monitor your email channels 

DMARC not only protects your domain against direct domain spoofing and phishing attacks. It also helps you monitor your email channels. Whether you are on an enforced policy like “reject/quarantine”, or on a more lenient policy like “none”, you can track your authentication results with DMARC reports. These reports are sent either to your email address or to a DMARC report analyzer tool. Monitoring ensures your legitimate emails are successfully delivered.

DMARC Reporting and Monitoring with PowerDMARC

PowerDMARC seamlessly integrates with Office 365 to empower domain owners with advanced authentication solutions that protect against sophisticated social engineering attacks like BEC and direct-domain spoofing. 

When you sign up with PowerDMARC you are signing up for a multi-tenant SaaS platform that not only assembles all email authentication best practices (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI) but also provides an extensive and in-depth dmarc reporting mechanism, that offers complete visibility into your email ecosystem. DMARC reports on the PowerDMARC dashboard are generated in two formats:

We have strived to make the authentication experience better for you by solving various industry problems. We ensure the encryption of your DMARC forensic reports as well as display aggregate reports in 7 different views for enhanced user experience and clarity. 

PowerDMARC helps you monitor email flow and authentication failures, and blacklist malicious IP addresses from all over the world. Our DMARC analyzer aids you in configuring DMARC correctly for your domain and shifting from monitoring to enforcement in no time. This can help you enable DMARC office 365 without worrying about the complexities involved.

Frequently Asked Questions

Is DMARC required for GDPR or other compliance frameworks?

DMARC isn’t explicitly required by GDPR or most compliance standards, but it supports data protection by preventing spoofing and unauthorized email use, helping meet broader security expectations.

Does DMARC work with Gmail and Yahoo email addresses?

DMARC protects your domain, not the inbox provider. However, major providers like Gmail and Yahoo enforce DMARC on incoming mail, making it essential for senders to pass authentication.

Can DMARC improve email open rates?

Indirectly, yes. Authenticated emails are less likely to be marked as spam or rejected, which means better inbox placement and increased chances of being opened.

Is there a cost to implementing DMARC?

Setting up DMARC is free if you manage your own DNS. However, you may choose paid tools or services to simplify monitoring, report analysis, and ongoing management.

Content Review and Fact-Checking Process

The information on the Office 365 DMARC setup process has been primarily sourced from official Microsoft documentation and practical experience. This documentation may be updated by Microsoft. The recommendations mentioned in the article, including the use of transport rules and gradual policy rollout, are based on industry best practices and real-world client experiences.

“`

Latest posts by Yunes Tarada (see all)
How to Flush DNS on Windows, Mac, Linux & BrowsersHow to flush DNSDMARC.-What-is-it-and-how-does-it-WorkDMARC.-What-is-it-and-how-does-it-WorkWhat Is DMARC? A Simple Guide to Email Protection