
Configure DMARC record for Office 365

How to configure DMARC for Office 365? We have already configured SPF and DKIM, and we would like to set up DMARC for Office 365. DMARC is excellent for protecting the domain against abuse by phishers and spammers. In this article, we will look at how to configure DMARC for Office 365.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

DMARC policy options

The following three DMARC policies are available to publish:

Option       Policy         Description
------       ------         -----------
Monitoring   p=none         Used to collect feedback and gain visibility into email streams without impacting existing flows
Quarantine   p=quarantine   Allows email receivers to treat email that fails the DMARC check as suspicious and file it in a spam folder
Reject       p=reject       Requests that email receivers reject email that fails the DMARC check

Create Office 365 DMARC record

To create a DMARC record, follow these steps:

  • Start with a policy of none
  • Fill in the email address that will receive the DMARC reports
  • Copy the suggested DMARC record

Important: Always start with the policy of none, which is reporting mode. After a couple of weeks of monitoring, when you are satisfied with the results, adjust the value to quarantine or reject.


Add Office 365 DMARC TXT record

Follow the below steps to add the DMARC TXT record for Office 365:

  • Sign in to the domain’s registrar
  • Open the domain DNS settings page
  • Add the TXT record value which you copied in the previous step from the generator

In our example, the DMARC record looks like this:

Name     TTL      Type   Value
----     ---      ----   -----
_dmarc   5 min.   TXT    v=DMARC1; p=none; rua=mailto:dmarc@exoip.com; ruf=mailto:dmarc@exoip.com; fo=1

The change can take up to 24 hours, but most of the time, this will resolve within 5-15 minutes.

Verify Office 365 DMARC record

The below two examples will show how to verify that DMARC is set up for Office 365.

DMARC check tool

Check that the DMARC record is successfully published by following the steps:


The DMARC record is published.

The only warning is that the DMARC policy is not set as Quarantine or Reject. However, you can ignore that warning because you filled in the policy None for monitoring purposes.


Message header analyzer

Another excellent way to verify that DMARC is added is to send an email from an Office 365 organization mailbox to an external email address. After that, analyze the headers with Message Header Analyzer.

In our example, we sent an email from Amanda.Morgan@exoip.com to our private email address. The header shows dmarc=pass, which means that the DMARC policy is found in DNS, and action=none because that is the policy we set.

After a couple of weeks of monitoring, when you are satisfied with the results, change the policy from none to quarantine or reject.


Conclusion

You learned how to configure a DMARC record for Office 365. First, go to the MxToolbox DMARC Record Generator and create a DMARC record. After copying the DMARC record, sign in to the domain’s registrar and add the DMARC record as TXT. Finally, don’t forget to verify the DMARC record in MxToolBox or analyze the message in the Message Header Analyzer.


ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 2 Comments

  1. Hi Ali,

    may I ask you something?
    I configured SPF, DKIM and DMARC for my organization.

    But when sending from Office365 to an external mail like hotmail I get these authentication results:

    dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=domainname.com;

    I’m sure that SPF and DKIM and DMARC are configured correctly; other portals give me no errors when checking online.

    Do you know what could be wrong here?

    Appreciate your help, thank you.
