How to configure DMARC for Office 365? We have already configured SPF and DKIM, and we would like to set up DMARC for Office 365. DMARC is excellent for protecting the domain against abuse by phishers and spammers. In this article, we will look at how to configure DMARC for Office 365.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
DMARC policy options
The following three DMARC policies are available to publish:
| Policy | Value | Description |
|---|---|---|
| Monitoring | p=none | Used to collect feedback and gain visibility into email streams without impacting existing flows |
| Quarantine | p=quarantine | Allows email receivers to treat email that fails the DMARC check as suspicious and file it in a spam folder |
| Reject | p=reject | Requests that email receivers reject email that fails the DMARC check |
Create Office 365 DMARC record
To create a DMARC record, follow these steps:
- Go to MxToolBox DMARC Record Generator
- Enter the domain name
- Click Check DMARC Record
- Start with a policy of none
- Fill in the email address that will receive the DMARC reports
- Copy the suggested DMARC record
Important: Always start with the policy of none, which is reporting mode. After a couple of weeks of monitoring, when you are satisfied with the results, adjust the value to quarantine or reject.
Add Office 365 DMARC TXT record
Follow the below steps to add the DMARC TXT record for Office 365:
- Sign in to the domain’s registrar
- Open the domain DNS settings page
- Add the TXT record value which you copied in the previous step from the generator
In our example, the DMARC record looks like this:
| Name | TTL | Type | Value |
|---|---|---|---|
| _dmarc | 5 min. | TXT | v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; fo=1 |
The change can take up to 24 hours, but most of the time, this will resolve within 5-15 minutes.
Verify Office 365 DMARC record
The below two examples will show how to verify that DMARC is set up for Office 365.
DMARC check tool
Check that the DMARC record is successfully published by following the steps:
- Go to MxToolBox DMARC Check Tool
- Fill in the domain name
- Click DMARC Lookup
The DMARC record is published.
The only warning is that the DMARC policy is not set as Quarantine or Reject. However, you can ignore that warning because you filled in the policy None for monitoring purposes.
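A record value can also be linted offline before or after it is published. The following is an added example, not part of the original article or of any tool it mentions; the function names and the broken record are constructed for illustration, and the tag rules follow RFC 7489.

```python
# Added example: offline lint of a DMARC TXT value (tag rules per RFC 7489).
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def audit_dmarc(txt):
    """Return (level, message) findings; an empty list means nothing to flag."""
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return [("error", str(exc))]
    findings, tags = [], dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append(("error", "v=DMARC1 must be the first tag"))
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append(("error", "p must be none, quarantine or reject"))
    elif policy == "none":
        findings.append(("warn", "p=none is monitoring mode; no action on failures"))
    if "rua" not in tags:
        findings.append(("warn", "no rua address, so no aggregate reports arrive"))
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                findings.append(("error", f"{tag} entry is not a mailto: URI: {uri}"))
    if not set(tags.get("fo", "0").split(":")) <= {"0", "1", "d", "s"}:
        findings.append(("error", "fo accepts only 0, 1, d, s"))
    if "pct" in tags and not (tags["pct"].isdecimal() and int(tags["pct"]) <= 100):
        findings.append(("error", "pct must be an integer from 0 to 100"))
    return findings

# The record from this article, plus a constructed broken one for contrast.
ARTICLE_RECORD = ("v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org; "
                  "ruf=mailto:email@example.com; fo=1")
BROKEN_RECORD = "p=rejct; v=DMARC1; rua=postmaster@example.com; pct=150"  # constructed

if __name__ == "__main__":
    print(audit_dmarc(ARTICLE_RECORD), audit_dmarc(BROKEN_RECORD), sep="\n")
```

The article's record produces a single warning for p=none, which is expected during the monitoring period; the constructed record fails on tag order, policy spelling, the report address, and pct.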
Message header analyzer
Another excellent way to verify that DMARC is added is to send an email from an Office 365 organization mailbox to an external email address. After that, analyze the headers with Message Header Analyzer.
In our example, we sent an email from Amanda.Morgan@exoip.com to our private email address. The header shows dmarc=pass, which means that the DMARC policy is found in DNS, and action=none because that is the policy we set.
After a couple of weeks of monitoring, when you are satisfied with the results, change the policy from none to quarantine or reject.
You learned how to configure a DMARC record for Office 365. First, go to the MxToolbox DMARC Record Generator and create a DMARC record. After copying the DMARC record, sign in to the domain’s registrar and add the DMARC record as TXT. Finally, don’t forget to verify the DMARC record in MxToolBox or analyze the message in the Message Header Analyzer.