Set Up DMARC in Office 365

Don’t know how to set up DMARC in Office 365? Don’t worry! We’ve got you covered.

Phishing attacks have become increasingly common, with significant breaches occurring, such as the May 2020 attacks on several insurance firms in the Middle East. These attacks led to considerable data loss and security breaches, primarily targeting Office 365 users.

To prevent such threats, Microsoft now strongly recommends that all Office 365 users implement DMARC to enhance email security.

In this guide, we’ll walk you through the steps to set up DMARC for your Office 365 emails, whether you use online email routing addresses with Microsoft, have custom domains added in the admin center, or even have parked or inactive registered domains.

We will also explain why and how to prepare your DMARC record for Office 365.

Ready? Let’s get started!

3 Reasons Why You Should Set Up DMARC in Office 365

Office 365 includes robust anti-spam solutions and email security gateways, so you might wonder why DMARC is necessary for authentication. While these solutions protect against inbound phishing emails, they don’t address outbound phishing threats.

Here are three compelling reasons to set up DMARC in Office 365:

Reason #1: Improve Security for Microsoft 365 Emails

Microsoft’s integrated security solutions aren’t foolproof. They protect against inbound threats but leave a gap in outbound email security. Relying solely on built-in defenses can leave your domain vulnerable to phishing attacks and impersonation attempts. Implementing DMARC adds an essential layer of protection.

Reason #2: Protect Against Outbound Attacks

Office 365’s security features protect your incoming emails, but it is crucial to make sure your outgoing messages are authenticated. DMARC helps verify that emails sent from your domain are legitimate, reducing the risk of them being marked as spam or, worse, used in phishing attacks targeting your customers and partners.

Reason #3: Monitor and Improve Email Deliverability

DMARC does more than just protect against spoofing and phishing. It allows you to monitor your email channels. With DMARC reports, you can track the results of your email authentication and ensure that your legitimate messages reach their intended recipients. This monitoring is vital for maintaining effective communication and improving overall email deliverability.

Remember, DMARC relies on two commonly used email authentication methods, SPF and DKIM, to verify the authenticity of emails. By enforcing a DMARC policy in Office 365, you can significantly enhance protection against impersonation and spoofing attacks.

Prerequisite Before Setting Up DMARC in Office 365

Before you set up DMARC in Office 365, there are a few prerequisites to consider.

As per Microsoft’s documents:

  • For custom domains like example.com, you must manually configure SPF, DKIM, and DMARC. This ensures comprehensive email authentication for your domain.
  • For parked or inactive domains, you must specify that no emails should be sent from them. This prevents these domains from being exploited for spoofing and phishing attacks.
  • If you use a Microsoft Online Email Routing Address (MOERA) ending with onmicrosoft.com, SPF and DKIM are already configured. However, you will still need to create your DMARC records through the Microsoft 365 admin center.

3 Easy Methods to Set Up DMARC in Office 365 [Step-by-Step]

Before we proceed with the methods for setting up DMARC in Office 365, you need to prepare your DMARC TXT record for your domain. Here’s a breakdown of what a DMARC record looks like and how to set it up.

Understanding the Syntax of DMARC TXT Record

A DMARC record might look complex at first glance, but it consists of straightforward components. Here’s an example:

v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com

This record includes three key elements: the version (V), the policy (P), and the reporting address (RUA).

Version (V)

  • The “V” stands for version. Currently, there’s only one valid version of DMARC, so this value is always v=DMARC1.

Policy (P)

  • The “P” specifies the policy, telling email servers how to handle emails that fail authentication. There are three policy options:
    • none: The server does nothing if an email fails authentication. This option is useful during the initial monitoring phase.
    • quarantine: Emails that fail authentication are sent to the spam folder.
    • reject: Emails that fail authentication are not delivered at all. Use this option only after thoroughly analyzing DMARC reports.

NOTE: There is an additional optional tag in a DMARC record called “pct,” which you can use alongside the policy (p) tag. DMARC pct values range from 1 to 100, with 100 being the default if not specified. For instance, a record set to p=reject; pct=50 will reject 50% of failing emails, while the remaining 50% will be handled according to the next lower policy, which for p=reject is quarantine.

Reporting Address (RUA)

  • The “RUA” tag specifies the email address where DMARC reports should be sent. These reports help you monitor email authentication results and adjust your settings as needed.

What the Example DMARC Record Tells Us

v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com

This record instructs email servers to monitor emails without taking any action against those that fail authentication and to send reports to the specified email address.
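The semantics described above can be checked mechanically before a record is published. The following Python script is an added example and not code from the original article: it splits a DMARC TXT value into its tags, validates v, p, pct, rua and ruf, and states in plain language what a receiving server is asked to do, including the pct fallback to the next lower policy. The records it runs on are the ones from this guide plus a few constructed invalid ones; the validation rules follow RFC 7489, which allows pct from 0 to 100.

```python
import re
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")
# Messages that pct does NOT select are handled by the next lower policy.
FALLBACK_POLICY = {"reject": "quarantine", "quarantine": "none", "none": "none"}
# mailto: URI, optionally followed by a "!size" report-size limit.
MAILTO_RE = re.compile(r"^mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?$", re.IGNORECASE)


@dataclass
class DmarcRecord:
    policy: str = ""
    pct: int = 100
    rua: list = field(default_factory=list)     # aggregate report destinations
    ruf: list = field(default_factory=list)     # forensic (failure) report destinations
    errors: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors


def _split_tags(txt: str) -> list:
    """'v=DMARC1; p=none' -> [('v', 'DMARC1'), ('p', 'none')], order preserved."""
    pairs = []
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue                     # tolerate a trailing ';' as in 'p=reject;'
        key, sep, value = chunk.partition("=")
        pairs.append((key.strip().lower(), value.strip() if sep else None))
    return pairs


def _parse_uris(value: str, tag: str, rec: DmarcRecord) -> list:
    """rua/ruf carry a comma-separated list of mailto: URIs."""
    uris = [u.strip() for u in value.split(",") if u.strip()]
    for u in uris:
        if not MAILTO_RE.match(u):
            rec.errors.append(f"{tag}: '{u}' is not a mailto: address")
    return uris


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse and validate the tags this guide uses; problems land in rec.errors."""
    rec = DmarcRecord()
    pairs = _split_tags(txt)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        rec.errors.append("record must start with v=DMARC1")
    seen = {}
    for key, value in pairs:
        if value is None:
            rec.errors.append(f"tag '{key}' has no value")
            continue
        if key in seen:
            rec.errors.append(f"tag '{key}' appears more than once")
        seen[key] = value
    if "p" not in seen:
        rec.errors.append("policy tag p= is required")
    elif seen["p"].lower() not in VALID_POLICIES:
        rec.errors.append(f"p={seen['p']} is not one of none/quarantine/reject")
    else:
        rec.policy = seen["p"].lower()
    if "pct" in seen:
        if not seen["pct"].isdigit() or not 0 <= int(seen["pct"]) <= 100:
            rec.errors.append(f"pct={seen['pct']} must be an integer from 0 to 100")
        else:
            rec.pct = int(seen["pct"])
    if "rua" in seen:
        rec.rua = _parse_uris(seen["rua"], "rua", rec)
    if "ruf" in seen:
        rec.ruf = _parse_uris(seen["ruf"], "ruf", rec)
    return rec


def describe(rec: DmarcRecord) -> str:
    """Plain-language statement of what a receiving server is asked to do."""
    if not rec.valid:
        return "invalid record: " + "; ".join(rec.errors)
    actions = {
        "none": "deliver messages that fail DMARC normally (monitor only)",
        "quarantine": "send messages that fail DMARC to spam/junk",
        "reject": "refuse messages that fail DMARC",
    }
    text = actions[rec.policy]
    if rec.pct < 100:
        fallback = FALLBACK_POLICY[rec.policy]
        text = (f"for {rec.pct}% of failing messages, {actions[rec.policy]}; "
                f"for the remaining {100 - rec.pct}%, {actions[fallback]}")
    text += ("; send aggregate reports to " + ", ".join(rec.rua)) if rec.rua \
        else "; no aggregate reports requested"
    if rec.ruf:
        text += "; send forensic reports to " + ", ".join(rec.ruf)
    return text


if __name__ == "__main__":
    # Records from this guide plus constructed invalid ones.
    for record in ("v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com",
                   "v=DMARC1; p=reject; pct=50",
                   "v=DMARC1; p=reject;",
                   "p=none; v=DMARC1",
                   "v=DMARC1; p=block"):
        print(record, "->", describe(parse_dmarc(record)))
```

Run it against the TXT value you intend to publish; an empty `errors` list and a description that matches your intent is the check, since a typo in the policy tag makes receivers ignore the record entirely rather than fail safe.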

Now, depending on your domain, you can proceed with any of the following methods.

Method #1: Set Up DMARC in Office 365 for *.onmicrosoft.com Domains

To add your Office 365 DMARC record for MOERA (Microsoft Online Email Routing Address) domains, follow these steps:

Step #1: Access the Microsoft 365 Admin Center

  • Go to the Microsoft 365 admin center at https://admin.microsoft.com.
  • Select “Show all” > “Settings” > “Domains” to open the Domains page.

Step #2: Select Your Domain

  • On the Domains page, locate and select your *.onmicrosoft.com domain from the list. Click anywhere in the row except the checkbox next to the domain name.

Step #3: Open DNS Records Tab

  • On the domain details page that opens, click on the “DNS records” tab.

Step #4: Add a New DNS Record

  • On the DNS records tab, select “Add record”.

Step #5: Configure DMARC Settings

  • In the “Add a custom DNS record” flyout that opens, configure the following settings:
    • Type: Ensure “TXT (Text)” is selected.
    • TXT name: Enter “_dmarc”.
    • TXT value: Enter “v=DMARC1; p=reject”.
    • TTL: Ensure “1 hour” is selected.

Pro Tip: To specify destinations for the DMARC aggregate and forensic reports, use “v=DMARC1; p=reject; rua=mailto:<emailaddress>; ruf=mailto:<emailaddress>”. For example, “v=DMARC1; p=reject; rua=mailto:<mailbox>@contoso.onmicrosoft.com; ruf=mailto:<mailbox>@contoso.onmicrosoft.com”, where <mailbox> is a placeholder for the reporting mailbox you choose. DMARC reporting vendors in the MISA Catalog can help you view and interpret DMARC results.

Step #6: Save Your Record

  • After entering all the necessary information, select “Save” to add the new DNS record.

Method #2: Set Up DMARC in Office 365 for a Custom Domain

Before you configure DMARC for a custom domain or subdomain in Office 365, make sure you have created SPF TXT records and configured DKIM signing for all custom domains and subdomains used to send emails.

We recommend a gradual approach to setting up DMARC to avoid legitimate emails being rejected due to unintentional DMARC failures. Your ultimate goal should be to achieve a “p=reject” DMARC policy for all custom domains and subdomains.

Start with a domain or subdomain with low email volume or fewer potential email sources to minimize the chance of blocking legitimate emails from unknown sources. 

Begin with a “p=none” DMARC policy and monitor the results to see how much of your legitimate mail traffic is covered by DMARC and to troubleshoot any issues. This will also reveal the number of fraudulent messages and their sources.

To configure DMARC in Office 365 for custom domains, follow the steps below:

Step #1: Start with a ‘p=none’ DMARC Policy

  • DMARC TXT record for the example domain:
    • Hostname: _dmarc
    • TXT value: v=DMARC1; p=none; pct=100; rua=mailto:<mailbox>@example.com; ruf=mailto:<mailbox>@example.com (<mailbox> is a placeholder for your reporting address)
  • Monitor the DMARC Aggregate and Forensic reports to understand the sources of messages that pass and fail DMARC checks.

Step #2: Increase to ‘p=quarantine’ DMARC Policy

  • After monitoring the effects of the “p=none” policy, increase the DMARC policy to “p=quarantine”.
  • DMARC TXT record for the example domain:
    • Hostname: _dmarc
    • TXT value: v=DMARC1; p=quarantine; pct=100; rua=mailto:<mailbox>@example.com; ruf=mailto:<mailbox>@example.com (<mailbox> is a placeholder for your reporting address)
  • Use the “pct=” value to gradually affect more messages in increments such as pct=10, pct=25, pct=50, pct=75, and pct=100.

Step #3: Move to ‘p=reject’ DMARC Policy

  • After monitoring the effects of the “p=quarantine” policy, increase the DMARC policy to “p=reject”.
  • DMARC TXT record for the example domain:
    • Hostname: _dmarc
    • TXT value: v=DMARC1; p=reject; pct=100; rua=mailto:<mailbox>@example.com; ruf=mailto:<mailbox>@example.com (<mailbox> is a placeholder for your reporting address)
  • Gradually increase the “pct=” value as you verify the results.

Repeat these steps for the remaining subdomains with increasing volume and complexity, saving the parent domain for last. Remember, subdomains inherit the DMARC TXT record settings of the parent domain unless overridden by a separate DMARC TXT record in the subdomain.

Once DMARC is effectively set up for the parent domain and all subdomains, you can remove the DMARC TXT records in the subdomains and rely on the single DMARC TXT record in the parent domain.
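The staged rollout in Method #2, the subdomain inheritance rule just stated, and the reporting-free record used for parked domains in Method #3 below can all be expressed as a small planning script. The following Python code is an added example, not code from the original article or from Microsoft: it generates the `_dmarc` TXT value for each stage (p=none, then p=quarantine and p=reject with rising pct), orders domains so low-volume subdomains go first and the parent domain last, reports which published record a receiver would apply to a given subdomain, and performs the final consolidation onto the parent record. The domain names, sending volumes and the `dmarc-reports@example.com` mailbox are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

POLICIES = ("none", "quarantine", "reject")
PCT_STEPS = (10, 25, 50, 75, 100)

# Stages in the order the guide applies them: monitor first, then quarantine
# in growing pct increments, then reject in growing pct increments.
STAGES: List[Tuple[str, int]] = [("none", 100)]
STAGES += [("quarantine", pct) for pct in PCT_STEPS]
STAGES += [("reject", pct) for pct in PCT_STEPS]


def dmarc_txt(policy: str, pct: int = 100, report_mailbox: Optional[str] = None) -> str:
    """TXT value for the _dmarc host at one stage.

    report_mailbox=None yields the parked-domain form, which requests no reports.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if not 0 <= pct <= 100:
        raise ValueError(f"pct must be 0..100, got {pct}")
    value = f"v=DMARC1; p={policy}; pct={pct}"
    if report_mailbox:
        value += f"; rua=mailto:{report_mailbox}; ruf=mailto:{report_mailbox}"
    return value


def next_stage(current: Tuple[str, int]) -> Optional[Tuple[str, int]]:
    """The stage after `current`, or None once p=reject; pct=100 is reached."""
    i = STAGES.index(current)
    return STAGES[i + 1] if i + 1 < len(STAGES) else None


def rollout_order(monthly_volume: Dict[str, int], org_domain: str) -> List[str]:
    """Lowest-volume subdomains first, the parent (organizational) domain last."""
    subs = [d for d in monthly_volume if d != org_domain]
    subs.sort(key=lambda d: (monthly_volume[d], d))
    return subs + [org_domain]


def governing_record(domain: str, published: Dict[str, str], org_domain: str) -> Optional[str]:
    """Name whose _dmarc record a receiver applies to mail from `domain`.

    Receivers query _dmarc.<domain> first; a subdomain without its own record
    inherits _dmarc.<org_domain>. With neither published, no DMARC policy applies.
    """
    if domain in published:
        return domain
    if domain.endswith("." + org_domain) and org_domain in published:
        return org_domain
    return None


def consolidate(published: Dict[str, str], org_domain: str) -> Dict[str, str]:
    """Drop subdomain records once every one of them matches the parent's record.

    This is the final step of Method #2: one record on the parent domain then
    covers every subdomain that does not override it.
    """
    parent = published.get(org_domain)
    subs = [d for d in published if d != org_domain]
    if parent is None or any(published[d] != parent for d in subs):
        return dict(published)           # rollout not finished: keep every record
    return {org_domain: parent}


if __name__ == "__main__":
    # Constructed sample data: monthly sending volume per domain.
    volume = {"example.com": 50_000, "mail.example.com": 12_000, "newsletter.example.com": 3_000}
    mailbox = "dmarc-reports@example.com"        # placeholder reporting address
    for d in rollout_order(volume, "example.com"):
        print(d)
        for policy, pct in STAGES:
            print("   ", dmarc_txt(policy, pct, mailbox))
    # Mid-rollout snapshot: the smallest subdomain is already at reject,
    # the parent is still monitoring, mail.example.com has no record of its own.
    published = {"newsletter.example.com": dmarc_txt("reject", 100, mailbox),
                 "example.com": dmarc_txt("none", 100, mailbox)}
    for d in volume:
        print(d, "is governed by", governing_record(d, published, "example.com"))
    print("parked domain record:", dmarc_txt("reject"))
```

The mid-rollout snapshot is the case to watch: `mail.example.com` has no record of its own, so it silently inherits the parent's `p=none` until either it gets its own `_dmarc` record or the parent reaches `p=reject`, which is why the guide saves the parent domain for last.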

Method #3: Set Up DMARC in Office 365 for Parked Domains

For parked domains, which are inactive domains that don’t send emails, you should prevent them from being used for spoofing and phishing attacks. Follow these steps to set up DMARC in Office 365 for parked domains:

Step #1: Create SPF TXT Record for Parked Domains

  • Refer to Microsoft’s guidelines on creating SPF TXT records for parked domains that don’t send mail. Avoid setting up DKIM CNAME records for parked domains, as they are not recommended.

Step #2: Create a DMARC TXT Record

  • Log in to your domain registrar’s control panel.
  • Navigate to the DNS settings for the parked domain.
  • Add a DMARC TXT Record:
    • Hostname: _dmarc
    • TXT value: v=DMARC1; p=reject;
  • Note that you don’t need to include the pct= value because the default is pct=100.

Step #3: Omit Unnecessary Values

  • Since no valid emails should originate from a parked domain, you don’t need to include rua=mailto: or ruf=mailto: values in the DMARC TXT record.

IMPORTANT NOTE: If you don’t use the *.onmicrosoft.com domain to send mail, you still need to add a DMARC TXT record for this domain as well.

That’s it! If all goes well, your DMARC record should now be set up in Office 365.


Final Thoughts

To secure your emails from phishing and spoofing, you need to configure DMARC in Office 365. First, understand the DMARC record’s syntax, then configure it for your domain in stages.

For Office 365 users, you have to create and adjust the DMARC records gradually. Start with a policy of p=none to monitor email traffic and identify potential issues. Gradually shift to p=quarantine and then p=reject as you fine-tune your settings and gain confidence in your DMARC implementation.

Remember, you must set up SPF, DKIM, and MX records before you create and configure your DMARC record. Additionally, if you’re using a new email address or domain, it’s important to warm it up gradually. Failing to do so can result in your emails being marked as spam.

If you need any help regarding setting up SPF, DKIM, and DMARC, feel free to contact us for expert assistance. Our team of experts is always ready to help you regarding all your email related issues.