How to add DMARC in Office 365 / Microsoft
Written by Anthony Marshi
Updated over a week ago

If you use Microsoft 365 but you aren't using a custom domain (you use onmicrosoft.com), SPF is already set up for you and Microsoft 365 automatically generates a DKIM signature for your outgoing mail (for more information about this signature, see Default behavior for DKIM and Microsoft 365).

To set up DMARC for your organization, form the DMARC TXT record for the onmicrosoft.com domain (the record format is described in Step 4 below) and publish it through the admin center. The onmicrosoft.com zone is hosted by Microsoft, so it cannot be edited at a registrar; the only place to add the record is:

Office 365 Admin Center > Settings > Domains > click on the onmicrosoft.com domain > Add record.

If you have a custom domain or are using on-premises Exchange servers along with Microsoft 365, you need to manually set up DMARC for your outbound mail. Setting up DMARC for your custom domain includes these steps:

Step 1: Identify valid sources of mail for your domain

If you have already set up SPF, then you've already gone through this exercise. There are some further considerations for DMARC. When identifying sources of mail for your domain, answer these two questions:

  • What IP addresses send messages from my domain?

  • For mail sent from third parties on my behalf, will the 5321.MailFrom and 5322.From domains match?

Step 2: Set up SPF for your domain

Now that you have a list of all your valid senders you can follow the steps to Set up SPF to help prevent spoofing.

For example, assuming contoso.com sends mail from Exchange Online, an on-premises Exchange server whose IP address is 192.168.0.1, and a web application whose IP address is 192.168.100.100, the SPF TXT record would look like this:

contoso.com IN TXT "v=spf1 ip4:192.168.0.1 ip4:192.168.100.100 include:spf.protection.outlook.com -all"

The record must begin with v=spf1 immediately after the opening quote; a receiver ignores a TXT record that does not start with exactly that string, so a stray leading space silently disables SPF for the domain. Note also that the 192.168.x.x addresses are private placeholders in this example: list the public IP addresses that receiving servers actually see your servers connect from.

As a best practice, ensure that your SPF TXT record takes into account third-party senders, and keep the record within SPF's limit of 10 DNS lookups (include:, a, mx, ptr, exists and redirect terms, counted after following every include). A record that exceeds the limit evaluates to permerror and can never contribute an SPF pass to DMARC.
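To see what a receiving server does with the contoso.com record above, here is an added example that is not part of the original article and not Microsoft's code: a minimal SPF evaluator in Python supporting the ip4, ip6, include and all mechanisms the record uses. DNS lookups are replaced by a constructed in-memory table; the address ranges given for spf.protection.outlook.com are made-up samples rather than Microsoft's published ranges, and broken.example, loop.example and soft.example are hypothetical domains used to show a record with a leading space (ignored as not SPF), an include loop (permerror once the 10-lookup limit is hit) and a ~all softfail.

```python
# Added example, not Microsoft's code: a minimal SPF evaluator for records like the
# contoso.com one above. DNS lookups are replaced by a constructed in-memory table.
import ipaddress

# Constructed TXT answers. The spf.protection.outlook.com ranges are made-up samples,
# not Microsoft's published ones; the *.example names are hypothetical.
FAKE_TXT = {
    "contoso.com": ["v=spf1 ip4:192.168.0.1 ip4:192.168.100.100 "
                    "include:spf.protection.outlook.com -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    "broken.example": [" v=spf1 ip4:192.168.0.1 -all"],   # leading space: not an SPF record
    "loop.example": ["v=spf1 include:loop.example -all"],  # include loop: hits the lookup limit
    "soft.example": ["v=spf1 ip4:192.0.2.1 ~all"],         # ~all instead of -all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on include/a/mx/ptr/exists/redirect per evaluation


def spf_record(domain, txt=FAKE_TXT):
    """Return the domain's SPF record, or None if there is not exactly one record
    starting with 'v=spf1' (RFC 7208 section 4.5)."""
    found = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    return found[0] if len(found) == 1 else None


def check_spf(ip, domain, txt=FAKE_TXT, _lookups=None):
    """Evaluate sender IP against domain. Supports ip4, ip6, include and all;
    any other mechanism yields permerror so that a wrong 'pass' is never returned."""
    if _lookups is None:
        _lookups = [0]  # shared counter across the whole include tree
    record = spf_record(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, txt, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror", "temperror"):
                return "permerror"  # included domain has no usable record
            # fail/softfail/neutral inside an include: keep evaluating this record
        else:
            return "permerror"  # a, mx, ptr, exists, redirect: not implemented here
    return "neutral"  # no match and no 'all' term


if __name__ == "__main__":
    for ip, domain in [("192.168.0.1", "contoso.com"), ("203.0.113.7", "contoso.com"),
                       ("198.51.100.2", "contoso.com"), ("192.168.0.1", "broken.example"),
                       ("10.0.0.1", "loop.example"), ("198.51.100.2", "soft.example")]:
        print(f"{ip:>14} {domain:28} -> {check_spf(ip, domain)}")
```

Against a live zone you would replace FAKE_TXT with real TXT lookups; the structure stays the same, and the lookup counter is what tells you whether a record with many include: terms is still within the limit.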

Step 3: Set up DKIM for your custom domain

Once you've set up SPF, you need to set up DKIM. DKIM adds a digital signature to each message in a DKIM-Signature header, and the domain in that signature's d= tag is what DMARC compares with the 5322.From domain. If you don't set up DKIM and instead allow Microsoft 365 to use the default DKIM configuration for your domain, DMARC may fail. The default configuration signs with your original onmicrosoft.com domain rather than your custom domain, so the signature never aligns with the 5322.From address of mail sent from your custom domain. DMARC then passes only while the 5321.MailFrom domain matches the 5322.From domain and SPF passes; once a message is forwarded or relayed so that SPF no longer passes, there is no aligned DKIM signature to fall back on and DMARC fails.

If you have third-party senders that send mail on your behalf and the mail they send has mismatched 5321.MailFrom and 5322.From domains, SPF cannot align and DMARC will fail for that email. To avoid this, you need to set up DKIM for your domain specifically with that third-party sender, so that their messages carry a signature whose d= domain is yours. This allows Microsoft 365 to authenticate email from this third-party service. It also allows others, for example Yahoo, Gmail, and Comcast, to verify email sent to them by the third party as if it were email sent by you. This is beneficial because it allows your customers to build trust with your domain no matter where their mailbox is located, and at the same time Microsoft 365 won't mark a message as spam due to spoofing because it passes authentication checks for your domain.

For instructions on setting up DKIM for your domain, including how to set up DKIM for third-party senders so that the mail they send on your behalf carries a signature aligned with your domain, see Use DKIM to validate outbound email sent from your custom domain.

Step 4: Form the DMARC TXT record for your domain

Although there are other syntax options that aren't mentioned here, these are the most commonly used options for Microsoft 365. Form the DMARC TXT record for your domain in the format:

_dmarc.domain TTL IN TXT "v=DMARC1; p=policy; pct=100"

Where:

  • domain is the domain you want to protect. By default, the record protects mail from the domain and all subdomains: if you specify _dmarc.contoso.com, then DMARC protects mail from the domain and from subdomains such as housewares.contoso.com or plumbing.contoso.com (a separate sp= tag can give subdomains a different policy).

  • TTL should always be the equivalent of one hour. The unit used for TTL, either hours (1 hour), minutes (60 minutes), or seconds (3600 seconds), will vary depending on the registrar for your domain.

  • pct=100 indicates that this rule should be used for 100% of email. It is the default, so the examples below omit it; a lower value tells receivers to apply the policy to only that percentage of failing mail, which is useful while ramping up from none to quarantine or reject.

  • policy specifies what policy you want the receiving server to follow if DMARC fails. You can set the policy to none (deliver normally and only report), quarantine (treat the message as suspicious, typically by delivering it to Junk), or reject (refuse the message).

For information about which options to use, become familiar with the concepts in Best practices for implementing DMARC in Microsoft 365.

Examples:

  • Policy set to none

    _dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=none"

  • Policy set to quarantine

    _dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=quarantine"

  • Policy set to reject

    _dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=reject"

Once you've formed your record, publish it as a TXT record at _dmarc.<your domain> with the provider that hosts your domain's DNS (usually your registrar), then query the name to confirm the record resolves exactly as intended before moving from p=none to a stricter policy.
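To tie Steps 1 to 4 together, here is an added example that is not part of the original article and not Microsoft's code: the receiver-side evaluation that a published DMARC record feeds. It parses a record of the format shown in Step 4 (applying the RFC 7489 defaults for sp=, pct=, adkim= and aspf=), discovers the policy for a 5322.From domain, checks SPF and DKIM alignment, and returns the disposition. The DNS answers, the messages and the rua= mailbox are constructed; the organizational-domain helper uses a last-two-labels heuristic as a stated assumption, where a real receiver consults the Public Suffix List.

```python
# Added example, not Microsoft's code: the receiver-side DMARC evaluation that the
# record in Step 4 feeds. DNS answers and messages below are constructed.


def org_domain(domain):
    """Organizational domain. ASSUMPTION: last two labels; a real receiver uses the
    Public Suffix List so that names such as example.co.uk are handled correctly."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict with the RFC 7489 defaults applied."""
    if not txt.startswith("v=DMARC1"):  # version tag first, no leading whitespace
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= is required and must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return {
        "p": tags["p"],
        "sp": tags.get("sp", tags["p"]),  # subdomain policy defaults to p=
        "pct": pct,
        "adkim": tags.get("adkim", "r"),  # r = relaxed (organizational domain), s = strict
        "aspf": tags.get("aspf", "r"),
        "rua": tags.get("rua"),
    }


# Constructed DNS answers; the rua= mailbox is hypothetical.
FAKE_DNS = {
    "_dmarc.contoso.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@contoso.com",
}


def find_policy(from_domain, dns=FAKE_DNS):
    """Policy discovery: _dmarc.<From domain> first, then _dmarc.<organizational domain>.
    Returns (record, tag) where tag is 'p' or 'sp' depending on which governs the sender."""
    from_domain = from_domain.lower()
    if f"_dmarc.{from_domain}" in dns:
        return parse_dmarc(dns[f"_dmarc.{from_domain}"]), "p"
    org = org_domain(from_domain)
    if f"_dmarc.{org}" not in dns:
        return None, None
    return parse_dmarc(dns[f"_dmarc.{org}"]), "sp"


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment between an SPF/DKIM domain and the 5322.From domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(msg, dns=FAKE_DNS):
    """msg keys: from_domain (5322.From), mailfrom_domain (5321.MailFrom), spf_result,
    dkim_passes (d= domains of signatures that verified). Returns (result, disposition)."""
    rec, tag = find_policy(msg["from_domain"], dns)
    if rec is None:
        return "none", "none"  # nothing published, nothing to enforce
    spf_aligned = msg["spf_result"] == "pass" and aligned(
        msg["mailfrom_domain"], msg["from_domain"], rec["aspf"])
    dkim_aligned = any(aligned(d, msg["from_domain"], rec["adkim"]) for d in msg["dkim_passes"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", rec[tag]  # pct= sampling is ignored here (treated as 100)


def contoso_cases():
    """Constructed messages covering the situations described in Steps 1 to 3."""
    # Direct from Exchange Online: SPF is aligned, so the default onmicrosoft.com signature is harmless.
    direct = dict(from_domain="contoso.com", mailfrom_domain="contoso.com",
                  spf_result="pass", dkim_passes=["contoso.onmicrosoft.com"])
    # Same message after forwarding: SPF fails on the forwarder's IP and the default
    # d=contoso.onmicrosoft.com signature does not align, so p=reject is what is left.
    forwarded_default_dkim = dict(direct, spf_result="fail")
    # Same forward after Step 3: a d=contoso.com signature survives forwarding and aligns.
    forwarded_custom_dkim = dict(forwarded_default_dkim, dkim_passes=["contoso.com"])
    # Third party with its own bounce domain: SPF passes but is unaligned; a DKIM key
    # set up for that sender (d=contoso.com) is what makes DMARC pass.
    third_party = dict(from_domain="contoso.com", mailfrom_domain="bounce.vendor.example",
                       spf_result="pass", dkim_passes=["vendor.example", "contoso.com"])
    # Unauthenticated mail from a subdomain with no record of its own: sp=quarantine applies.
    subdomain = dict(from_domain="plumbing.contoso.com", mailfrom_domain="plumbing.contoso.com",
                     spf_result="fail", dkim_passes=[])
    cases = {"direct": direct, "forwarded_default_dkim": forwarded_default_dkim,
             "forwarded_custom_dkim": forwarded_custom_dkim, "third_party": third_party,
             "subdomain": subdomain}
    return {name: dmarc_verdict(m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, (result, disposition) in contoso_cases().items():
        print(f"{name:24s} dmarc={result:4s} disposition={disposition}")
```

The forwarded cases are the point of Step 3: with only the default onmicrosoft.com signature, every forwarded or relayed message ends up at p=reject, while a d=contoso.com signature keeps it passing. The third-party case shows why a sender using its own bounce domain needs a DKIM key for your domain rather than an SPF entry.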
