How to configure DMARC for Office 365? We have already configured SPF and DKIM, and we would like to set up DMARC for Office 365. DMARC is excellent for protecting the domain against abuse by phishers and spammers. In this article, we will look at how to configure DMARC for Office 365.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

DMARC policy options

The following three DMARC policies are available to publish:

Option       Policy         Description
------       ------         -----------
Monitoring   p=none         Used to collect feedback and gain visibility into email streams without impacting existing flows
Quarantine   p=quarantine   Allows email receivers to treat email that fails the DMARC check as suspicious and file it in a spam folder
Reject       p=reject       Requests that email receivers reject email that fails the DMARC check

Create Office 365 DMARC record

To create a DMARC record, follow these steps:

  • Start with a policy of none
  • Fill in the email address that will receive the DMARC reports
  • Copy the suggested DMARC record

Important: Always start with the policy of none, which is reporting mode. After a couple of weeks of monitoring, once you are satisfied with the results, adjust the value to quarantine or reject.

Add Office 365 DMARC TXT record

Follow the below steps to add the DMARC TXT record for Office 365:

  • Sign in to the domain’s registrar
  • Open the domain DNS settings page
  • Add the TXT record value which you copied in the previous step from the generator

In our example, the DMARC record looks like this:

Name     TTL      Type   Value
----     ---      ----   -----
_dmarc   5 min.   TXT    v=DMARC1; p=none;;; fo=1

The change can take up to 24 hours, but most of the time, this will resolve within 5-15 minutes.

Verify Office 365 DMARC record

The below two examples will show how to verify that DMARC is set up for Office 365.

DMARC check tool

Check that the DMARC record is successfully published by following the steps:

The DMARC record is published.

The only warning is that the DMARC policy is not set as Quarantine or Reject. However, you can ignore that warning because you filled in the policy None for monitoring purposes.
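The same checks can be run offline against the record text before it is published. The following is an added example, not part of the original article or of any checker tool: the function names are hypothetical, and the sample records use constructed `example.com` report addresses.

```python
# Added example: offline sanity check of a DMARC TXT value.
# Function names and sample records are assumptions made for illustration.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:  # tolerate trailing or doubled semicolons
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return (errors, warnings) for one DMARC record string."""
    errors, warnings = [], []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)], warnings
    names = list(tags)
    # The version tag has to come first and is case-sensitive.
    if not names or names[0] != "v" or tags["v"] != "DMARC1":
        errors.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        errors.append("p must be none, quarantine or reject")
    elif policy == "none":
        warnings.append("policy is none: monitoring only")
    if "rua" not in tags:
        warnings.append("no rua tag: aggregate reports will not be sent")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                errors.append(f"rua URI should be mailto: {uri.strip()!r}")
    return errors, warnings

# Constructed sample records (not taken from a real domain).
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; fo=1",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "broken": "p=quarantine; v=DMARC1",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, check_dmarc(rec))
```

The monitoring sample produces the same single warning described above, and it clears once the policy is changed to quarantine or reject.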

Message header analyzer

Another excellent way to verify that DMARC is added is to send an email from an Office 365 organization mailbox to an external email address. After that, analyze the headers with Message Header Analyzer.

In our example, we sent an email from to our private email address. The header shows dmarc=pass, which means that the DMARC policy is found in DNS, and action=none because that is the policy we set.

After a couple of weeks of monitoring, once you are satisfied with the results, change the policy from none to quarantine or reject.
