
Configure DMARC record for Microsoft 365

Your organization has already set up SPF and DKIM, so the last step is configuring the DMARC record. It’s the ultimate combination to protect your domain against spam and phishing attacks. In this article, you will learn how to configure the DMARC record for a Microsoft 365 domain.

What are SPF, DKIM, and DMARC?

DMARC, DKIM, and SPF are three email authentication methods. Together they help to prevent spammers, phishers, and other unauthorized parties from sending emails on behalf of a domain they do not own.

  1. Configure SPF record for Microsoft 365
  2. Configure DKIM record for Microsoft 365
  3. Configure DMARC record for Microsoft 365 (this article)

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an email authentication protocol that plays an important role with SPF and DKIM. With DMARC, you can improve your email deliverability and security.

DMARC Policy and Report

Once SPF and DKIM are in place, you can publish a DMARC policy in your DNS record. The DMARC policy specifies what actions the email receivers should take if an incoming email fails SPF or DKIM checks.

The DMARC policy has three different modes you can set:

  • None (monitoring mode) – The domain owner receives reports about failed authentication attempts but doesn’t instruct email receivers to take any specific action.
  • Quarantine – The email receiver should treat emails that fail authentication as suspicious and deliver them to the recipient’s spam or quarantine folder.
  • Reject – The email receiver should reject and not deliver emails that fail authentication.

DMARC also provides detailed reports on email authentication results to domain owners. The report indicates whether emails were successfully authenticated, failed, or not authenticated. The DMARC report is important because it shows when legitimate emails are failing SPF and DKIM, or when a spammer is trying to send email that poses as legitimate mail from your domain.

Configure DMARC in Microsoft 365

You need to create a DMARC record with a tool. Then copy and add the DMARC TXT record to the DNS.

1. Create DMARC record in Microsoft 365

To create a DMARC record, follow these steps:

  1. Go to MxToolBox DMARC Record Generator
  2. Type the Domain Name
  3. Click Check DMARC Record

How to create a DMARC record:

  1. Select None
  2. Type the email address that will receive the DMARC reports
  3. Type the email address that will receive the DMARC reports again
  4. Select No
  5. Copy the suggested DMARC record

Note: You need to add an email address that will receive the DMARC reports.

2. Add DMARC TXT record for Microsoft 365 to DNS

After we create the DMARC record, we must add the DMARC TXT record to our public DNS server. In our example, we need to add the below information.

Type: TXT
Host/Name: _DMARC.m365info.com
Value: v=DMARC1; p=none; rua=mailto:dmarc@m365info.com; ruf=mailto:dmarc@m365info.com; fo=1

To add the Microsoft 365 DMARC TXT record, follow the below steps:

  1. Sign into your provider (Cloudflare)
  2. Go to DNS records
  3. Add TXT
  4. Type hostname: _dmarc
  5. Add the DMARC TXT record value, which you copied in the previous step from the generator

Add the DMARC record just as in the below screenshot.

Note: It can take up to 24 hours to complete the DMARC changes, but most of the time, it will resolve within 15 minutes.

Verify DMARC TXT record

To verify that the DMARC record is set up correctly for Microsoft 365, we will use different methods. The MxToolBox and Dmarcian tests only show whether you published the DMARC record correctly in your DNS. They do not confirm that DMARC authentication is applied when you send emails. Therefore, you also need to send a test mail and analyze the message header.

Check DMARC with MxToolbox

To check the DMARC record, follow these steps:

  1. Go to MxToolBox DMARC Check Tool
  2. Fill in the Domain Name
  3. Click DMARC Lookup

  1. The DMARC record result is green, which means it’s published successfully
  2. There is a warning for DMARC policy because it’s not set as Quarantine or Reject

The result is correct because we set the DMARC policy as None for monitoring purposes
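The same two findings (valid record, warning for p=none) can be reproduced offline. The following is an added example, not part of the original article or of MxToolBox; the function names and the exact set of checks are assumptions chosen for illustration.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT value into a tag -> value dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> list:
    """Return (severity, message) findings for a DMARC record; empty list means clean."""
    # The version tag must come first, otherwise receivers ignore the record
    if record.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return [("error", "record must start with v=DMARC1")]
    findings = []
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(("error", f"invalid or missing p= tag: {policy!r}"))
    elif policy == "none":
        findings.append(("warning", "p=none only monitors; receivers take no action on failing mail"))
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri, re.I):
                findings.append(("error", f"{tag} is not a mailto: URI: {uri!r}"))
    if "rua" not in tags:
        findings.append(("warning", "no rua= address, so no aggregate reports will arrive"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(("error", f"pct must be 0-100, got {pct!r}"))
    elif int(pct) < 100 and policy != "none":
        findings.append(("warning", f"policy applies to only {pct}% of failing mail"))
    return findings

# The record published in this article, and the same record after enforcement
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@m365info.com; ruf=mailto:dmarc@m365info.com; fo=1"
ENFORCED = MONITOR.replace("p=none", "p=reject")

if __name__ == "__main__":
    for rec in (MONITOR, ENFORCED):
        print(rec, "->", check_dmarc(rec) or "no findings")
```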


Note: If you are satisfied with the DMARC results after a month, you can change the policy from none to quarantine or reject.

  1. Go to your DNS provider and change the policy from p=none to p=reject or p=quarantine
  2. Then test the DMARC record in MxToolBox again

In our example, the DMARC policy is enabled, and it’s changed to p=reject.


You configured the DMARC record correctly!

Check DMARC with Dmarcian

Check your DMARC record with Dmarcian DMARC Record Checker:

  1. Enter your domain
  2. Click Inspect The Domain

Scroll down to see the results and information about the DMARC record.

  1. It shows the DMARC record is valid, and the DMARC policy is set to p=reject

Check DMARC with Gmail

Another way to verify that DMARC is added successfully is by sending a test email from a Microsoft 365 organization mailbox to an external email (Gmail).

In our example, we sent an email from Amanda.Hansen@m365info.com to an external email address, bob.green@gmail.com.

Go to the recipient’s Gmail inbox to view the original email header:

  1. Open the email
  2. Click the three dots
  3. Click Show original

  1. The information about DMARC shows PASS

When DMARC fails the test, the Gmail original message doesn’t show a failed result but removes the entire DMARC row. So when you can’t find DMARC in the original message, it means you did not set it up, or it’s incorrectly configured.
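The same check can be scripted against the raw message text. This is an added example, not part of the original article: it reads the Authentication-Results header and reports the missing-row case described above. The sample message is constructed, and the function names and the trusted receiver name are assumptions.

```python
import re
from email import message_from_string

# Constructed message in the style of what Gmail shows under "Show original"
SAMPLE = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@m365info.com header.s=selector1;
       spf=pass (google.com: domain of amanda.hansen@m365info.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=Amanda.Hansen@m365info.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=m365info.com
From: Amanda.Hansen@m365info.com
To: bob.green@gmail.com
Subject: DMARC test

test
"""

def auth_results(raw_message: str, trusted: str = "mx.google.com") -> dict:
    """Return the spf/dkim/dmarc results; None means that row is absent."""
    msg = message_from_string(raw_message)
    results = {"spf": None, "dkim": None, "dmarc": None}
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(header.split())                # undo header folding
        no_comments = re.sub(r"\([^()]*\)", "", unfolded)  # drop (comments)
        authserv, _, rest = no_comments.partition(";")
        # Only trust the header stamped by the receiving server itself;
        # a sender can put its own Authentication-Results header in a message.
        if authserv.strip().lower() != trusted:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(\w+)\s*=\s*(\w+)", clause)
            if m and m.group(1).lower() in results:
                results[m.group(1).lower()] = m.group(2).lower()
    return results

def dmarc_verdict(raw_message: str) -> str:
    """Summarize the DMARC outcome, treating a missing row as a setup problem."""
    dmarc = auth_results(raw_message)["dmarc"]
    if dmarc is None:
        return "no dmarc row: record missing or misconfigured"
    return f"dmarc={dmarc}"

if __name__ == "__main__":
    print(auth_results(SAMPLE), dmarc_verdict(SAMPLE))
```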


Check DMARC with CheckTLS

Test your DMARC authentication in the message header with the CheckTLS tool:

  1. Go to CheckTLS
  2. Click on Select Extra Items to Show
  3. Select DMARC Info
  4. Click Start Listener

In our example, we will send an email from Amanda.Hansen@m365info.com.

Follow these steps to send a test email:

  1. Copy and paste the address to test@TestSender.CheckTLS.com
  2. Copy and paste the passcode in the subject of the email
  3. Type DMARC in the message

  1. Create a new email with the required information
  2. Send the test email

After you send the email, you need to check your inbox because you will get an email from CheckTLS.

  1. Open the email from CheckTLS to see the report
  2. The results show DMARC_result: pass, which means the email was sent successfully

Also, check which DMARC policy you published: DMARC_published.p: reject. In our example, we changed it from p=none to p=reject in our DNS. The results should not be p: none, because that means you did not implement DMARC completely.


Frequently Asked Questions (FAQ)

Do I need to set up DMARC?

Yes, it’s important to set up DMARC to protect your domain. It requires configuring a valid SPF and DKIM because these authentication methods can distinguish legitimate emails from fake ones.

What is a DMARC record?

A DMARC record is a DNS (Domain Name System) TXT record you publish at your DNS hosting provider. The DMARC record contains information about the domain’s DMARC policy. It specifies what actions the email receivers should take if an incoming email fails SPF or DKIM checks.

Is DMARC the only required email authentication method to set up?

DMARC is only a part of the three email authentication methods. Every organization should implement the mail security standards SPF, DKIM, and DMARC.

Conclusion

You learned how to configure the DMARC record for Microsoft 365. Create a DMARC record with the MxToolbox DMARC Record Generator. Then copy the DMARC record, and add the DMARC TXT record into your DNS. Verify you published a valid DMARC record by performing a DMARC test in MxToolBox or Dmarcian. Also, check the DMARC authentication in the message header by sending a test email with CheckTLS.


o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
