O365 – Easy Guide to Add DMARC

What is DMARC in O365?
Microsoft’s Office 365 (O365) supports DMARC (Domain-based Message Authentication, Reporting, and Conformance), an email authentication protocol that prevents spammers from using your domain to send fake emails that look like they come from your company. When spammers spoof your domain, it damages your domain’s reputation and hurts your email deliverability.
Starting Point: SPF and DKIM Setup
Before setting up DMARC, make sure your SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records are configured properly. For SPF, your DNS should include at least the tag:
v=spf1 mx include:spf.protection.outlook.com ?all
Both SPF and DKIM verify that emails are sent from authorized sources and haven’t been tampered with.
Understanding Inbound vs Outbound Emails in DMARC Context
Microsoft distinguishes between inbound and outbound email management:
- Inbound emails are managed mainly by IT Operations.
- Outbound emails are often sent by marketing, customer care, or other teams.
Both inbound and outbound emails require SPF, DKIM, and DMARC setup, but outbound emails often need additional attention, especially regarding subdomains and third-party vendor management.
Managing Third-Party Secure Email Gateways
Many O365 users employ third-party email gateways like ProofPoint, Cisco, Mimecast, etc., for added security. These gateways act as an extra inbound layer, requiring MX records to be updated to route mail through their infrastructure.
This setup means:
- SPF validation in O365 might fail for emails coming from these gateways, because O365 sees the gateway's IP as the connecting host rather than the original sender's, so whitelist rules are needed.
- DKIM signing should be configured on the gateway for outbound email, since an O365 DKIM signature can fail if the gateway modifies the message afterwards (for example by adding disclaimers).
Alternative: Consider newer gateway services like Greathorn, which use OAuth/API integration without needing MX record changes.
O365 remains the primary email server, simplifying your setup.
Step-by-Step Guide to Adding DMARC
Step 1: Create a DMARC TXT record at the _dmarc subdomain of your domain (e.g., _dmarc.yourdomain.com). Use tools like DMARC wizards or dashboards to generate your record. Start with a “monitoring” policy (p=none) to collect reports without blocking emails.
Step 2: Use a DMARC dashboard to read XML reports, which will appear a few days after publishing the record. This helps identify legitimate and failing emails so you can adjust policies accordingly.
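As an added example (not part of the original guide), the script below shows what a dashboard does with the XML aggregate reports from Step 2: it parses a constructed report and lists the sending IPs that would start being blocked once the policy moves beyond p=none. The report content, IPs (documentation ranges) and report id are all constructed values.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a DMARC aggregate (rua) report; not real data.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.20</source_ip><count>30</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""


def summarize_report(xml_text):
    """Group report rows by source IP and flag sources that fail DMARC outright.

    A message passes DMARC when either the aligned DKIM or the aligned SPF result
    in policy_evaluated is "pass". Sources failing both are what to investigate
    (an unlisted vendor, a gateway that broke the signature, or spoofing) before
    tightening the policy from p=none to quarantine or reject.
    """
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    sources = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        entry = sources.setdefault(ip, {"count": 0, "dmarc_pass": 0, "dmarc_fail": 0})
        entry["count"] += count
        if dkim == "pass" or spf == "pass":
            entry["dmarc_pass"] += count
        else:
            entry["dmarc_fail"] += count
    failing = sorted(ip for ip, e in sources.items() if e["dmarc_fail"])
    return {"policy": policy, "sources": sources, "would_be_blocked": failing}


if __name__ == "__main__":
    result = summarize_report(SAMPLE_REPORT)
    print(f"published policy: p={result['policy']}")
    for ip, e in result["sources"].items():
        print(f"{ip:>15}  total={e['count']:<4} pass={e['dmarc_pass']:<4} fail={e['dmarc_fail']}")
    print("investigate before tightening policy:", result["would_be_blocked"])
```

Real reports arrive as zipped or gzipped XML at the rua mailbox, so in practice the file is decompressed first and the same function is run over each report.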
Note: While O365 has extra considerations, the overall DMARC setup is as straightforward as with Gmail or other providers.
Final Tips
- Regularly review DMARC reports to monitor email authentication health.
- Gradually enforce stricter policies like quarantine or reject to block spoofed emails.
- Remember, SPF and DKIM must be in place and correctly configured for DMARC to work.