Configure DMARC record for Microsoft 365 (2024)

Your organization has already set up SPF and DKIM, so the last step is configuring the DMARC record. Together, the three are the ultimate combination to protect your domain against spam and phishing attacks. In this article, you will learn how to configure the DMARC record for a Microsoft 365 domain.

Table of contents

  • What are SPF, DKIM, and DMARC?
  • What is DMARC?
    • DMARC Policy and Report
  • Configure DMARC in Microsoft 365
    • 1. Create DMARC record in Microsoft 365
    • 2. Add DMARC TXT record for Microsoft 365 to DNS
  • Verify DMARC TXT record
    • Check DMARC with MxToolbox
    • Check DMARC with Dmarcian
    • Check DMARC with Gmail
    • Check DMARC with CheckTLS
  • Frequently Asked Questions (FAQ)
  • Conclusion

What are SPF, DKIM, and DMARC?

DMARC, DKIM, and SPF are three email authentication methods. Together they help to prevent spammers, phishers, and other unauthorized parties from sending emails on behalf of a domain they do not own.

  1. Configure SPF record for Microsoft 365
  2. Configure DKIM record for Microsoft 365
  3. Configure DMARC record for Microsoft 365 (this article)

Note: Remember to add DKIM and DMARC for the onmicrosoft.com domain in Microsoft 365 to protect the domain from spoofing, whether you use it or not.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an email authentication protocol that plays an important role with SPF and DKIM. With DMARC, you can improve your email deliverability and security.

DMARC Policy and Report

Once SPF and DKIM are in place, you can publish a DMARC policy in your DNS record. The DMARC policy specifies what actions the email receivers should take if an incoming email fails SPF or DKIM checks.

The DMARC policy has three different modes you can set:

  • None (monitoring mode) – The domain owner receives reports about failed authentication attempts but doesn’t instruct email receivers to take any specific action.
  • Quarantine – The email receiver should treat emails that fail authentication as suspicious and deliver them to the recipient’s spam or quarantine folder.
  • Reject – The email receiver should reject and not deliver emails that fail authentication.

DMARC also provides detailed reports on email authentication results to domain owners. The report indicates whether emails were successfully authenticated, failed, or not authenticated. The DMARC report is important, as it can tell you when legitimate emails are failing SPF and DKIM or when a spammer is trying to send email that looks like it comes from your domain.

Configure DMARC in Microsoft 365

You need to create a DMARC record with a tool. Then copy and add the DMARC TXT record to the DNS.

1. Create DMARC record in Microsoft 365

To create a DMARC record, follow these steps:

  1. Go to MxToolBox DMARC Record Generator
  2. Type the Domain Name
  3. Click Check DMARC Record

How to create a DMARC record:

  1. Select None
  2. Type the email address that will receive the DMARC reports
  3. Type the email address that will receive the DMARC reports again
  4. Select No
  5. Copy the suggested DMARC record

Note: You need to add an email address that will receive the DMARC reports.


2. Add DMARC TXT record for Microsoft 365 to DNS

After we create the DMARC record, we must add the DMARC TXT record to our public DNS server. In our example, we need to add the below information.

Type: TXT
Host/Name: _DMARC.m365info.com
Value: v=DMARC1; p=none; rua=mailto:dmarc@m365info.com; ruf=mailto:dmarc@m365info.com; fo=1

To add the Microsoft 365 DMARC TXT record, follow the below steps:

  1. Sign into your provider (Cloudflare)
  2. Go to DNS records
  3. Add TXT
  4. Type hostname: _dmarc
  5. Add the DMARC TXT record value, which you copied in the previous step from the generator

Add the DMARC record just as in the below screenshot.

Configure DMARC record for Microsoft 365 (3)

Note: It can take up to 24 hours to complete the DMARC changes, but most of the time, it will resolve within 15 minutes.

Verify DMARC TXT record

To verify that the DMARC record is set up correctly for Microsoft 365, we will use different methods. The MxToolBox and Dmarcian tests only show whether you published the DMARC record correctly in your DNS. They do not show that the emails you send pass DMARC authentication. Therefore, you also need to send a test email and analyze the message header.

Check DMARC with MxToolbox

To check the DMARC record, follow these steps:

  1. Go to MxToolBox DMARC Check Tool
  2. Fill in the Domain Name
  3. Click DMARC Lookup
The lookup result shows:

  1. The DMARC record result is green, which means it’s published successfully
  2. There is a warning for DMARC policy because it’s not set as Quarantine or Reject

The result is correct because we set the DMARC policy as None for monitoring purposes.


Note: If you are satisfied with the DMARC results after a month, you can change the policy from none to quarantine or reject.

  1. Go to your DNS provider and change the policy from p=none to p=reject or p=quarantine
  2. Then test the DMARC record in MxToolBox again

In our example, the DMARC policy is enabled, and it’s changed to p=reject.


You configured the DMARC record correctly!
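The published-record check can also be run offline. This is an added example, not code from the article or from MxToolBox: it parses the TXT value and raises the same kind of warning for p=none. The function names and the set of checks are this example's own choices.

```python
import re

# The record published in this article (value of the TXT record at _dmarc).
ARTICLE_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc@m365info.com; "
                  "ruf=mailto:dmarc@m365info.com; fo=1")
POLICIES = ("none", "quarantine", "reject")
# Report URI with the optional size limit; only mailto: is defined by RFC 7489.
REPORT_URI = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", re.I)

def parse_dmarc(txt):
    """Split a DMARC TXT value into a dict of tag -> value, keeping tag order."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # trailing ';' is allowed
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value.strip()
    return tags

def lint_dmarc(host, txt):
    """Return (errors, warnings) for a record published at `host`."""
    errors, warnings = [], []
    if not host.lower().startswith("_dmarc."):
        errors.append("record must be published at _dmarc.<domain>")
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return errors + [str(exc)], warnings
    # The version tag must come first and is case-sensitive.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        errors.append("first tag must be v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        errors.append("p must be one of " + ", ".join(POLICIES))
    elif policy == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not REPORT_URI.fullmatch(uri):
                errors.append(f"{tag} has an invalid report URI: {uri}")
    if "rua" not in tags:
        warnings.append("no rua address: aggregate reports will not be sent")
    return errors, warnings
```
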

Check DMARC with Dmarcian

Check your DMARC record with Dmarcian DMARC Record Checker:

  1. Enter your domain
  2. Click Inspect The Domain

Scroll down to see the results and information about the DMARC record.

  1. It shows the DMARC record is valid, and the DMARC policy is set to p=reject

Check DMARC with Gmail

Another way to verify that DMARC is added successfully is by sending a test email from a Microsoft 365 organization mailbox to an external email (Gmail).

In our example, we sent an email from Amanda.Hansen@m365info.com to an external email address, bob.green@gmail.com.

Go to the recipient’s Gmail inbox to view the original email header:

  1. Open the email
  2. Click the three dots
  3. Click Show original
The information about DMARC in the original message shows PASS.

The Gmail original message doesn’t show if DMARC failed the test but removes the entire DMARC row. So when you can’t find DMARC in the original message, it means you did not set it up, or it’s incorrectly configured.
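The header check can be scripted for a saved message. This is an added example, not part of the original article: it reads the Authentication-Results header and returns None when the receiver recorded no DMARC result, ignoring results that are only quoted inside comments. The sample message is constructed, and the alignment test is a simplified assumption.

```python
import re
from email import message_from_string

# Constructed sample in the layout Gmail shows under "Show original". Addresses
# are the article's; the IP, selector and signature value are placeholders.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@m365info.com header.s=selector1 header.b=AbCdEfGh;
       arc=pass (i=1 spf=pass spfdomain=m365info.com dkim=pass dkdomain=m365info.com dmarc=pass fromdomain=m365info.com);
       spf=pass (google.com: domain of amanda.hansen@m365info.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=Amanda.Hansen@m365info.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=m365info.com
From: Amanda.Hansen@m365info.com
Subject: DMARC test

test
"""

def auth_results(raw_message):
    """Map each method in the topmost Authentication-Results header to its result."""
    header = message_from_string(raw_message).get("Authentication-Results", "")
    header = " ".join(header.split())                  # unfold continuation lines
    out = {}
    # Split on ';' outside parentheses; clause 0 is the receiver's authserv-id.
    for clause in re.split(r";(?![^()]*\))", header)[1:]:
        comment = " ".join(re.findall(r"\(([^()]*)\)", clause))
        bare = re.sub(r"\([^()]*\)", " ", clause)      # comments may quote other results
        m = re.match(r"\s*([a-z0-9-]+)=([a-z]+)", bare, re.I)
        if m:
            props = dict(re.findall(r"\b([a-z]+\.[a-z-]+)=(\S+)", bare, re.I))
            out[m.group(1).lower()] = {"result": m.group(2).lower(),
                                       "comment": comment, **props}
    return out

def dmarc_summary(raw_message):
    """Return the DMARC verdict, or None when the receiver recorded no result."""
    res = auth_results(raw_message)
    if "dmarc" not in res:
        return None
    from_dom = res["dmarc"].get("header.from", "").lower()
    policy = re.search(r"\bp=(\w+)", res["dmarc"]["comment"])
    aligned = []
    # Simplified relaxed alignment: identifier domain equals or sits under the From domain.
    for method, prop in (("dkim", "header.i"), ("spf", "smtp.mailfrom")):
        entry = res.get(method, {})
        dom = entry.get(prop, "").rsplit("@", 1)[-1].lower()
        if dom and entry.get("result") == "pass" and ("." + dom).endswith("." + from_dom):
            aligned.append(method)
    return {"result": res["dmarc"]["result"], "from": from_dom,
            "policy": policy.group(1).lower() if policy else None, "aligned": aligned}
```
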


Check DMARC with CheckTLS

Test your DMARC authentication in the message header with the CheckTLS tool:

  1. Go to CheckTLS
  2. Click on Select Extra Items to Show
  3. Select DMARC Info
  4. Click Start Listener

In our example, we will send an email from Amanda.Hansen@m365info.com.

Follow these steps to send a test email:

  1. Copy and paste the address to test@TestSender.CheckTLS.com
  2. Copy and paste the passcode in the subject of the email
  3. Type DMARC in the message
  4. Create a new email with the required information
  5. Send the test email

After you send the email, you need to check your inbox because you will get an email from CheckTLS.

  1. Open the email from CheckTLS to see the report
  2. The results show DMARC_result: pass, which means the email passed DMARC authentication

Also, check which DMARC policy you published under DMARC_published.p: reject. In our example, we changed it from p=none to p=reject in our DNS. The results should not be p: none because it means you did not implement DMARC completely.


Frequently Asked Questions (FAQ)

Do I need to set up DMARC?

Yes, it’s important to set up DMARC to protect your domain. It requires configuring a valid SPF and DKIM because these authentication methods can distinguish legitimate emails from fake ones.

What is a DMARC record?

A DMARC record is a DNS (Domain Name System) TXT record you publish at your DNS hosting provider. The DMARC record contains information about the domain’s DMARC policy. It specifies what actions the email receivers should take if an incoming email fails SPF or DKIM checks.

Is DMARC the only required email authentication method to set up?

DMARC is only one of the three email authentication methods. Every organization should implement the mail security standards SPF, DKIM, and DMARC.

Conclusion

You learned how to configure the DMARC record for Microsoft 365. Create a DMARC record with the MxToolbox DMARC Record Generator. Then copy the DMARC record, and add the DMARC TXT record into your DNS. Verify you published a valid DMARC record by performing a DMARC test in MxToolBox or Dmarcian. Also, check the DMARC authentication in the message header by sending a test email with CheckTLS.

Author: Rueben Jacobs
