How to Set Up DMARC for Microsoft 365

Publish a DMARC policy to protect your Microsoft 365 domain from spoofing and phishing by instructing receivers how to handle unauthenticated email.

Quick Answer — The Record You Need

Record Type: TXT
Host / Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Start with p=none to monitor before enforcing. Ensure SPF and DKIM pass first.

Step-by-Step Setup

1. Confirm SPF and DKIM are working

DMARC requires at least one of SPF or DKIM to pass and align. Verify both are set up for your Microsoft 365 domain.

2. Decide on a reporting address

Choose a mailbox or DMARC reporting service to receive aggregate (rua) and forensic (ruf) reports.

3. Create the DMARC TXT record

Add a TXT record in your DNS with host _dmarc and your policy value.

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

4. Analyze reports and authenticate all senders

Monitor aggregate reports for 2-4 weeks. Ensure all legitimate senders (marketing platforms, CRM, etc.) pass SPF or DKIM with domain alignment.

5. Move to enforcement

Gradually tighten the policy: p=quarantine with pct=25, then pct=50, pct=100, and finally p=reject.

v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1

Before & After

Before
(no DMARC record)
After
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Common Gotchas

  • Microsoft 365 emails pass DKIM alignment only if you have enabled custom DKIM signing with your domain. The default *.onmicrosoft.com signing will not align with your custom domain.
  • If you have third-party services sending as your domain (marketing tools, CRMs), they must be included in SPF or set up their own DKIM signing before you enforce DMARC.
  • Microsoft provides DMARC reports for mail received by Microsoft 365 users. To receive them for your domain, you must publish the rua tag in your DMARC record.

Verify Your Setup

After adding your DNS records, use our free DMARC checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.

Frequently Asked Questions

Do I need DMARC if I already have SPF and DKIM on Microsoft 365?

Yes. SPF and DKIM authenticate email, but DMARC tells receiving servers what to do when authentication fails. Without DMARC, receivers make their own decisions about unauthenticated mail.

Can Microsoft 365 send DMARC aggregate reports?

Yes. Microsoft 365 (Exchange Online Protection) sends DMARC aggregate reports to domains that have a rua tag in their DMARC record.

What should my final DMARC policy be for Microsoft 365?

The recommended final policy is p=reject, which instructs receivers to reject any email that fails DMARC authentication. Only move to reject after confirming all legitimate senders pass.
