What is DMARC?
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is a technique that helps receivers verify the authenticity of emails sent from your domain. Domain administrators use DMARC records to publish the email authentication policy used to protect against cyberattacks such as email spoofing and phishing.
DMARC records are published in your DNS as a TXT record named “_dmarc.yourdomain.com,” where “yourdomain.com” is your actual domain name.
Using DMARC records, you can instruct receiving servers on what they should do with emails that have failed authentication tests. For example, you might request that emails that have failed the authentication test be quarantined into a spam folder. A DMARC record is what contains the DMARC policy that informs ISPs (like Gmail, Yahoo!, Microsoft’s Office 365, and other email servers) if a domain is set up to use DMARC.
In this article, we’ll cover how to set up your DMARC records in the Microsoft Office 365 admin center to ensure your emails and deliverability rates are protected.
How do I enable DMARC in Office 365?
This is a common question that gets asked quite often. We can split the topic up into inbound and outbound mail.
For inbound mail, DMARC is automatically validated by Office 365, regardless of whether it is hosted on a custom domain or not.
For outbound mail, the answer is a little more specific. For those that are not using a custom domain (e.g., their email is hosted at a domain like onmicrosoft.com), their DMARC records are handled automatically. However, for those that have their own custom domain or use an on-premises Exchange server, some work is required. These customers must configure the DMARC settings for their domain themselves to enable DMARC for outbound mail.
Setting up your DMARC record on Office 365
A few notes before you begin
- Enforcing DMARC means that you need to have SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) set up beforehand.
- To set up DMARC on your custom domain, you need to make sure that your Office 365 account is connected to your domain and verified.
Step 1: Navigate to the DNS manager
Before you configure your DMARC records, please go to your domain registrar and navigate to your DNS manager.
DMARC policies are published as a TXT record. To create one, add a new TXT record to your DNS records with the following details.
- Fill in the host name as “_dmarc.yourdomain.com.” This will let you and the system identify this TXT record as a DMARC record.
- Set the TTL to one hour. Depending on your domain registrar, you may have to set it as 1 hour, 60 minutes, or 3600 seconds.
- The value field is where you’re going to write your DMARC record.
Step 2: Select the DMARC policy
Your DMARC policy outlines the treatment you’d like receiving servers to apply to emails that fail authentication tests.
In your DMARC record, the policy is stored in the “p” tag and is a required entry. There are three types of policies you can choose from:
- None (p=none): The none policy asks the receiving server to treat the email messages as if there is no DMARC authentication policy in place, but you’ll still get DMARC reports.
- Quarantine (p=quarantine): The quarantine policy asks the receiving server to receive the email anyway, but separates it from others. This typically means that the email will land in a spam folder.
- Reject (p=reject): The reject policy asks the receiving server to reject the email from landing in any inbox or folder.
If you don’t have a DMARC record in place, you should start with the none policy. It lets you enter the monitoring phase to collect data about your email activity without affecting the deliverability of your emails. You can receive DMARC reports to check the configuration of your DKIM records and SPF records and see the sources of your outbound emails.
On the other hand, new-to-DMARC users shouldn’t set up quarantine and reject policies. If you don’t have someone who’s knowledgeable about DMARC and email security on your team, consider using a service like Valimail to set up your DMARC records.
Step 3: Add an email address to which reports can be sent
Aggregate reports only contain the overview of the email traffic, such as when the email is sent, the sender’s IP address, and the results from the authentication tests. Aggregate reports are sent daily in an XML file. Use the “rua” tag to specify where to send these reports.
You can also send reports to multiple email addresses by adding a comma between addresses, as shown in this example:
Besides aggregate reports, you might also encounter failure or forensic reports when learning about DMARC from other sources. However, these reports are no longer used, as they’re not as useful as aggregate reports and can be dangerous.
Step 4: Create the TXT record value
To create the TXT record, all you need to do is combine the previous components we’ve discussed in the “value” field.
In the end, here are the attributes you most likely will need to create to set up your first DMARC record:
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org;
Of these tags, only “rua” is optional, but it’s just as important when you’re setting up your first DMARC record because it lets you receive aggregate reports. These reports contain important data that you need to collect when you’re starting out. You should see your first DMARC report within 72 hours after creating this TXT record. However, creating the record may inadvertently impact the deliverability of your emails without your realizing it. To avoid this, start with the p=none policy (unless you’re already at enforcement).
Note: Your DMARC policy can only request the treatment. In the end, it’s up to the receiving server to decide what they’d like to do with emails that fail authentication tests.
For example, Microsoft’s Exchange Online Protection (EOP) filtering service marks inbound emails that fail DMARC tests as spoof or spam by default, even if the sending server has a “p=reject” tag. Microsoft 365 treats them this way because there are certain scenarios that make a DMARC check fail, even if they come from a legitimate source.
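A record assembled in Steps 1 to 4 can be checked before it is pasted into the DNS manager. The Python checker below is an added example, not Valimail's or Microsoft's code: the names `parse_tags` and `check_dmarc` are hypothetical, every sample value except the Step 4 record is constructed, and it assumes report destinations are `mailto:` URIs.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Assumption: report destinations are mailto: URIs, optionally with a "!10m" size limit.
MAILTO = re.compile(r"^mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?$", re.IGNORECASE)

def parse_tags(value):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in (p.strip() for p in value.split(";")):
        if not part:  # a trailing ';' leaves an empty piece
            continue
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        pairs.append((tag.strip().lower(), val.strip()))
    return pairs

def check_dmarc(value):
    """Return (errors, warnings) for one DMARC TXT record value."""
    errors, warnings = [], []
    try:
        pairs = parse_tags(value)
    except ValueError as exc:
        return [str(exc)], warnings
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        errors.append("record must begin with v=DMARC1")
    if "p" not in tags:
        errors.append("required tag 'p' is missing")
    elif tags["p"].lower() not in POLICIES:
        errors.append(f"unknown policy: p={tags['p']}")
    if "rua" not in tags:
        warnings.append("no 'rua' tag: aggregate reports will not be sent to you")
    else:
        bad = [u.strip() for u in tags["rua"].split(",") if not MAILTO.match(u.strip())]
        errors += [f"rua entry is not a mailto: URI: {u!r}" for u in bad]
    return errors, warnings

# Constructed sample values; the first is the record from Step 4.
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org;",
    "v=DMARC1; p=none; rua=mailto:a@example.org, mailto:b@example.org",
    "p=quarantine; v=DMARC1",
    "v=DMARC1; p=monitor; rua=reports@example.org",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_dmarc(sample))
```

The third and fourth samples show the mistakes this catches: tags out of order with no report address, and an unrecognised policy with a bare address where a `mailto:` URI is expected.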
Protect Your Email Domains with Valimail’s DMARC Services
Although a DMARC record is necessary, maintaining one can be challenging. This is especially true for businesses that may not have a dedicated IT team to protect their domains. Further, maintaining a DMARC record requires you to set up and enable DKIM and SPF, adding even more to what you need to do to secure your domain from malicious cyber attacks.
Valimail helps businesses set up and automatically update SPF, DKIM, and DMARC records for their Office 365 accounts. Valimail is a trusted Microsoft partner, recommended for ensuring email security across their cloud email products. Thanks to our user-friendly authorization tools, DMARC implementation and DNS configuration require little to no technical expertise. This means you can set your authorization once and keep your domain secure forever.