Are you looking to create a DMARC record in Office 365? We’ve got you covered. Below, we’ll show you the 4-step process for setting up DMARC in Office 365 and protecting your email-sending domains.
New to DMARC? Let’s start there first.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a technique to help receivers verify the authenticity of emails sent from your domain. Domain administrators use DMARC records to publish the email authentication policy used to protect against cyberattacks such as email spoofing and phishing.
DMARC records are published on your DNS as a plain text file, most likely named “_dmarc.yourdomain.com,” where “yourdomain.com” is your actual domain name.
You use DMARC records to instruct receiving servers on what to do with emails that have failed authentication tests. For example, you might request that emails that have failed the authentication test be quarantined into a spam folder, or you might want them to be deleted entirely.
A DMARC record contains the DMARC policy that informs ISPs (like Gmail, Yahoo!, and Microsoft’s Office 365) if a domain is set up to use DMARC. In this article, we’ll cover how to set up DMARC records in Office 365 to protect your emails and deliverability rates.
How to set up DMARC in Office 365
This question is a common one that we hear. We can split the topic up into inbound and outbound mail.
- Inbound mail: For inbound mail, DMARC is automatically set up by Office 365, regardless of whether it is hosted on a custom domain or not.
- Outbound mail: For those not using a custom domain (e.g., their email is hosted at a domain like onmicrosoft.com), their DMARC records are handled automatically. However, some work is required for those with their own custom domain or use an on-premise exchange server. These customers must configure their DMARC settings for their domain themselves to enable DMARC for outbound mail sending.
DMARC record setup Office 365
A few notes before you begin. Enforcing DMARC means setting up Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) beforehand. You’ll also need to ensure that your Office 365 account is connected to your domain and verified.
Step 1: Navigate to the DNS manager
Before configuring your DMARC records, please go to your domain registrar and navigate to your DNS manager.
DMARC policies are formatted as a TXT file. Add a new TXT file to your DNS records with the following details to create one.
- Fill in the hostname as “_dmarc.yourdomain.com.” This will let you and the system identify this TXT file as a DMARC record.
- Set the TTL to one hour. Depending on your domain registrar, you may have to set it as 1 hour, 60 minutes, or 3,600 seconds.
- The value field is where you’re going to write your DMARC record.
Step 2: Select the DMARC policy
Your DMARC policy outlines the treatment or actions you’d like for emails to take that fail authentication tests.
In your DMARC record, the policy is stored in the “p” tag and is a required entry. There are three types of policies you can choose from:
- None (p=none): The none policy asks the receiving server to treat the email messages as if there is no DMARC authentication policy, but you’ll still get DMARC reports.
- Quarantine (p=quarantine): The quarantine policy asks the receiving server to receive the email anyway but separates it from others. This typically means that the email will land in a spam folder.
- Reject (p=reject): The reject policy asks the receiving server to reject the email from landing in any inbox or folder.
If you don’t have a DMARC record in place, you should start with the p=none policy. It lets you enter the monitoring phase to collect data about your email activity without affecting the deliverability of your emails. You can receive DMARC reports to check the configuration of your DKIM records and SPF records and see the sources of your outbound emails.
Note: On the other hand, new-to-DMARC users shouldn’t set up quarantine and reject policies. If you don’t have someone who’s knowledgeable about DMARC and email security on your team, consider using a service like Valimail to set up your DMARC records.
Step 3: Add an email address to which reports can be sent
Aggregate reports only contain the overview of the email traffic, such as when the email is sent, the sender’s IP address, and the results from the authentication tests. Aggregate reports are sent daily in an XML file. Use the “rua” tag to specify where to send these reports.
You can also send reports to multiple email addresses by adding a comma between addresses, as shown in this example:
Besides aggregate reports, you might also encounter failure or forensic reports when learning about DMARC from other sources. However, these reports are no longer used, as it’s not as useful as aggregate reports and can be dangerous.
Step 4: Create the TXT record value
To create the TXT record, all you need to do is combine the previous components we’ve discussed in the “value” field.
In the end, here are the attributes you most likely will need to create to set up your first DMARC record:
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org;
While only the “rua” tag is optional, it’s just as important when you’re setting up your first DMARC record. It lets you receive aggregate reports. These reports contain important data you need to collect when starting out.
You should see your first DMARC report within 72 hours of creating this text file. However, if you create that text file, you may inadvertently impact the deliverability of your emails without realizing it. To avoid this, start with the p=none policy (unless you’re already at enforcement).
Note: Your DMARC policy can only request the treatment. However, it’s up to the receiving server to decide what they’d like to do with emails that fail authentication tests.
For example, Microsoft’s Exchange Online Protection (EOP) filtering service marks inbound emails that fail DMARC tests as spoof or spam by default, even if the sending server has a “p=reject” tag. Office 365 treats them this way because certain scenarios make a DMARC check fail, even if they come from a legitimate source.
Protect Your Email Domains with Valimail’s DMARC Services
Now you know how to create DMARC records in Office 365. Although a DMARC record is necessary, maintaining one can be challenging. This is especially true for businesses that may not have a dedicated IT team to protect their domains. Further, maintaining a DMARC record requires you to set up and enable DKIM and SPF, adding even more to what you need to do to secure your domain from malicious cyber attacks.
Valimail helps businesses set up and automatically update SPF, DKIM, and DMARC records for their Office 365 accounts. Valimail is a trusted Microsoft partner, recommended for ensuring email security across their cloud email products. DMARC implementation and DNS configuration require little to no technical expertise, thanks to our user-friendly authorization tools. This means you can set your authorization once and keep your domain secure forever.