Microsoft Defender for Office 365 – Configure DMARC email authentication for Microsoft 365 Custom Domains

Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds upon SPF and DKIM to give domain owners greater control over how recipient servers handle their email messages. With DMARC, domain owners can specify policies instructing recipient servers on how to handle emails that fail SPF or DKIM checks. DMARC also enables domain owners to receive reports on email authentication results, allowing them to monitor and improve their email security posture.

We recommend a gradual approach to configure DMARC for your Microsoft 365 domains. The goal is to achieve a p=reject DMARC policy for all your custom domains and subdomains. Still, you must test and validate to avoid destination email systems rejecting legitimate mail due to unintended DMARC failures.

You can also use the pct= value to gradually affect more messages and verify the results.

Configure and verify DMARC settings

Start with a DMARC policy of p=none and monitor the results for the domain

1.Esure you configured the SPF settings without issues.

2.Ensure you configured DKIM setting without issues.

3.Create a DMARC TXT record for the Custom domain (e.g. gooddealmart.ca)

Hostname: _dmarc

TXT value: v=DMARC1; p=none; pct=100; rua=mailto:rua@gooddealmart.ca; ruf=mailto:ruf@gooddealmart.ca

Note:

The DMARC Aggregate (rua) and DMARC Forensic (ruf) reports provide the amount and source of messages that pass or fail DMARC checks. You may check how much of your genuine email traffic is or is not protected by DMARC and troubleshoot any issues. You can also monitor how many bogus messages are sent and where they come from.

4.Change the DMARC TXT settings and monitor the result.

Hostname: _dmarc

TXT value: v=DMARC1; p=quarantine; pct=100; rua=mailto:rua@gooddealmart.ca; ruf=mailto:ruf@gooddealmart.ca

Note:

You can also use the pct= parameter to gradually effect additional messages and test the outcomes.

4.Change the DMARC TXT settings and monitor the result.

Hostname: _dmarc

TXT value: v=DMARC1; p=reject; pct=100; rua=mailto:rua@gooddealmart.ca; ruf=mailto:ruf@gooddealmart.ca

You also can use DMARC generator to generate the TXT value.

Verify DMARC

1.Open https://mxtoolbox.com/.

2.On the MX Lookup page, select type your domain name and click MX Lookup.

The warning message because the DMARC txt record p=none.

You can change the p=quarantine of the DMARC TXT record and test it again.

I hope you enjoy this post.

Cary Sun

X: @SifuSun

Web Site: carysun.com

Blog Site: checkyourlogs.net

Blog Site: gooddealmart.com

Amazon Author: Amazon.com/author/carysun

About Post Author

Cary Sun

Cary Sun has a wealth of knowledge and expertise in data center and deployment solutions. As a Principal Consultant, he likely works closely with clients to help them design, implement, and manage their data center infrastructure and deployment strategies.
With his background in data center solutions, Cary Sun may have experience in server and storage virtualization, network design and optimization, backup and disaster recovery planning, and security and compliance management. He holds CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1999. Cary is also a Microsoft Most Valuable Professional (MVP), Microsoft Azure MVP, Veeam Vanguard and Cisco Champion. He is a published author with several titles, including blogs on Checkyourlogs.net, and the author of many books.
Cary is a very active blogger at checkyourlogs.net and is permanently available online for questions from the community. His passion for technology is contagious, improving everyone around him at what they do.

Blog site: https://www.checkyourlogs.net
Web site: https://carysun.com
Blog site: https://gooddealmart.com
Twitter: @SifuSun
in: https://www.linkedin.com/in/sifusun/
Amazon Author: https://Amazon.com/author/carysun

See author's posts