Last updated: July 2026

In short: After this guide your domain publishes a DMARC record for Microsoft 365 — safely staggered from observation to enforcement, including the Microsoft-specific consequences.

Prerequisites

  • A Microsoft 365 tenant with a custom domain
  • Access to your domain’s DNS management (at the domain host)
  • SPF and DKIM must be in place

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) combines SPF and DKIM into an enforceable policy. The _dmarc TXT record defines what a recipient should do with unauthenticated mail — and where it sends reports.

The starting point at Microsoft 365

Two Microsoft peculiarities matter:

The record is created at the domain host, not in Microsoft 365 — for your custom domain. The exception: for the *.onmicrosoft.com domain you create the DMARC TXT in the Microsoft 365 admin center.

The high-risk outbound pool. If you set p=quarantine or p=reject, Microsoft routes outbound mail that fails DMARC at the destination through a “high-risk delivery pool” — and without exception: “There’s no override for this behavior.” In practice this means: you really must have captured all cleanly authenticated senders before you tighten, otherwise your outbound reputation suffers.

Step-by-step guide

1. Start with p=none

At the domain host, create a TXT record — host _dmarc, value:

v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de

p=none, according to Microsoft, is explicitly “for testing and tuning the DMARC policy”. You best analyze the rua reports (daily, XML) with a DMARC monitor like MARCo.

2. Read reports and clean up sources

The aggregate report shows you all IP addresses that send via your domain, and whether they pass DMARC. Get all legitimate sources to pass SPF/DKIM. Tip from Microsoft: put external bulk senders on a subdomain (marketing.example.com), so their problems don’t hit your main domain’s reputation.

3. Stagger up to reject

First use pct, then enforce fully:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@beispiel.de

Microsoft’s own complete example record with forensic reports reads v=DMARC1; p=reject; pct=100; rua=mailto:rua@contoso.com; ruf=mailto:ruf@contoso.com.

4. Wait until the change is live

DNS changes take time — a few hours up to a day depending on the provider and TTL.

Verify the result

Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.

Common mistakes

Too early to reject — and then the high-risk pool. With Microsoft 365, premature reject has an extra downside: failed outbound mail runs through the high-risk pool. Clean up all sources first.

Forgot .onmicrosoft.com. Its DMARC record is set in the admin center, not at the domain host.

Bulk sending via the main domain. Move newsletter services to a subdomain.

DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.

Further reading