Last updated: July 2026
In short: After this guide your domain publishes a DMARC record for Microsoft 365 — safely staggered from observation to enforcement, including the Microsoft-specific consequences.
Prerequisites
- A Microsoft 365 tenant with a custom domain
- Access to your domain’s DNS management (at the domain host)
- SPF and DKIM must be in place
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) combines SPF and DKIM into an enforceable policy. The _dmarc TXT record defines what a recipient should do with unauthenticated mail — and where it sends reports.
The starting point at Microsoft 365
Two Microsoft peculiarities matter:
The record is created at the domain host, not in Microsoft 365 — for your custom domain. The exception: for the *.onmicrosoft.com domain you create the DMARC TXT in the Microsoft 365 admin center.
The high-risk outbound pool. If you set p=quarantine or p=reject, Microsoft routes outbound mail that fails DMARC at the destination through a “high-risk delivery pool” — and without exception: “There’s no override for this behavior.” In practice this means: you really must have captured all cleanly authenticated senders before you tighten, otherwise your outbound reputation suffers.
Step-by-step guide
1. Start with p=none
At the domain host, create a TXT record — host _dmarc, value:
v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de
p=none, according to Microsoft, is explicitly “for testing and tuning the DMARC policy”. You best analyze the rua reports (daily, XML) with a DMARC monitor like MARCo.
2. Read reports and clean up sources
The aggregate report shows you all IP addresses that send via your domain, and whether they pass DMARC. Get all legitimate sources to pass SPF/DKIM. Tip from Microsoft: put external bulk senders on a subdomain (marketing.example.com), so their problems don’t hit your main domain’s reputation.
3. Stagger up to reject
First use pct, then enforce fully:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@beispiel.de
Microsoft’s own complete example record with forensic reports reads v=DMARC1; p=reject; pct=100; rua=mailto:rua@contoso.com; ruf=mailto:ruf@contoso.com.
4. Wait until the change is live
DNS changes take time — a few hours up to a day depending on the provider and TTL.
Verify the result
Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.
Common mistakes
Too early to reject — and then the high-risk pool. With Microsoft 365, premature reject has an extra downside: failed outbound mail runs through the high-risk pool. Clean up all sources first.
Forgot .onmicrosoft.com. Its DMARC record is set in the admin center, not at the domain host.
Bulk sending via the main domain. Move newsletter services to a subdomain.
DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.
Further reading
- Microsoft Learn: Set up DMARC to validate email (retrieved: July 10, 2026)
- RFC 7489 — DMARC
