Microsoft Defender for Office 365 – Configure DMARC email authentication for Microsoft 365 Custom Domains

Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds upon SPF and DKIM to give domain owners greater control over how recipient servers handle their email messages. With DMARC, domain owners can specify policies instructing recipient servers on how to handle emails that fail SPF or DKIM checks. DMARC also enables domain owners to receive reports on email authentication results, allowing them to monitor and improve their email security posture.

We recommend a gradual approach to configure DMARC for your Microsoft 365 domains. The goal is to achieve a p=reject DMARC policy for all your custom domains and subdomains. Still, you must test and validate to avoid destination email systems rejecting legitimate mail due to unintended DMARC failures.

You can also use the pct= value to gradually affect more messages and verify the results.

Configure and verify DMARC settings

Start with a DMARC policy of p=none and monitor the results for the domain

1.Esure you configured the SPF settings without issues.

2.Ensure you configured DKIM setting without issues.

3.Create a DMARC TXT record for the Custom domain (e.g.

Hostname: _dmarc

TXT value: v=DMARC1; p=none; pct=100;;


The DMARC Aggregate (rua) and DMARC Forensic (ruf) reports provide the amount and source of messages that pass or fail DMARC checks. You may check how much of your genuine email traffic is or is not protected by DMARC and troubleshoot any issues. You can also monitor how many bogus messages are sent and where they come from.

4.Change the DMARC TXT settings and monitor the result.

Hostname: _dmarc

TXT value: v=DMARC1; p=quarantine; pct=100;;


You can also use the pct= parameter to gradually effect additional messages and test the outcomes.

4.Change the DMARC TXT settings and monitor the result.

Hostname: _dmarc

TXT value: v=DMARC1; p=reject; pct=100;;

You also can use DMARC generator to generate the TXT value.

Verify DMARC


2.On the MX Lookup page, select type your domain name and click MX Lookup.

The warning message because the DMARC txt record p=none.

You can change the p=quarantine of the DMARC TXT record and test it again.

I hope you enjoy this post.

Cary Sun

X: @SifuSun

Web Site:

Blog Site:

Blog Site:

Amazon Author:

About Post Author

Leave a Reply