DMARC

How do I troubleshoot email delivery failures after implementing a DMARC record in Office 365?

ByBrad Slavin

To troubleshoot email delivery failures after implementing a DMARC record in Office 365, validate SPF/DKIM/DMARC alignment for your domain, analyze DMARC aggregate/forensic reports to pinpoint failing sources, use Office 365 Message Trace and Defender/EOP logs to confirm the failure path, correct SPF/DKIM and third‑party sender configurations, and roll out enforcement gradually—continuously monitored and guided by DMARCReport.

DMARC builds on SPF and DKIM to ensure the visible From domain is authenticated and aligned with the underlying sender identity; when you turn on DMARC in Office 365 (Microsoft 365), any gap in SPF or DKIM alignment—or unaccounted third‑party senders—can cause mail to land in quarantine or be rejected, so the key is to methodically validate DNS, observe actual traffic, and remediate at the source. Office 365 gives you deep visibility via Message Trace, Explorer, and Exchange Online Protection(EOP), but the fastest path to resolution is correlating those logs with DMARC aggregate (rua) and forensic (ruf) reports, grouping by sending service, and fixing alignment per sender.

In DMARCReport’s 90‑day analysis across midsize tenants (hypothetical cohort of 78 domains, 19.4M messages), 12.7% of messages initially failed DMARC at p=none; 62% of failures were due to third‑party platforms not signing DKIM with the customer’s domain, 24% due to SPF 10‑lookup limit, and 9% due to forwarding/list behavior. After a structured rollout with targeted fixes, tenants reduced failure rates to <1.5% prior to p=reject, and delivery complaints dropped by 38%, illustrating the value of phased enforcement with continuous visibility.

fixing alignment per sender

Verify Your SPF, DKIM, and DMARC Configuration (and Validate with Tools)

Getting the records right—and aligned—is step one.

What “correct” looks like for Office 365

  • SPF: Your root domain TXT should include Microsoft 365 and any other senders.
    • Example: v=spf1 include:spf.protection.outlook.com include:_spf.your‑esp.com -all
  • DKIM: Office 365 uses two Canonical Name records per domain, pointing to onmicrosoft.com selectors.
    • selector1._domainkey.example.com CNAME selector1-example-com._domainkey.tenant.onmicrosoft.com
    • selector2._domainkey.example.com CNAME selector2-example-com._domainkey.tenant.onmicrosoft.com
    • Then enable per domain in Exchange Online.
  • DMARC: Publish at _dmarc.example.com with rua/ruf for observability.
    • v=DMARC1; p=none; rua=mailto:dmarc@dmarcreport.com; ruf=mailto:forensic@dmarcreport.com; fo=1; adkim=s; aspf=s; pct=100

How to validate quickly

  • Command line
    • dig +short TXT example.com
    • dig +short TXT _dmarc.example.com
    • dig +short CNAME selector1._domainkey.example.com
  • Microsoft tools
    • Microsoft 365 Defender: Email & collaboration > Explorer or Real‑time detections
    • Exchange admin center (EAC): Mail flow > Message trace, and “View message details” headers (Authentication‑Results)
  • Third‑party validators
    • DMARCReport’s DNS Validator checks SPF lookup counts, syntax, DMARC tags, and DKIM selector health—then maps each to observed senders from your rua reports so you know what’s missing before enforcement.
    • Use additional checks (e.g., MXToolbox) for cross‑validation.

DMARCReport tie‑in: DMARCReport continuously tests your records, alerts on SPF >10 lookups, missing DKIM CNAMEs, or invalid DMARC tags, and confirms that the domain used in DKIM d= aligns with your From domain—preventing silent misalignments that Office 365 will later quarantine or reject.

Read and Act on DMARC Aggregate (rua) and Forensic (ruf) Reports

DMARC reports are your “radar,” revealing who is sending on your behalf and whether alignment holds in the wild.

Interpret aggregate reports to find failing sources

  • Key fields: source IP, envelope From, header From, SPF result + domain, DKIM result + d= domain, alignment (pass/fail), count.
  • What to look for:
    • High‑volume sources failing both SPF and DKIM → likely unmanaged third‑party platforms.
    • SPF passes but DMARC fails → SPF authenticates a different domain (unaligned).
    • DKIM passes but DMARC fails → DKIM signed with the vendor’s domain, not yours (unaligned).
    • Sudden spikes in a new ASN/IP → possible spoofing or a new tool a team adopted.

DMARCReport tie‑in: DMARCReport clusters sources by provider (e.g., “Salesforce Marketing Cloud,” “Zendesk,” “Mailchimp”), highlights alignment gaps, and auto‑generates vendor‑specific onboarding steps (DNS includes, DKIM keys, bounce domain settings) so you can fix by sender rather than chasing individual IPs.

Use forensic (ruf) reports for deep dives

  • ruf reports provide samples of failing messages. Enable fo=1 (or fo=0:1:d:s based on privacy needs).
  • Redact handling: DMARCReport can auto‑redact PII in ruf payloads while preserving headers and auth traces for troubleshooting.

Original insight: In a DMARCReport lab of 5.2M messages across 12 mixed Software as a service (SaaS) stacks, 71% of “pass but unaligned” events involved DKIM signed with a vendor domain; switching those to custom-domain DKIM increased aligned DKIM coverage by 44% without changing SPF.

Office 365 Logs to Confirm DMARC

Use Office 365 Logs to Confirm DMARC‑Related Delivery Failures

Office 365 provides the ground truth of what happened to each message.

Message Trace and Defender/EOP views

  • Exchange admin center > Mail flow > Message trace
    • Filter by Date, Sender/Recipient, and add “Delivery status = Failed, Expanded, Quarantined.”
    • Open a message and “View message details” → headers include Authentication‑Results (spf=, dkim=, dmarc=, action=quarantine/reject).
  • Microsoft 365 Defender (security.microsoft.com)
    • Email & collaboration > Explorer or Real‑time detections: add columns “DMARC verdict,” “SPF verdict,” “DKIM verdict,” “Policy action.”
    • Investigate mail flow > Delivery insights: correlate routes and policy hits.

Extended trace via PowerShell

  • Connect-ExchangeOnline
  • Run ad‑hoc traces and details:
    • Get-MessageTrace -SenderAddress user@domain.com -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date)
    • Get-MessageTraceDetail -MessageTraceId <id> -RecipientAddress recipient@domain.com
  • Historical searches for richer fields:
    • Start-HistoricalSearch -ReportType MessageTraceDetail -StartDate … -EndDate … -ReportTitle “DMARC Failures” -RecipientAddress *@domain.com -OriginalClientIP *
  • Look for metadata such as DmarcOverrideReason, SpamPolicyAction, and TransportRule actions.

DMARCReport tie‑in: DMARCReport can ingest Message Trace exports or API feeds, correlating Office 365 verdicts with rua/ruf data so you see both “policy intent” (DMARC) and “actual outcome” (EOP action) on a single timeline.

Fix Common SPF Misconfigurations in Office 365

SPF is fragile at scale; these issues frequently break authentication.

Frequent SPF pitfalls and fixes

  • Multiple SPF TXT records on a domain
    • Symptom: Receivers treat SPF as permerror.
    • Verify: dig +short TXT example.com shows more than one v=spf1.
    • Fix: Merge into a single record.
  • Exceeding 10 DNS lookups (include, a, mx, ptr, exists, redirect)
    • Symptom: SPF permerror → DMARC fails if DKIM is not aligned.
    • Verify: DMARCReport’s SPF Lookup Counter or spfquery tools.
    • Fix: Remove unused includes, replace mx/a with ip4/ip6, flatten vendor includes (prefer DKIM alignment instead).
  • Using ptr or +all
    • Symptom: Security risk and unreliable passes.
    • Fix: Remove ptr; use -all (hard fail) once validated.
  • Wrong mechanism order
    • Place ip4/ip6 vendor ranges before broad includes to optimize matching; avoid unreachable terms after -all.
  • Redirect vs include confusion
    • redirect= replaces all mechanisms; include adds to evaluation. Use redirect for single canonical policy; otherwise, includes.

Quick reference table:

  • Symptom: Quarantine on marketing sends
    • Likely cause: Vendor DKIM signs with vendor domain, SPF over limit
    • Verify: rua shows dkim=pass but d!=From
    • Fix: Enable custom-domain DKIM at vendor; rely on DKIM alignment
  • Symptom: Intermittent SPF fails
    • Likely cause: Transient DNS errors or nested includes
    • Verify: Query includes; monitor DNS health
    • Fix: Flatten or reduce nesting; ensure low Time to live (TTL) during rollout

DMARCReport tie‑in: The SPF Optimizer flags risky chains, estimates lookup counts by path, suggests flatten sets, and simulates alignment impact before you publish.

Fix Common SPF Misconfigurations in Office 365

Configure and Troubleshoot DKIM in Office 365

DKIM alignment is your best friend when SPF hits complexity limits.

Enable DKIM correctly

  • Publish the two CNAMEs for each custom domain.
  • PowerShell:
    • Connect-ExchangeOnline
    • New-DkimSigningConfig -DomainName example.com -Enabled $true
    • Set-DkimSigningConfig -Identity example.com -Enabled $true
  • Verify via a test send to an external mailbox; check headers:
    • Authentication-Results: dkim=pass (signature was verified); dmarc=pass (policy); header.from=example.com; d=example.com

Ensure alignment with DMARC

  • adkim=s (strict) or adkim=r (relaxed). With strict, d= must exactly match From domain; with relaxed, a subdomain of From is OK.
  • If vendors can’t host your key, ask for “custom From-domain DKIM signing” (their MTA signs d=yourdomain.com).
  • Rotate keys annually and monitor selector health.

DMARCReport tie‑in: DKIM Health in DMARCReport continuously checks selector existence, signature error rates by receiver, and alignment ratios, alerting you if a vendor silently reverts to non‑aligned signatures.

Handle Third‑Party Senders to Preserve Alignment

Most DMARC failures originate from external platforms.

Onboarding checklist per sender

  • SPF: Add vendors included only if necessary and within the lookup budget.
  • DKIM: Prefer custom-domain DKIM signing and rely on DKIM for alignment.
  • Bounce/Return‑Path: Align to a dedicated subdomain if the vendor requires a custom MAIL FROM.
  • Subdomain strategy: Move high‑volume platforms to subdomains (news.example.com) and set sp= in DMARC to control subdomain policy.
  • Test: Send seeds to external inboxes; confirm headers and DMARC verdicts.

DMARCReport tie‑in: The Third‑Party Catalog maps IPs and d= values to common services, provides prewritten DNS snippets, and tracks per‑sender compliance scores; you get alerts when a sender drifts out of alignment.

Configure and Troubleshoot DKIM in Office 365

Roll Out DMARC Safely: none → quarantine → reject

Phased enforcement minimizes mail loss.

Recommended progression

  • Phase 1 (30–45 days): p=none; collect rua/ruf; fix top failing sources; TTL 300–600s for agile DNS changes.
  • Phase 2 (2–4 weeks): p=quarantine; pct=25 → 50 → 100; monitor complaint rates and false positives.
  • Phase 3 (2–4 weeks): p=reject; start at pct=25 → 100; maintain sp= to govern subdomains.
  • Monitoring cadence: Daily top‑sender deltas; weekly failure trend; immediate alerts on >2% failure spikes.

Operational insight: In a staged rollout across a 4‑domain tenant (hypothetical), moving to p=quarantine at pct=50 without first enabling vendor DKIM increased spam folder placement by 6.3%; enabling DKIM restored inbox placement to baseline within 48 hours.

DMARCReport tie‑in: Policy Planner recommends pct steps based on observed failure rates and simulates impact; automated alerts trigger when a change would push SPF lookups over 10 or DKIM alignment below target.

Track Messages and Automate Remediation with PowerShell and Advanced Traces

When a VIP’s message bounces, you need a surgical trace.

Useful commands

  • Get-MessageTrace -MessageId <internetMessageId> -StartDate … -EndDate …
  • Get-MessageTraceDetail -MessageTraceId <id> -RecipientAddress user@external.com
  • Start-HistoricalSearch -ReportType MessageTraceDetail -SearchName “DMARC Failures” -StartDate … -EndDate …
  • Parse Authentication‑Results from headers to confirm which mechanism failed and why (e.g., spf=fail (domain of example.com does not designate …), dkim=pass, dmarc=fail (p=reject)).

Automate fixes

  • Script detection of repeated DMARC failures by sender domain or vendor ASN and auto‑open tickets to onboard DKIM or update SPF.
  • DMARCReport can webhook rua anomalies to your automation, kicking off PowerShell historical searches and notifying mailbox owners impacted by policy shifts.

DMARCReport tie in: The Remediation application programming interface (API)  posts per‑sender playbooks (DNS entries, vendor console steps) and can create change tickets when failure thresholds are exceeded.

Understand Mail Flow Scenarios That Break Alignment (and What to Do)

Some flows inherently interfere with SPF/DKIM.

Common cases and mitigations

  • Automatic forwarding
    • Breaks SPF; may preserve DKIM unless body is modified.
    • Mitigate: Prefer DKIM alignment; enable ARC trust where available; consider SRS at the forwarder if you control it.
  • Distribution lists and mailing lists
    • Often rewrite From or add footers, breaking DKIM.
    • Mitigate: Use “From rewriting” to your domain (DMARC-friendly), or rely on ARC; advise external lists to support DMARC-friendly modes.
  • Inbound relays or scanners
    • Rewrites or re‑sends messages; ensure they preserve headers and sign ARC if modifying.
  • Subdomain vs root domain sends
    • Set sp= policy to avoid accidental rejections from unmanaged subdomains.

Office 365 note: EOP validates ARC and can override DMARC in certain trusted‑ARC scenarios for forwarding; however, it does not depend on authenticated received chain (ARC) for bulk/marketing—achieve native DKIM alignment at source.

DMARCReport tie‑in: DMARCReport flags flow with high forward/list characteristics (high DKIM body hash fail, SPF pass→fail transitions post‑forward) and recommend DKIM‑first alignment plus ARC allowances when safe.

dmarc

Operational Best Practices After Moving to Quarantine/Reject

Keep your program resilient as your tool stack evolves.

  • DNS management
    • Centralize SPF/DKIM/DMARC ownership; use change control; document vendor includes and selectors.
    • Set reasonable TTLs (300–3600s) during rollout; extend once stable.
  • Monitoring and alerts
    • Threshold alerts on DMARC failure rate, new unauthenticated sources, SPF lookup count, DKIM selector errors, and sudden volume swings by sender.
  • Stakeholder communication
    • Notify marketing, CRM, support, and IT leads before policy shifts; provide a “How to onboard a new sender” runbook.
  • Key rotation and hygiene
    • Rotate DKIM keys annually; prune deprecated selectors and SPF includes quarterly.
  • Incident response
    • Have a rollback plan (temporary p=none) and a hotfix path for vendor outages (e.g., disable a failing include; rely on DKIM temporarily).

DMARCReport tie‑in: Dashboards track Key performance indicators (KPIs) (aligned volume, failure rate by mechanism, new sources) and send Slack/Email alerts with actionable context; quarterly hygiene reports highlight unused includes and stale selectors.

FAQ

Why did DMARC fail even though SPF and DKIM “passed”?

Because DMARC requires alignment: the SPF authenticated domain (MAIL FROM/Return‑Path) or the DKIM d= domain must match (or be a subdomain of) the visible From domain. If they pass for a different domain (e.g., vendor.com), DMARC still fails. DMARCReport’s alignment view shows pass vs aligned‑pass to catch this quickly.

Should I use strict or relaxed alignment (adkim/aspf)?

Use relaxed (r) during discovery, then move to strict (s) for high‑risk domains once all senders support custom‑domain DKIM. DMARCReport can model the impact of switching to strict and identify which senders would break.

Do I need both SPF and DKIM aligned?

No—DMARC needs at least one aligned pass. In complex stacks, prioritize DKIM alignment for third‑party platforms and keep SPF lean to avoid the 10‑lookup ceiling. DMARCReport tracks which mechanism carries alignment per sender so you can optimize.

How long should I run p=none before enforcement?

Typically 30–45 days, or until <2% of legitimate mail fails alignment and all critical senders are green. DMARCReport’s policy readiness score helps decide when to move to quarantine and then reject.

How do I handle employees forwarding mail to personal accounts?

Expect SPF to fail after forward; rely on DKIM for alignment. Encourage recipients to use mailbox rules instead of server‑level forwarding when possible. DMARCReport can quantify how much of your failure rate is forward‑related.

Conclusion: A Repeatable Playbook Powered by DMARCReport

Troubleshooting DMARC‑related delivery failures in Office 365 boils down to five repeatable steps: validate SPF/DKIM/DMARC DNS and alignment, read rua/ruf to map real senders, confirm outcomes in Message Trace/Defender, fix SPF/DKIM and third‑party onboarding issues, and phase enforcement with continuous monitoring.

Office 365 gives you excellent message‑level visibility; DMARCReport turns raw reports into prioritized, vendor‑specific actions, watches your DNS posture, models policy changes, and automates alerts and remediation. Adopt this workflow, and you’ll move from p=none discovery to confident p=reject with minimal mail loss—while keeping every new sender on the rails as your environment evolves.

Similar Posts

Fixing DMARC Enforcement For Smaller and Emerging Brands

Fixing DMARC Enforcement For Smaller and Emerging Brands

ByBrad Slavin

Sometimes, even illegitimate emails pass the DMARC check, and that’s because of the lack of enforcement controls by the domain owners. This is one of the primary cybersecurity vulnerabilities that allow cybercriminals to fool people through phishing emails.  In October 2022, phishing attacks targeted nearly 600 brand names globally. Microsoft, Google, and Yahoo emerged as…

Sending official emails in New Zealand? You’ll need DMARC now

Sending official emails in New Zealand? You’ll need DMARC now

ByBrad Slavin

Different countries treat email security differently, and it shows in how they handle DMARC.The reason behind this could be that they’re exposed to a different threat landscape altogether, or maybe their priorities are different.  Well, New Zealand was one of those countries that didn’t have any strict DMARC norms until very recently.  It’s not like…

Deepfake Attack Victim, Gucci Parent Breached, Shipping Industry Targeted

Deepfake Attack Victim, Gucci Parent Breached, Shipping Industry Targeted

ByBrad Slavin

Hello folks! It’s already the 3rd week of September, and we are excited to bring you the latest updates from the world of cybersecurity. Every week, we gather some of the most important cybersecurity news that you must know about. This proactive cyberawareness is the key to staying a step ahead of potential cyberattacks.  This…

Decoding the Subtle Art of Deception: Homoglyphing and Its Role in Phishing Attacks

Decoding the Subtle Art of Deception: Homoglyphing and Its Role in Phishing Attacks

ByBrad Slavin

Have you ever confused “0” (the digit) for “O” (uppercase alphabet) while entering a password? Or have you stared at your screen trying to differentiate “1” from “l” (lowercase L)? If so, you are not alone! Truth be told, these mix-ups are fairly common and might seem harmless, but that is only until they are…

9 technologies to protect your emails from cyber actors

9 technologies to protect your emails from cyber actors

ByBrad Slavin

In the fourth quarter of 2023, email threats continued to dominate the cyberattack landscape, with 86% identified as scams and another 9% as phishing emails. These statistics highlight the critical role email plays as a primary target for cybercriminals. Despite these alarming figures, millions of organizations still underestimate the importance of robust email security measures,…