Configuring DMARC for validating the FROM: address domain for senders in Microsoft 365

The most common mistake we see during DMARC setup is jumping straight to p=reject without monitoring first, says Vasile Diaconu, Operations Lead at DuoCircle. Start at p=none, analyze your reports for at least a full quarter — you need to catch monthly, quarterly, and annual email senders that only fire periodically. Then fix any legitimate senders that fail before enforcing. We walk every customer through this sequence.

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report

Configuring DMARC for validating the FROM: address domain for senders in Microsoft 365

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-13974">
						<source src="/images/wp/2024/06/Configuring-DMARC-for-validating-the-FROM-address-domain-for-senders-in-Microsoft-365.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H2M10S">2:10</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-13974" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-13974" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-13974" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-13974" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/configuring-dmarc-for-validating-the-from-address-domain-for-senders-in-microsoft-365/&t=Configuring DMARC for validating the FROM: address domain for senders in Microsoft 365" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/configuring-dmarc-for-validating-the-from-address-domain-for-senders-in-microsoft-365/&url=Configuring DMARC for validating the FROM: address domain for senders in Microsoft 365" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="/images/wp/2024/06/Configuring-DMARC-for-validating-the-FROM-address-domain-for-senders-in-Microsoft-365.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/configuring-dmarc-for-validating-the-from-address-domain-for-senders-in-microsoft-365/" class="input-link input-link-13974" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-13974" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="Y4EdAspXiD"><a href="https://dmarcreport.com/blog/podcast/configuring-dmarc-for-validating-the-from-address-domain-for-senders-in-microsoft-365/">Configuring DMARC for validating the FROM: address domain for senders in Microsoft 365</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/configuring-dmarc-for-validating-the-from-address-domain-for-senders-in-microsoft-365/embed/#?secret=Y4EdAspXiD" width="500" height="350" title=""Configuring DMARC for validating the FROM: address domain for senders in Microsoft 365" — DMARC Report" data-secret="Y4EdAspXiD" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-13974” readonly/>

					<button class="copy-embed copy-embed-13974" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

DMARC validates emails sent from your Microsoft 365 domain to prevent spoofed senders from attempting business email compromise (BEC) attacks, ransomware, and other phishing instances. For the DMARC validation process, the domains in the MAIL FROM and FROM addresses are verified for alignment.

DMARC in Microsoft 365 for different domain types

As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.

For MOERA domain users

SPF and DKIM are already configured for Microsoft Online Email Routing Address or MOERA domain (for example, testing.onmicrosoft.com), but you have to generate and publish a DMARC record for it in the Microsoft 365 admin center.

For custom domain users

You need to set up SPF and DKIM for all the **domains and subdomains you own, including the parked ones. Once done, you need to configure DMARC for them, as described later in this article.

Here are a few considerations you need to bear in mind-

Subdomains

For email services you don’t control directly, it’s better to use a subdomain so that you don’t have to deal with related issues. This will also protect your brand reputation. Unlike SPF and DKIM, a DMARC TXT record **automatically covers all subdomains that don’t have their own DMARC records. You can create a specific DMARC record for a subdomain to override this inheritance. However, each subdomain still needs its own SPF and DKIM records for DMARC to function correctly.

If your domain is not registered

For unused or parked domains, set the **DMARC TXT records to indicate that no email should come from them. This applies to the *.onmicrosoft.com domain if not used for email.

For online email service users

If you use an email service that modifies messages before delivery to Microsoft 365, mark the service as a trusted ARC sealer to prevent the modified messages from failing DMARC checks.

How Do You Create DMARC records for .onmicrosoft.com domains in Microsoft 365?

• Go to the Microsoft 365 admin center.

• Select **Show All

Settings > Domains**, or go directly to the Domains page using this link.

• On the Domains page, select the *.onmicrosoft.com domain by clicking anywhere in the row except the checkbox.

• In the domain details page, go to the **DNS records tab.

• Click **Add record on the DNS records tab.

• In the **Add a custom DNS record flyout, configure the following settings:

• Type: Verify that TXT (Text) is selected

• TXT Name: Enter dmarc - TXT Value: Enter v=DMARC1; p=reject - TTL: Verify that **1 hour or **3600 seconds is selected.

• When you’re finished on the **Add a custom DNS record flyout, select Save.

How Do You Configure DMARC for active custom domains in Microsoft 365?

It’s best for your **domain health and reputation if you gradually proceed toward the best protection against spoofing and phishing. Don’t set your DMARC record to p=reject right from the start; begin with p=none and monitor the results for testing and verifying to prevent recipients’ mailboxes from rejecting genuine emails because of unintentional DMARC failures.

We suggest you also opt to receive aggregate and forensic reports to get the **number and sources of emails that pass and fail DMARC checks. These reports give you insights into your email traffic, further helping you troubleshoot issues.

Once you gain confidence and the number of false positives goes down, move to p=quarantine and continue monitoring the aggregate and forensic reports. We suggest using the ‘pct=’ tag, also called the percentage tag. The pct tag in a DMARC record specifies the percentage of email messages to which the DMARC policy is applied. For example, pct=50 means the policy is applied to 50% of emails.

You can move in the following increment to test the policy’s impact on a portion of email traffic before applying it to all messages.

• pct=10

• pct=25

• pct=50

• pct=75

• pct=100

The end goal is to set the DMARC policy to **p=reject and continue reviewing the reports. You can also use the ‘pct=’ tag here.

DMARC for inbound emails in Microsoft 365

DMARC authentication checks for emails coming in Microsoft 365 are affected by the following features in Exchange Online Protection or EOP:

• Whether spoof intelligence is turned on or off in the anti-phishing policy. Turning it off removes implicit spoofing protection from composite authentication checks.

• Whether the “Honor DMARC record policy when the message is detected as spoof” setting is turned on or off in the anti-phishing policy. Actions are based on the DMARC policy of the source domain (p=quarantine or p=reject in the DMARC TXT record).

Also, note that Microsoft 365 doesn’t send DMARC forensic reports even if you add a valid ‘ruf=mailto:’ address to your DMARC record. On the bright side, it sends DMARC aggregate reports to all domains with a valid ‘rua=mailto :’ address in their DMARC records. However, this requires the MX record to point directly to Microsoft 365. This limitation applies to hybrid or standalone EOP scenarios where mail is first delivered to the **on-premises environment and then routed to Microsoft 365 using a connector.

We at DMARCReport help with everything related to receiving and **monitoring DMARC aggregate and forensic reports. So, if you feel stuck or confused at any point, contact us; we’ll handle the reports on your behalf.

Sources

• CISA Binding Operational Directive 18-01
• Microsoft Outlook DMARC Enforcement May 2025 (2025)
• PCI DSS v4.0 — DMARC Requirement (2025)
• RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC)