Quick Answer

For Microsoft 365, add a DMARC TXT record at _dmarc.yourdomain.com with v=DMARC1; p=none; rua=mailto:[email protected]. Ensure SPF includes spf.protection.outlook.com and custom DKIM is enabled in Microsoft Defender. Start at p=none, monitor reports for 2-4 weeks, then advance to quarantine and reject using the pct= tag for gradual rollout.

DMARC for Microsoft 365: Complete Configuration

By Braedon·Mailflow Authority·Email Authentication

Prerequisites

Configure these before adding DMARC:

  1. SPF: Add include:spf.protection.outlook.com to your SPF record
  2. DKIM: Enable custom DKIM signing in Microsoft Defender
  3. Test: Send email and verify spf=pass and dkim=pass in headers

Add the DMARC Record

Add a TXT record to your DNS:

Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected]

M365-Specific Gotchas

Default DKIM doesn't align. This is the biggest M365 DMARC issue. Microsoft signs outbound email with DKIM by default — but using your .onmicrosoft.com domain. That means DKIM passes, but doesn't align with your custom From domain. You must enable custom DKIM for DMARC to work properly.

Exchange mail flow rules. If you have transport rules that modify message content (adding disclaimers, rewriting subjects), they can break DKIM if signing happens before the rule. Check the order of operations in your mail flow.

Hybrid Exchange. If you're running hybrid Exchange (on-premises + M365), authentication can be complex. On-premises servers need their own SPF entries and DKIM signing.

Practitioner note: I'd estimate 60% of the M365 domains I audit have DMARC configured but custom DKIM disabled. They're running on SPF alignment alone, which means every forwarded message fails DMARC. Enable custom DKIM — it takes five minutes and eliminates the most common failure scenario.

Monitor Reports

Use a DMARC monitoring tool to analyze aggregate reports. Look for:

  • M365 IPs passing both SPF and DKIM — your setup is correct
  • M365 IPs passing SPF but failing DKIM — custom DKIM isn't enabled
  • Unknown IPs — either spoofing or a service you forgot about
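
An added example (not from the original article or from Microsoft) that sorts the records of a DMARC aggregate report into the three buckets listed above, using the `.onmicrosoft.com` signing domain to spot the default-DKIM case. The report XML, the `example.com` names and the `KNOWN_SENDERS` range are constructed assumptions; replace the range with the networks your mail actually leaves from.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate layout; IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>192.0.2.11</source_ip><count>12</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.onmicrosoft.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>mailer.example.net</domain><result>pass</result></dkim></auth_results></record>
</feedback>"""

# Assumption: a stand-in for the networks you expect to send as your domain.
# Real Microsoft 365 ranges must come from Microsoft's published endpoint list.
KNOWN_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]

def classify(record):
    """Map one <record> to a bucket using the aligned (policy_evaluated) results."""
    row = record.find("row")
    ip = ipaddress.ip_address(row.findtext("source_ip"))
    dkim = row.findtext("policy_evaluated/dkim")
    spf = row.findtext("policy_evaluated/spf")
    if not any(ip in net for net in KNOWN_SENDERS):
        return "unknown-source"          # spoofing or a forgotten service
    if dkim == "pass" and spf == "pass":
        return "ok"
    if spf == "pass":
        # DKIM verified but under the tenant domain: signature exists, alignment fails.
        signers = [d.findtext("domain", "") for d in record.findall("auth_results/dkim")]
        if any(s.endswith(".onmicrosoft.com") for s in signers):
            return "default-dkim-unaligned"
        return "dkim-failing"
    return "other-failure"

def summarize(xml_text):
    """Return message counts per bucket for one aggregate report."""
    # Reports come from third parties; use a hardened parser such as defusedxml in production.
    totals = Counter()
    for record in ET.fromstring(xml_text).iter("record"):
        totals[classify(record)] += int(record.findtext("row/count"))
    return dict(totals)
```

A non-zero `default-dkim-unaligned` count means those messages pass DMARC on SPF alignment alone and will fail once forwarded.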

Common M365-adjacent services that send email:

  • SharePoint Online notifications
  • Power Automate flows
  • Dynamics 365
  • Teams meeting invites
  • Third-party apps connected via Microsoft Graph

Practitioner note: Power Automate is a sneaky one. People build flows that send email as the organization, and they don't realize those emails need to pass DMARC too. If you're using Power Automate to send notifications, check that it's going through Exchange Online with proper authentication.

Advance Your Policy

Follow the standard DMARC advancement timeline using the pct= tag for gradual rollout.

If you're managing M365 with hybrid Exchange, multiple domains, or complex mail flow rules, I can audit your configuration and build a safe advancement plan.

v1.0 · April 2026

Frequently Asked Questions

How do I set up DMARC with Microsoft 365?

Add a TXT record at _dmarc.yourdomain.com. Ensure SPF includes spf.protection.outlook.com and DKIM is enabled in Defender. Start at p=none and advance gradually.

Does Microsoft 365 send DMARC reports?

Yes. Microsoft sends DMARC aggregate reports to the rua= address specified in other domains' DMARC records. Microsoft also processes incoming DMARC policies.

What SPF record do I need for Microsoft 365?

Use v=spf1 include:spf.protection.outlook.com ~all as your SPF record. Add other senders' includes if you use additional services.

Why is DMARC failing for my M365 email?

Most likely custom DKIM isn't enabled. M365 signs with the onmicrosoft.com domain by default, which doesn't align with your custom From domain for DMARC.

Does M365 support DMARC for inbound email?

Yes. Exchange Online Protection evaluates DMARC policies on incoming email and can quarantine or reject messages that fail the sender's DMARC policy.
