Domain-Based Message Authentication, Reporting, and Conformance SHALL Be Enabled

Description

Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with SPF and DKIM to authenticate mail senders and ensure that destination email systems can validate messages sent from your domain. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks.

Policy

  • A DMARC policy SHALL be published for every custom domain.

  • The DMARC message rejection option SHALL be “p=reject.”

Licensing Considerations

Any tenant can perform this configuration.

Set Up Instructions

Use DMARC to validate email, setup steps - Office 365 | Microsoft Learn

DMARC implementation varies depending on how an agency manages its DNS records. See Form the DMARC TXT record for your domain | Microsoft Docs for Microsoft guidance. DMARC records can be queried using the PowerShell tool Resolve-DnsName. For example:

Resolve-DnsName _dmarc.example.com txt

Replace “example.com” in the example with the domain(s) used for your agency’s emails. Ensure that (1) the DNS record exists, and (2) “p=reject;” is included in the policy returned from the query.
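To run both checks across several domains at once, the following added example (not Microsoft's code and not part of the original guidance) wraps Resolve-DnsName and parses the returned policy. The function names Get-DmarcTag and Test-DmarcReject are hypothetical helpers, and the domains in the usage comment are placeholders.

```powershell
# Added example: Get-DmarcTag and Test-DmarcReject are hypothetical helper names.
function Get-DmarcTag {
    param([Parameter(Mandatory)][string]$Record)
    # Split "tag=value; tag=value" into a hashtable keyed by lower-case tag name.
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        $name, $value = $pair -split '=', 2
        if ($null -ne $value) { $tags[$name.Trim().ToLower()] = $value.Trim() }
    }
    return $tags
}

function Test-DmarcReject {
    param([Parameter(Mandatory)][string[]]$Domain)
    foreach ($d in $Domain) {
        $policy = $null
        try {
            $answers = Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction Stop
            # Keep TXT answers only (the response can also carry CNAME or SOA rows),
            # rejoin strings that DNS split into chunks, then keep DMARC records.
            $records = @($answers | Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { -join $_.Strings } |
                Where-Object { $_ -cmatch '^\s*v=DMARC1\s*(;|$)' })
            if ($records.Count -eq 0) {
                $status = 'No DMARC record published'
            } elseif ($records.Count -gt 1) {
                # More than one DMARC record means receivers apply no policy at all.
                $status = 'Multiple DMARC records published'
            } else {
                $policy = (Get-DmarcTag -Record $records[0])['p']
                $status = if ($policy -eq 'reject') { 'OK' } else { 'Policy is not p=reject' }
            }
        } catch {
            # NXDOMAIN, timeouts and similar resolver errors land here.
            $status = "Lookup failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Domain = $d; Policy = $policy
                           Compliant = ($status -eq 'OK'); Status = $status }
    }
}

# Constructed sample records, parsed offline to show the tag lookup:
'v=DMARC1; p=reject; rua=mailto:dmarc@example.com', 'v=DMARC1; p=none' |
    ForEach-Object { (Get-DmarcTag -Record $_)['p'] }

# Live check against DNS (placeholder domains; substitute your agency's):
# Test-DmarcReject -Domain 'example.com', 'example.org' | Format-Table -AutoSize
```

Any row where Compliant is False identifies a domain that does not yet meet the policy above, with the Status column giving the reason.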

End-User Impact

Level: Low

While there is no direct impact to end-users, they should experience better outbound mail flow delivery with DMARC in place.

Tips

None Currently

PowerShell Scripts

None Currently
