In 2021, Gartner included Domain-based Message Authentication, Reporting & Conformance (DMARC) in its list of top 10 security projects. With very few exceptions, the best way for organizations to prevent getting impersonated in email attacks is to integrate DMARC into their Office 365-based email ecosystems.
To understand why, let’s consider the benefits of deploying DMARC within Office 365 environments, and tips for success when deploying DMARC for your organization.
Why O365 is Better with DMARC
Cisco Umbrella’s 2021 Cybersecurity Threat Trends report suggested phishing accounts for around 90% of data breaches. And when these scams contribute to a data breach, the cost to US businesses now averages $4.45 million in 2023 per incident, up % over the last three years, according to IBM’s Cost of a Data Breach report.
DMARC is designed to prevent that. DMARC is an email authentication standard that works as a policy layer for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help email receiving systems recognize when an email hasn’t been authorized by the company owning the “From:” header domain. DMARC provides instructions to email receiving systems on how to safely dispose of these unauthorized messages.
Its most aggressive enforcement policy is reject (p=reject), which means that email messages that do not pass DMARC authentication will be blocked from ever reaching their intended recipients. Less rigid policy settings include quarantine (p=quarantine), which places those emails in the spam folder, and monitor only (p=none), which allows organizations to monitor how their domain is being spoofed by themselves, but does not protect the recipients of those emails.
DMARC is already part of the robust security controls built into O365, so you have ample protection against most inbound phishing and spam attacks. In fact, you don’t have to do anything to implement DMARC for email that you receive within Office 365. What’s more, if you don’t use a custom domain for outbound email, but instead use the standard onmicrosoft.com subdomain, you don’t need to do anything else to configure or implement DMARC on your Office 365 tenant.
However, if your Office 365 tenant uses a custom domain (e.g., yourcompany.com), or if you rely on third-party services to send email — such as SendGrid, Mailchimp, Salesforce, Marketo, or others — you’ll need to implement DMARC yourself. But where do you begin with DMARC in an Office 365 environment? The following approaches will help you maximize the value of your DMARC deployment.
How to Set Up DMARC for O365
We recommend a multi-step plan for DMARC implementation. Execution for each step should start with a single subdomain, then proceed to other subdomains, and finally finish with the top-level domain in the organization, before moving to the next step.
- Step 1: Create a DMARC Record. Our DMARC Setup Tool will allow you to easily create the required TXT record. It should look something like this example: V=DMARC1; p=none; rua=mailto:dmarc-feedback@
[This example record instructs receiver systems to generate and send aggregate feedback to “dmarc-feedback@” your domain. The p=none tag indicates you are only interested in collecting feedback. Alternatively, you could use p=quarantine, or p=reject tags for emails that fail authentication.]
- Step 2: In your DNS, follow these DMARC setup steps to create a DNS TXT record. Log into the management console of your DNS hosting provider, and while this can vary by provider, you want to locate the page that allows you to add a DNS TXT record.
- Step 3: In the Type box, select “TXT Record Type”.
- Step 4: In the Host Value box, enter _dmarc as the “host”.
- Step 5: In the TXT Value box, enter the record you created using the DMARC Record Creator.
- Step 6: Save the DMARC record.
- Step 7: Validate the DMARC setup. You can use Fortra's DMARC Setup Tool to verify that DMARC has been set up correctly.
Employ Best Practices When Deploying DMARC for O365
Using a phased deployment when implementing DMARC is safer and ensures you don’t impact the rest of your email flow, especially for large organizations with a number of domains spanning divisions, departments, and third-party senders. Fortra's best practices for implementing DMARC include:
- Monitor the impact first. For large organizations setting up DMARC on numerous domains, we advise starting with a simple monitoring-mode record. A monitoring-mode record is a DMARC TXT record that has its policy set to p=none. Many organizations publish a DMARC TXT record this way because they’re unsure about how much email they may lose by publishing a more restrictive DMARC policy, and this allows them to monitor the impact before making edits.
- Include SPF and DKIM standards in your plans. Remember, you won’t be able to safely quarantine or reject mail with DMARC unless you implement SPF and DKIM on all legitimate sources of email. Your DMARC reports will show you all of the hosts sending email on behalf of your domain. Once you have successfully implemented SPF and DKIM on the legitimate mail sources, the fraudulent messages will be conspicuous because they will fail DMARC and will originate from servers that don’t belong to you or any of your authorized senders.
- Request that external mail systems quarantine any mail that fails DMARC. When you believe that most of your legitimate traffic is protected by SPF and DKIM and you understand the impact of implementing DMARC, you can implement a quarantine policy. By doing this, you are asking DMARC receivers to put messages from your domain that fail DMARC into the local equivalent of a spam folder instead of your customers’ inboxes.
- Configure external mail systems to reject messages that fail DMARC. Once you’re confident that all legitimate email is properly authenticated, the final step is to implement a reject policy. This instructs receiving mail servers not to deliver emails that fail DMARC checks. It is the strongest enforcement option, as it helps prevent unauthorized messages from reaching end users
When implementing DMARC for multiple domains, remember that DMARC records are hierarchical. This can be useful, as you may be able to specify a smaller number of high-level DMARC records for wider coverage. However, care should be taken when configuring explicit subdomain DMARC records where you do not want the subdomains to inherit the top-level domains' DMARC record.
Simplifying Enterprise DMARC Deployment While Strengthening Email Security
While deploying DMARC on a single domain is relatively simple, large-scale implementation is often more complex. Fortra played a key role in the development of the DMARC standard and pioneered early DMARC deployments, helping organizations achieve scale and efficiency in their implementations.
That’s why you might want to consider a solution like Fortra DMARC Email Authentication, which simplifies the challenges of implementing DMARC in Office 365 environments and helps reduce spoofed messages to near-zero levels. It also provides enhanced visibility into email activity, enabling organizations to use email security as a first line of defense to reduce their attack surface, strengthen core protections, and improve overall security posture.
