
DMARC Implementation in O365

DMARC is designed to fit into an organization's existing inbound email authentication process. It helps email receivers determine whether a message is "aligned" with what the receiver knows about the sender.


Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing emails. DMARC helps the receiving mail system determine what to do with messages sent from your domain that fail the SPF or DKIM check.

 

There are other syntax options that are not mentioned here; these are the most commonly used options for Office 365. Create the DMARC TXT record for your domain in the format:

 

         _dmarc.abc.com  TTL IN TXT "v=DMARC1; p=policy; pct=100"

 

Here abc.com is the domain you want to protect. By default, the record protects mail from the domain and all of its subdomains. For example, if you specify _dmarc.abc.com, DMARC protects mail from the domain and all subdomains, such as housewares.abc.com or plumbing.abc.com.

 

TTL must always be the equivalent of one hour. The unit used for TTL, whether hours (1 hour), minutes (60 minutes), or seconds (3600 seconds), varies depending on the registrar for your domain.

 

pct=100 indicates that this rule should be applied to 100% of email.

 

policy specifies the action you want the receiving server to take if DMARC fails. You can set the policy to none, quarantine, or reject.



DMARC TAG OPTIONS:

 

DMARC tags are the language of the DMARC standard. They tell the email receiver to check for DMARC and what to do with messages that fail DMARC authentication.

 

v = The version tag identifies the retrieved record as a DMARC record. Its value must be DMARC1, and it must be listed first in the DMARC record.

 

p = This indicates the requested policy you wish mailbox providers to apply when your email fails DMARC. The options are none, quarantine, and reject.

 

  •  none: means "take no action, just collect data and send the report"

  •  quarantine: means "treat with suspicion"

  •  reject: means "block outright"

 

pct = The percentage of messages to which the DMARC policy is to be applied.

 

rua = This tag lets mailbox providers know where you want aggregate reports to be sent. Aggregate reports provide visibility into the health of your email program by helping identify potential problems or malicious activity.

 

ruf = This tag lets mailbox providers know where you want forensic (message-level) reports to be sent.

In the external DNS for your custom domain, create a new TXT record and enter the following values:

 

Name: _dmarc

Type: TXT

Value: v=DMARC1; p=none; pct=100; rua=mailto:support@abc.com; ruf=mailto:support@abc.com

 

You can verify the DMARC record by going to the link DMARC INSPECTOR.

 

Examples:

 

  1. Policy set to none

         _dmarc.abc.com 3600 IN TXT "v=DMARC1; p=none"

  2. Policy set to quarantine

         _dmarc.abc.com 3600 IN TXT "v=DMARC1; p=quarantine"

  3. Policy set to reject

         _dmarc.abc.com 3600 IN TXT "v=DMARC1; p=reject"

 

Once you create your record, you will need to update the record at your domain registrar.
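
A local check of the tag rules described above, run on the TXT value before it is published. This is an added example, not part of the original article. The function names are hypothetical, and the mailto-only rule for report addresses is an assumption taken from the sample record on this page.

```python
# Added example: checks a DMARC TXT value against the tag rules on this page.
POLICIES = {"none", "quarantine", "reject"}

def parse_tags(txt):
    """Split 'v=DMARC1; p=none; ...' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        pairs = parse_tags(txt)
    except ValueError as exc:
        return [f"error: {exc}"]
    tags, findings = dict(pairs), []
    if len(tags) != len(pairs):
        findings.append("error: a tag appears more than once")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("error: v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append("error: p must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        findings.append("error: pct must be a whole number from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            # Assumption: only mailto: report addresses, as in the page's record.
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                findings.append(f"error: {tag} address {uri.strip()!r} is not a mailto: URI")
    if policy == "none" and "rua" not in tags:
        findings.append("warning: p=none without rua collects no aggregate reports")
    return findings

if __name__ == "__main__":
    samples = [  # the first is this page's record; the others are constructed
        "v=DMARC1; p=none; pct=100; rua=mailto:support@abc.com; ruf=mailto:support@abc.com",
        "v=DMARC1; p=policy; pct=100",        # template placeholder left in
        "v=DMARC1; p=reject; pct=100\u201d",  # smart quote pasted into the value
    ]
    for record in samples:
        print(record, "->", check_dmarc(record) or "ok")
```

A record with p=none and no rua tag is syntactically valid but produces no aggregate reports, so the check reports it as a warning rather than an error.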



