← Back to Learn Hub

How to Set Up DMARC for Office 365 (Microsoft 365)

Setting up DMARC for Office 365 catches a lot of people out, because there is no DMARC switch inside Microsoft 365. DMARC is a record you publish in your domain's DNS, and Microsoft reads it from there. This guide shows you exactly what to publish and how to roll it out without breaking your email.

DMARC tells providers like Gmail and Outlook what to do with mail that fails authentication, and it gives you reports on who is sending as your domain. Without it, anyone can send email that looks like it comes from you.

Where DMARC lives (it's not a Microsoft 365 setting)

DKIM has a toggle in the Microsoft 365 Defender portal. DMARC does not. As Microsoft's own documentation puts it, you enable DMARC for a domain by creating a TXT record in DNS. There is no button to switch on inside Microsoft 365.

So if you have been hunting through the admin center for a DMARC option, that's why you can't find one. The work happens in your DNS, wherever your domain is hosted.

Before you start: SPF and DKIM first

DMARC relies on SPF and DKIM, so set those up before you publish a DMARC record. DMARC checks that a message passes SPF or DKIM and that the domain lines up (aligns) with the address in the From field.

If you haven't done these yet, start with our guide to setting up DKIM for Office 365, then come back here for DMARC.

Step 1: Create your DMARC record

A DMARC record is a single line of text. A safe starting record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Here, v=DMARC1 marks it as a DMARC record, p=none means monitor only (nothing is blocked yet), and rua is the address where the daily aggregate reports are sent. Starting at p=none lets you see who sends as your domain before you turn on blocking.

Step 2: Publish the record in your DNS

Add the record as a TXT entry in your DNS, wherever your domain is managed (your registrar or DNS host).

  • Type: TXT
  • Host / Name: _dmarc
  • Value: your DMARC record (the v=DMARC1 line above)
  • Save, then allow time for DNS to update. It can take up to 48 hours, though often much faster.

Step 3: Move to enforcement

p=none protects nobody on its own. It only watches. Once your reports confirm your real senders (Microsoft 365 and any other tools) are passing, tighten the policy in stages: move from p=none to p=quarantine (failing mail goes to spam), then to p=reject (failing mail is blocked).

Don't jump straight to reject. If a legitimate sender isn't yet covered, reject can block your own email, so step through the policies as your reports come back clean.

How to check it worked

After the record has propagated, confirm it with our free DMARC checker. It reads your published record and shows your policy in plain English. As reports arrive at your rua address, you'll also see which senders pass and which need attention.

Common problems

Most Office 365 DMARC confusion comes down to a few things.

  • Looking for a DMARC setting in Microsoft 365: there isn't one. It's a DNS record.
  • Record published at the wrong name: the host must be _dmarc, not your full domain.
  • Policy stuck at p=none: the record exists but isn't blocking anything yet. Move to quarantine or reject once senders pass.
  • Mail failing after enforcement: a real sender isn't covered by SPF or DKIM. Fix that before tightening further.

Check your domain now

Enter your domain to see your current email security status.

Frequently Asked Questions

Where do I set up DMARC in Office 365?

You don't set DMARC inside Microsoft 365. There's no toggle for it. DMARC is a TXT record you publish in your domain's DNS at the host _dmarc. Microsoft 365 reads it from there. The only authentication toggle in the Defender portal is for DKIM, not DMARC.

Does Microsoft 365 create a DMARC record automatically?

No. Microsoft 365 doesn't generate or publish a DMARC record for your custom domain. You write the record yourself and add it to your DNS. Microsoft only reads the record when it evaluates incoming mail; it never creates one for you.

What DMARC policy should I use for Office 365?

Start at p=none to monitor without blocking anything. Once your reports confirm Microsoft 365 and your other senders pass, move to p=quarantine, then p=reject for full protection. Reject is the goal, but only after you've confirmed your real mail passes.

Do I need SPF and DKIM before DMARC?

Yes. DMARC works by checking the results of SPF and DKIM and whether they align with your From address. If neither is set up, DMARC has nothing to validate. Set up DKIM for Office 365 and SPF first, then publish your DMARC record.

Setting up DMARC for Office 365 comes down to publishing one DNS record, then tightening the policy as your reports confirm your senders pass. There's no switch inside Microsoft 365. It all happens in your DNS.

Check your record any time with our DMARC checker. If you'd rather not manage the rollout and reports yourself, readyDMARC sets up and monitors DMARC for you.

Related Articles

How to Set Up DKIM for Office 365 (Microsoft 365)

Set up DKIM for Office 365: create your DKIM keys in the Microsoft 365 Defender portal, add the two ...

Read more →

What Is DMARC? How It Protects Your Email

Learn what DMARC is, how it stops email spoofing and phishing, and why every domain needs a DMARC po...

Read more →

How to Set Up DMARC for Google Workspace (Gmail)

Set up DMARC for Google Workspace (Gmail): publish the _dmarc DNS record, pick a policy, and move to...

Read more →

Misconfiguring this is easy, and costly

One wrong record can let attackers send email as your domain, or block your own legitimate mail once you turn on enforcement. Getting from a published record to real protection, without breaking delivery, is where most teams get stuck. Our specialists set up SPF, DKIM, and DMARC for you and roll it out safely, checking at every stage.

Book a call with our team