---
title: "Do Office 365 Users Need DMARC? Configuring DMARC for Office 365 | DuoCircle"
description: "If you are seeking a one-liner answer to ‘Do Office 365 users need DMARC?’ then it’s ‘Yes, they do need DMARC protection."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/office-365-users-need-dmarc-configuring-dmarc-office-365/"
---

Quick Answer

Office 365 users do need DMARC. Microsoft enables outbound DMARC but doesn't provide reporting or monitoring, and it lacks visibility into SPF and DKIM configuration, leaving the domain exposed to spoofing without warning. For inbound mail, Office 365 honors DMARC automatically. For outbound mail on the onmicrosoft.com domain, SPF and DKIM are set up by default. For a custom domain: (1) inventory authorized sending IPs and check that 5321.MailFrom and 5322.From align for third-party senders; (2) generate an SPF TXT record starting with v=spf1, ending in -all (hardfail) or ~all (softfail), avoiding the deprecated ptr mechanism, and using include: for vendors; (3) set up DKIM with your own keys (relying on Microsoft 365 default DKIM can cause DMARC failures because of MailFrom/From mismatch); (4) publish a DMARC TXT record with v= and p= (none, quarantine, or reject) and add rua and ruf for reporting. Recommended rollout: start at p=none for 3 to 4 weeks, move to p=quarantine, then p=reject using the pct tag to ramp gradually. Set explicit subdomain policies (sp=) where needed. The post recommends against DIYing the rollout because of the cost of misconfiguration.


![DMARC for Office 365](https://media.mailhop.org/duocircle/images/2023/12/spf-record-checker-1.jpg) 

If you are seeking a one-liner answer to ‘Do Office 365 users need DMARC?’ then it’s ‘**Yes**, they do need [DMARC](/resources/what-is-dmarc) protection.’

Here’s a more explanatory answer to help you understand everything better.

While DMARC can be enabled for outbound emails in Office 365, it **doesn’t offer reporting** and monitoring, which means it can’t replace third-party [email protection](/email-security/reducing-the-risk-of-email-impersonation-attacks-6-email-security-measures-you-need-to-consider/). This keeps [Office 365 users at a high risk of phishing](https://www.techradar.com/pro/microsoft-365-users-targeted-by-major-phishing-campaign) and [domain spoofing](https://www.cloudflare.com/learning/ssl/what-is-domain-spoofing/#:~:text=Domain%20spoofing%20is%20when%20cyber,as%20if%20it%20were%20legitimate.), underlining the need to configure SPF, DKIM, and DMARC.

This Microsoft platform **lacks a mechanism** to provide visibility into SPF or DKIM configuration, which gives a hacker the opportunity to [infiltrate your email ecosystem](https://www.geekwire.com/2023/chinese-hacking-group-exploited-multiple-microsoft-flaws-to-access-u-s-government-email-accounts/) without tipping you off at all. 

## Configuring DMARC for Inbound Emails Received in Office 365

_As users, you don’t have to do anything to set up DMARC for inbound emails._ 

## Configuring DMARC for Outbound Emails Sent From Office 365

If you use the onmicrosoft.com domain, then [Sender Policy Framework](/content/sender-policy-framework) (SPF) is already set up for you and DKIM keys will also be **generated automatically** for messages you send. 

But if you are using a [custom domain](https://www.namecheap.com/guru-guides/what-is-a-custom-domain/) for your company, then here’s what you need to follow:

### Step 1: Gather a List of Sending Sources Authorized By You

Identify all the IP addresses that should be included in the list of authorized senders. Also, check whether [the 5321.MailFrom and 5322.From domains](https://www.easy365manager.com/rfc-5321-and-rfc-5322/) match for emails sent by **third-party vendors** on your behalf.

### Step 2: Generate an SPF Record For Your Custom Domain

You can use an online [SPF record generator](/content/spf-records/spf-record-generator) to create a TXT record. Ensure it begins with v=spf1 and ends with either ‘-all’ or ‘~all’, indicating a hardfail or softfail, respectively. Follow the best practices and **avoid using the ‘ptr’ mechanism**, as it’s deprecated due to being slow and unreliable. _Use the **‘include’ mechanism** to add sending sources of third-party vendors allowed to send messages on your behalf._
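The Step 2 rules can be checked mechanically before a record is published. The linter below is an added example, not code from the original article; it also counts DNS-lookup terms against the limit of 10 set by RFC 7208, which goes beyond what the article covers. The sample records and the vendor include are constructed.

```python
# Terms that each cost a DNS lookup when a receiver evaluates SPF
# (RFC 7208 caps the total at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_MEANING = {"-": "hardfail", "~": "softfail"}


def lint_spf(record):
    """Lint one SPF TXT record against the Step 2 rules and return a report dict."""
    report = {"includes": [], "lookups": 0, "all": None, "findings": []}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        report["findings"].append("record must begin with v=spf1")
        return report
    body = terms[1:]
    for pos, term in enumerate(body):
        qualifier = term[0] if term[0] in "+-~?" else ""
        rest = term[len(qualifier):]
        # The mechanism/modifier name ends at the first ':', '=' or '/'.
        cut = min((rest.find(c) for c in ":=/" if c in rest), default=len(rest))
        name, value = rest[:cut].lower(), rest[cut + 1:]
        if name in LOOKUP_TERMS:
            report["lookups"] += 1
        if name == "include":
            report["includes"].append(value)
        elif name == "ptr":
            report["findings"].append("ptr is deprecated (slow and unreliable); remove it")
        elif name == "all":
            # A bare 'all' means '+all', which is neither hardfail nor softfail.
            report["all"] = ALL_MEANING.get(qualifier or "+")
            if pos != len(body) - 1:
                report["findings"].append("terms after 'all' are never evaluated")
    if report["all"] is None:
        report["findings"].append("record must end with -all (hardfail) or ~all (softfail)")
    if report["lookups"] > 10:
        report["findings"].append("more than 10 DNS-lookup terms in this record alone")
    return report


# Constructed sample records (vendor include and IP address are placeholders).
GOOD = "v=spf1 include:spf.protection.outlook.com include:_spf.vendor.example -all"
BAD = "v=spf1 ptr ip4:192.0.2.10 +all"

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec, "->", lint_spf(rec))
```

The lookup count covers only the terms written in the record itself; lookups made inside each included vendor record also count toward the limit at evaluation time.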

[![email security report](https://media.mailhop.org/duocircle/images/2023/12/spf-record-checker-2.jpg)](https://media.mailhop.org/duocircle/images/2023/12/spf-record-checker-2.jpg)

### Step 3: Generate a DKIM Record For Your Custom Domain

After configuring the [SPF record](/content/sender-policy-framework/spf-record) for your custom domain, focus on generating a pair of cryptographically secured DKIM keys to add a **digital signature** to outgoing emails. 

_It’s recommended not to rely on Microsoft 365’s default [DKIM](/resources/what-is-dkim) configuration, because it can **cause DMARC to fail**._ This happens due to the mismatch between the 5321.MailFrom and the 5322.From addresses in all the emails sent from your domain.

To prevent DMARC failures and potential [email spoofing issues](https://today.ucsd.edu/story/forwarding%5Fbased%5Fspoofing), set up [DKIM Office 365](/resources/dkim-office-365) for your domain with third-party senders. This not only allows Microsoft 365 to authenticate their emails but also enables other providers like Yahoo and Gmail to verify them as legitimate, fostering **trust across mailboxes** and preventing spam classification.
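The mismatch described in Steps 1 and 3 is what DMARC calls alignment: SPF or DKIM must pass for a domain that matches the 5322.From domain. The evaluator below is an added example, not code from the original article. It assumes the organizational domain is the last two labels (real receivers use the Public Suffix List), uses the DMARC `aspf`/`adkim` alignment tags, which the article does not mention, and runs on constructed messages.

```python
def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption, see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed only the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


def dmarc_result(msg, aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    msg keys: header_from (5322.From address), mail_from (5321.MailFrom address),
    spf ('pass' or 'fail'), dkim (list of (d= domain, result) per signature).
    """
    from_domain = msg["header_from"].rsplit("@", 1)[-1]
    mail_from_domain = msg["mail_from"].rsplit("@", 1)[-1]
    spf_ok = msg["spf"] == "pass" and aligned(mail_from_domain, from_domain, aspf == "s")
    dkim_ok = any(result == "pass" and aligned(d, from_domain, adkim == "s")
                  for d, result in msg["dkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed messages. A vendor sends as example.com but bounces to its own domain.
VENDOR_DEFAULT = {  # SPF and DKIM both pass, but only for the vendor's domain
    "header_from": "news@example.com", "mail_from": "bounce@mail.vendor.example",
    "spf": "pass", "dkim": [("vendor.example", "pass")]}
VENDOR_CUSTOM_DKIM = {  # same vendor, now signing with a key published under example.com
    "header_from": "news@example.com", "mail_from": "bounce@mail.vendor.example",
    "spf": "pass", "dkim": [("example.com", "pass")]}
SUBDOMAIN_BOUNCE = {  # MailFrom on a subdomain of the From domain, no DKIM signature
    "header_from": "billing@example.com", "mail_from": "bounce@mail.example.com",
    "spf": "pass", "dkim": []}

if __name__ == "__main__":
    for name, msg in (("vendor default", VENDOR_DEFAULT),
                      ("vendor custom DKIM", VENDOR_CUSTOM_DKIM),
                      ("subdomain bounce", SUBDOMAIN_BOUNCE)):
        print(name, dmarc_result(msg))
```

The first message passes both SPF and DKIM yet fails DMARC, because neither result is for the From domain; signing with a key for the custom domain is what turns it into a pass.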

### Step 4: Create a DMARC Record For Your Custom Domain

Visit your DNS hosting provider and find the option to [create DMARC record](/resources/create-dmarc-records) or find the **TXT section to edit**. Choose the DNS record type as ‘TXT’ and add the host value.

Next, add the **mandatory ‘v’ and ‘p’ tags** to add the DMARC version and specify the [DMARC policy](/resources/dmarc-policy), respectively. _The “p=” can be paired with none, quarantine, or reject. As tag-value pairs, they would look like: p=none or p=quarantine or p=reject._

- The ‘none’ policy instructs recipients’ mailboxes to take **no action** against unauthorized messages.
- The ‘quarantine’ policy instructs recipients’ mailboxes to place unauthorized messages in the **spam folders**.
- The ‘reject’ policy instructs recipients’ mailboxes to **reject** unauthorized messages.

Although the ‘rua’ and ‘ruf’ tags aren’t mandatory, they are **highly recommended**. The ‘rua’ and ‘ruf’ tags allow you to specify email addresses where you want to receive [DMARC aggregate and forensic reports](/resources/dmarc-aggregate-report), respectively. _Deploying DMARC without reporting and monitoring is only half as effective._
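A record can be checked against the Step 4 rules before it goes into DNS. The validator below is an added example, not code from the original article; it relies on two facts from the DMARC specification (RFC 7489) that the article leaves implicit: the TXT record is published at the host `_dmarc.<domain>`, and `v=DMARC1` must be the first tag. The sample records and addresses are constructed.

```python
POLICIES = {"none", "quarantine", "reject"}


def record_name(domain):
    """Host name at which the DMARC TXT record for `domain` is published."""
    return "_dmarc." + domain.strip(".").lower()


def validate_dmarc(record):
    """Return (errors, warnings) for one DMARC TXT value."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    pairs = [(k.strip().lower(), v.strip()) for k, _, v in parts]
    tags = dict(pairs)
    errors, warnings = [], []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        errors.append("v=DMARC1 must be the first tag")
    if len(tags) != len(pairs):
        errors.append("a tag appears more than once")
    if tags.get("p", "").lower() not in POLICIES:
        errors.append("p is mandatory and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        errors.append("sp must be none, quarantine or reject")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and int(pct) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    # Reporting tags are optional, but without them nothing is ever reported back.
    for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
        if tag not in tags:
            warnings.append(f"{tag} missing: no {kind} reports will arrive")
            continue
        for uri in tags[tag].split(","):
            scheme, _, address = uri.strip().partition(":")
            if scheme.lower() != "mailto" or "@" not in address:
                errors.append(f"{tag} entry {uri.strip()!r} is not a mailto: address")
    return errors, warnings


# Constructed sample records.
GOOD = "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com"
WRONG_ORDER = "p=reject; v=DMARC1; pct=150"
BAD_VALUES = "v=DMARC1; p=monitor; rua=dmarc@example.com"

if __name__ == "__main__":
    print("publish at:", record_name("example.com"))
    for rec in (GOOD, WRONG_ORDER, BAD_VALUES):
        print(rec, "->", validate_dmarc(rec))
```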

## Best Practices for Configuring and Managing DMARC For Microsoft Office 365 Custom Users

[SPF, DKIM, and DMARC](/email-security/comparison-between-spf-dkim-and-dmarc/) work together to ensure convenience and security coexist. To leverage the **optimum benefit** of setting up [DMARC for Office 365](/content/dmarc-report/office365-dmarc), you must consider the following:

### Gradually Advance Your Policies

As a new user, use the ‘none’ policy and monitor your domain’s performance for **around 3-4 weeks**. Then, move to the ‘quarantine’ policy instead of the ‘reject’ policy to ensure minimal impact of false positives on [email marketing ROI](https://www.constantcontact.com/blog/what-is-the-roi-of-email-marketing/) and general communication.

While shifting to the strictest policy, that is p=reject, use the [pct tag (percentage tag)](https://mxtoolbox.com/dmarc/details/dmarc-tags/dmarc-percentage) to apply it to only a prespecified chunk of messages. You can increase the percentage to 100 only when there are very **rare instances of false positives**. 

### Set Up DMARC for Subdomains

DMARC works by stating a policy in a special record in DNS. It follows a hierarchy, meaning a policy for “sample.com” will affect subdomain.sample.com unless there’s a different rule for the subdomain. This is useful as it lets organizations use fewer general DMARC rules for broader coverage. But be careful: if you don’t want subdomains to follow the main domain’s rules, **set up specific** DMARC records for them.

_You can use a [wildcard-type DMARC rule](https://www.cloudns.net/wiki/article/190/) with the “sp=reject” value if you don’t want any subdomains to send emails._
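How the rollout and subdomain rules above combine is easiest to see by computing what receivers will do with failing mail. The sketch below is an added example, not code from the original article. It applies the RFC 7489 rule that messages not selected by `pct` get the next lower policy, assumes the organizational domain is the last two labels, uses a constructed dict in place of DNS, and the ramp percentages are assumptions because the article gives none.

```python
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def tags_of(record):
    """Parse 'v=DMARC1; p=reject; pct=25' into a dict of tag -> value."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    return {k.strip().lower(): v.strip() for k, _, v in parts}


def policy_for(domain, zone):
    """Return (policy, pct) governing `domain`, or None if nothing is published.

    A domain's own _dmarc record wins; otherwise the organizational domain's
    record applies, using sp= for subdomains when present and p= when not.
    """
    domain = domain.lower().rstrip(".")
    org = ".".join(domain.split(".")[-2:])  # assumption: no Public Suffix List
    for name, inherited in (("_dmarc." + domain, False), ("_dmarc." + org, domain != org)):
        if name in zone:
            tags = tags_of(zone[name])
            policy = tags.get("sp", tags["p"]) if inherited else tags["p"]
            return policy.lower(), int(tags.get("pct", 100))
    return None


def expected_split(domain, zone):
    """Share of DMARC-failing mail that receives each disposition."""
    found = policy_for(domain, zone)
    if found is None:
        return {}
    policy, pct = found
    split = {policy: pct / 100}
    if pct < 100:  # unsampled messages get the next lower policy
        lower = DOWNGRADE[policy]
        split[lower] = split.get(lower, 0) + (100 - pct) / 100
    return split


def rollout_records(rua, reject_ramp=(10, 50, 100)):
    """Records to publish in order: none, quarantine, then reject ramped with pct."""
    base = "v=DMARC1; p={}; rua=mailto:" + rua
    records = [base.format("none"), base.format("quarantine")]
    records += [base.format("reject") + ("" if pct == 100 else f"; pct={pct}")
                for pct in reject_ramp]
    return records


# Constructed zone: the parent is mid-ramp, one subdomain has its own record.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for d in ("example.com", "shop.example.com", "news.example.com"):
        print(d, expected_split(d, ZONE))
    print("\n".join(rollout_records("dmarc@example.com")))
```

Note that `p=reject; pct=25` does not leave the other 75% untouched: those messages are quarantined, so the jump from `p=quarantine` to a partial `p=reject` never loosens enforcement.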

### Avoid DIYing DMARC

DIYing DMARC, or attempting to [implement DMARC](/email-services/google-yahoo-mandatory-to-deploy-dmarc-for-more-than-5000-daily-emails/) on your own, is **not recommended** due to its complexities and potential pitfalls. DMARC involves configuring DNS records, setting policies, and interpreting reports, which can be challenging for those without specialized knowledge of [email authentication](/email-security/how-to-secure-online-email-transactions-for-trading-platforms-with-email-authentication/) protocols. 

**Misconfigurations** can lead to unintended consequences, such as blocking legitimate emails or leaving the domain [vulnerable to phishing attacks](https://www.scmagazine.com/news/attackers%5Fsalesforce%5Ffacebook-phishing-attacks). Professional expertise ensures a proper setup, **reducing the risk of errors** and enhancing the effectiveness of DMARC in preventing email spoofing and phishing. 

[![email deliverability](https://media.mailhop.org/duocircle/images/2023/12/spf-record-generator-3492.jpg)](https://media.mailhop.org/duocircle/images/2023/12/spf-record-generator-3492.jpg)

Therefore, seeking **professional assistance is advisable** to successfully navigate the intricacies of DMARC implementation. **DuoCircle** is always available to help you with anything related to [cybersecurity](/), email authentication, and [email deliverability](/a-guide-on-email-deliverability). Feel free to [book a demo](/demo-request).


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

