What DMARC policy should I start with on Microsoft 365 domains?

Start with p=none to collect reports without blocking anything. Move to quarantine and reject only when SPF and DKIM alignment look healthy.

Where do I publish the DMARC record?

DMARC is a TXT record at _dmarc.yourdomain.com. It should start with v=DMARC1 and include a p= policy.

Why does DMARC fail even when SPF and DKIM pass?

DMARC cares about alignment. The domain in the visible From header must align with the domain authenticated by SPF or DKIM.

How to set up DMARC on Microsoft 365

Step by step DMARC setup for Microsoft 365: complete instructions, examples, verification commands, and common pitfalls.

Want to check your domain while following this guide?

Run a free SPF, DKIM and DMARC check on your domain to see exactly what is passing and what needs fixing.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

This is a reference guide for configuring DMARC on Microsoft 365. Use it while editing DNS or when troubleshooting deliverability.

Tip: Here’s a reliable, copy-pasteable way to set up DMARC using Microsoft 365. Then verify everything with the InboxGreen Free Checker.

Provider-specific notes for Microsoft 365

Microsoft 365 DKIM requires enabling signing per domain in the Security center. The DNS CNAME records can exist but DKIM still fails until signing is turned on.
SPF is simple, but tenants using multiple mail flows often forget to add their marketing or transactional tool's include alongside the Microsoft include.
Microsoft 365 admin → Settings → Domains → Pick domain → View DNS records.

DMARC policy ladder

DMARC connects SPF and DKIM to the visible From domain. The safe approach is to start in monitoring, fix alignment issues, then gradually move to stricter policies.

Stage	TXT value	When to use it
Monitor	`v=DMARC1; p=none; rua=mailto:[email protected]; fo=1`	Collect reports and understand who sends on your behalf.
Quarantine	`v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; fo=1`	Quarantine a portion of failing mail. Raise `pct` as confidence grows.
Reject	`v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; fo=1`	Full protection once alignment is good and monitored.

Publish DMARC

Create a TXT record at host _dmarc with your chosen value.
Make sure the rua address exists and can receive XML reports.

Verify and troubleshoot

dig TXT _dmarc.yourdomain.com +short
nslookup -type=txt _dmarc.yourdomain.com

Check that either SPF or DKIM aligns with the visible From domain.
Debug failing sources before moving beyond p=none.

Related for Microsoft 365

quick_reference_all Set up SPF on Microsoft 365 quick_reference_all Set up DKIM on Microsoft 365 quick_reference_all Set up List-Unsubscribe on Microsoft 365

Pro tip: Turn on InboxGreen Monitoring to check these records daily and get alerts if something breaks.

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.

Useful tools

tune SPF Generator tune DMARC Generator verified Badges