
Microsoft 365 DMARC setup — monitor to reject in four sprints

Follow this playbook to align SPF and DKIM, configure DMARC reporting and move to enforcement without interrupting legitimate mail flows.


What you’ll need

  • Global admin access to Microsoft 365
  • DNS provider login (GoDaddy, Cloudflare, etc.)
  • dmarciq account with RUA inbox configured

Step-by-step rollout

1. Baseline reporting and inventory

Sprint 1
  1. Enable DMARC reporting: Create a DNS TXT record at _dmarc.yourdomain.com with the value v=DMARC1; p=none; rua=mailto:reports@dmarciq.app.
  2. Activate dmarciq reporting: Add your domains, confirm RUA receipt and invite stakeholders to dashboards.
  3. Inventory senders: Use the automatic sender discovery and export CSV to confirm with marketing, finance and HR.
Screenshot — DMARC record example (DMARC record builder)

2. Align SPF and DKIM for first-party services

Sprint 2
  1. SPF review: Confirm the domain’s SPF record includes include:spf.protection.outlook.com and stays under the 10-DNS-lookup limit.
  2. DKIM enablement: In Microsoft 365 Defender → Email authentication settings, generate the selector keys, publish the CNAMEs, then toggle signing on.
  3. Validation: Send test messages to dmarciq’s verification inbox to confirm SPF pass and DKIM alignment.
Screenshot — Microsoft 365 DKIM selector panel

3. Third-party sender alignment

Sprint 3
  1. Prioritise high-volume services: Marketing automation, ticketing, CRM and ERP platforms.
  2. Share templates: Provide vendors with the security assurance letter and CSV export to confirm SPF/DKIM settings.
  3. Add monitoring gates: Create alerts in dmarciq for any fail or forwarder detections while policies remain at p=none.
Screenshot — dmarciq sender alignment dashboard

4. Enforce policies safely

Sprint 4
  1. Policy progression: Shift to pct=50; p=quarantine for two reporting cycles, then raise to pct=100.
  2. Escalation playbook: Route false positives via Microsoft 365 transport rules to a quarantine review inbox.
  3. Move to reject: Update DMARC to p=reject once unauthenticated traffic is below 1% for 14 days.
Screenshot — Policy progression timeline
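An added example (not from this guide or from dmarciq) that parses and validates a DMARC TXT record, then applies the sprint-4 gates above to suggest the next record to publish. The per-day failure rates and the number of reporting cycles spent at the current setting are assumed inputs you would take from your aggregate reports.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict and validate the tags this rollout relies on."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part.strip()!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag or receivers ignore the record entirely
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = str(pct)
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not any(u.startswith("mailto:") for u in rua):
        raise ValueError("rua= needs a mailto: URI or aggregate reports never arrive")
    return tags

def next_record(tags: dict, daily_fail_rates: list, cycles_at_current: int) -> str:
    """Suggest the next record using the sprint-4 gates (assumed inputs: daily_fail_rates is
    the share of unauthenticated mail per day from aggregate reports, cycles_at_current the
    reporting cycles already spent at the current p/pct)."""
    p, pct, rua = tags["p"], int(tags["pct"]), tags["rua"]
    recent = daily_fail_rates[-14:]
    # reject gate: 14 consecutive days with unauthenticated traffic below 1%
    reject_ready = len(recent) == 14 and all(rate < 0.01 for rate in recent)
    if p == "none":
        return f"v=DMARC1; p=quarantine; pct=50; rua={rua}"
    if p == "quarantine" and pct < 100:
        if cycles_at_current < 2:            # hold pct=50 for two reporting cycles
            return f"v=DMARC1; p=quarantine; pct={pct}; rua={rua}"
        return f"v=DMARC1; p=quarantine; pct=100; rua={rua}"
    if p == "quarantine" and reject_ready:
        return f"v=DMARC1; p=reject; pct=100; rua={rua}"
    return f"v=DMARC1; p={p}; pct={pct}; rua={rua}"   # gate not met: keep current policy
```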

Troubleshooting

SPF lookup limit reached

Flatten unnecessary include: statements, consolidate via dmarciq’s optimiser and remove unused vendors.

DKIM selector mismatch

Verify the selector1._domainkey CNAME is published with a trailing dot and wait for DNS propagation before testing.

Forwarder causing fail

Enable ARC for the specific route or allowlist it via dmarciq’s forwarder detection module.

Reports not arriving

Confirm mailbox size limits, allowlist reporting hosts and ensure DMARC record contains the correct mailto: URI.
