EMR88
Nov 07, 2024 Copper Contributor
DMARC Issues
I am using Microsoft 365 Business email (Exchange) online. I have created the following TXT record for _dmarc:
v=DMARC1; p=quarantine; pct=100; rua=mailto:email address removed for privacy reasons; ruf=email address removed for privacy reasons
I keep on receiving reports that there are failures with my DMARC record. Any idea how to fix this? Sample XML error report below:
<?xml version="1.0"?>
<feedback xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<version>1.0</version>
<report_metadata>
<org_name>Enterprise Outlook</org_name>
<email>email address removed for privacy reasons</email>
<report_id>640f326a62f640e4815e84e6f0020d9c</report_id>
<date_range>
<begin>1730764800</begin>
<end>1730851200</end>
</date_range>
</report_metadata>
<policy_published>
<domain>z.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
<fo>0</fo>
</policy_published>
<record>
<row>
<source_ip>40.107.96.92</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<envelope_to>b.net</envelope_to>
<envelope_from>z.com</envelope_from>
<header_from>z.com</header_from>
</identifiers>
<auth_results>
Thanks!!!!
- Mks_1973 Iron Contributor
Check SPF Record ( v=spf1 include:spf.protection.outlook.com -all )
Please ensure that this SPF record is published in your DNS records for the domain you’re using with Microsoft 365
Check and Enable DKIM Signing in Microsoft 365 (Without DKIM enabled, emails from your domain may fail DMARC checks)
Enable DKIM:
Go to the Microsoft 365 Defender portal at https://security.microsoft.com.
Select Email & collaboration > Policies & rules > Threat policies.
Under Policies, choose DKIM.
Select your domain and enable DKIM signing.
Enabling DKIM in Microsoft 365 may require you to add additional CNAME records to your DNS configuration.
Your DMARC record is set to p=quarantine, which tells receiving servers to quarantine messages that fail DMARC checks. However, the XML report shows p=none for the policy published, which could indicate a discrepancy or that some servers aren’t interpreting your quarantine policy correctly. Confirm that your DMARC TXT record is correctly published.
DMARC record sample: v=DMARC1; p=quarantine; pct=100; rua=mailto:email address removed for privacy reasons; ruf=mailto:email address removed for privacy reasons
Remember, after making changes to SPF, DKIM, or DMARC records, it may take some time for DNS records to propagate. You can verify DNS records using tools like MXToolbox or DMARC Analyzer.
If you’re not receiving DMARC reports as expected, confirm that the rua and ruf emails specified in your DMARC record are correct and that your email server is not blocking these reports.
- bwestnedge Copper Contributor
Hi, there isn't a problem with your DMARC record, or you wouldn't have received the DMARC report.
The DMARC report is saying that your message failed both SPF and DKIM.
The DMARC report seems to indicate that your DMARC policy is "none", but I would definitely roll back from quarantine to none, if you haven't already, until you fix the issue, and refer to https://learn.microsoft.com/en-us/defender-office-365/email-authentication-about for more info. It is worth taking a look at this:
Announcing New DMARC Policy Handling Defaults for Enhanced Email Security | Microsoft Community Hub
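An added example, not part of any post in this thread: a short Python check for the two things the replies read off the aggregate report, namely the policy the receiver saw versus the one intended, and rows where both DKIM and SPF failed. The sample report and TXT value are constructed (modelled on the thread's report, with a placeholder rua address), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
# Reports arrive by mail from third parties; for untrusted input prefer a
# hardened parser such as defusedxml over the standard-library one used here.

# Constructed sample modelled on the report quoted in the thread; <auth_results>
# is left out because the thread's copy is cut off at that element.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>z.com</domain><p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row>
      <source_ip>40.107.96.92</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><envelope_from>z.com</envelope_from><header_from>z.com</header_from></identifiers>
  </record>
</feedback>"""

# Constructed TXT value; the reporting address is a placeholder.
SAMPLE_TXT = "v=DMARC1; p=quarantine; pct=100; rua=mailto:reports@example.invalid"


def parse_dmarc_txt(txt):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def review_report(report_xml, expected_txt):
    """Return findings: policy mismatch plus rows where DKIM and SPF both fail."""
    root = ET.fromstring(report_xml)
    findings = []
    expected_p = parse_dmarc_txt(expected_txt).get("p")
    seen_p = root.findtext("policy_published/p")
    if seen_p != expected_p:
        findings.append(f"policy mismatch: receiver saw p={seen_p}, expected p={expected_p}")
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        # policy_evaluated holds the aligned results; DMARC passes if either is "pass".
        if dkim != "pass" and spf != "pass":
            findings.append(
                f"{rec.findtext('row/source_ip')} x{rec.findtext('row/count')}: "
                f"dkim={dkim} spf={spf} header_from={rec.findtext('identifiers/header_from')}"
            )
    return findings
```

A policy mismatch finding means the receiver read a different `p=` value from DNS than the one intended, so the published `_dmarc` TXT record is the first thing to re-check.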