Best practice for domain email security protection is to protect yourself from spoofing using Domain-based Message Authentication, Reporting, and Conformance (DMARC). Enabling DMARC for your domains should be the first step as described here: Set up DMARC to validate the From address domain for cloud senders
This guide is designed to help you configure DMARC for domains not covered by the main DMARC article. These domains include domains that you're not using for email, but could be used by attackers if they remain unprotected:
- Your onmicrosoft.com domain, also known as the Microsoft Online Email Routing Address (MOERA) domain.
- Parked custom domains that you're currently not using for email yet.
What you need
- Microsoft 365 admin center and access to your DNS provider hosting your domains.
- Sufficient permissions as a Global Administrator* to make the appropriate changes in the Microsoft 365 admin center.
- 10 minutes to complete the steps in this article.
Important
* Microsoft strongly advocates for the principle of least privilege. Assigning accounts only the minimum permissions necessary to perform their tasks helps reduce security risks and strengthens your organization's overall protection. Global Administrator is a highly privileged role that you should limit to emergency scenarios or when you can't use a different role.
Activate DMARC for MOERA Domain
- Open the Microsoft 365 admin center at https://admin.microsoft.com.
- On the left-hand navigation, select Show All.
- Expand Settings and press Domains.
- Select your tenant domain (for example, contoso.onmicrosoft.com).
- On the page that loads, select DNS records.
- Select + Add record.
- A flyout opens. Ensure that the selected Type is TXT (Text).
- Add _dmarc as TXT name.
- Add your specific DMARC value. For more information, see Syntax for DMARC TXT records.
- Press Save.
Activate DMARC for parked domains
- Check if SPF is already configured for your parked domain. For instructions, see SPF TXT records for custom cloud domains.
- Contact your DNS Domain provider.
- Ask to add this DMARC TXT record with your appropriate email addresses:
v=DMARC1; p=reject; rua=mailto:d@rua.contoso.com;ruf=mailto:d@ruf.contoso.com.
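Before handing the value to the DNS provider, it can be linted offline, because receivers discard a record that does not start with `v=DMARC1`. The following Python check is an added example, not Microsoft's code; the function names and the domain `parked.example` are assumptions, and it goes beyond the article by listing the external report authorization records that RFC 7489 section 7.1 requires when reports go to another domain.

```python
# Added example, not from the original article. Function names and the
# domain "parked.example" are assumptions; SAMPLE is the article's record.
SAMPLE = "v=DMARC1; p=reject; rua=mailto:d@rua.contoso.com;ruf=mailto:d@ruf.contoso.com"

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, sep, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip() if sep else None))
    return pairs

def report_uris(tags, tag):
    """Return the comma-separated URIs of a rua/ruf tag, without blanks."""
    return [u.strip() for u in (tags.get(tag) or "").split(",") if u.strip()]

def audit_parked(txt):
    """Return findings for a domain that sends no mail; [] means the value is fine."""
    pairs = parse_dmarc(txt)
    tags, findings = dict(pairs), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1 or receivers discard it")
    if (tags.get("p") or "").lower() != "reject":
        findings.append("p is not reject")
    if "sp" in tags and (tags["sp"] or "").lower() != "reject":
        findings.append("sp weakens the policy for subdomains")
    if tags.get("pct", "100") != "100":
        findings.append("pct is not 100, so the policy covers only part of the mail")
    if not report_uris(tags, "rua"):
        findings.append("no rua address, so no aggregate reports arrive")
    for tag in ("rua", "ruf"):
        findings += [f"{tag} entry is not a mailto: URI: {u}"
                     for u in report_uris(tags, tag) if not u.lower().startswith("mailto:")]
    return findings

def external_report_records(domain, txt):
    """TXT names the report-receiving domains must publish (RFC 7489, section 7.1)."""
    tags, names = dict(parse_dmarc(txt)), set()
    for tag in ("rua", "ruf"):
        for uri in report_uris(tags, tag):
            host = uri.split("!")[0].rpartition("@")[2].lower()
            # Simplification: the RFC compares Organizational Domains (needs a
            # public suffix list); this only accepts the same name or a subdomain.
            if host != domain and not host.endswith("." + domain):
                names.add(f"{domain}._report._dmarc.{host}")
    return sorted(names)

if __name__ == "__main__":
    print(audit_parked(SAMPLE), external_report_records("parked.example", SAMPLE))
```

Each name returned by `external_report_records` needs a TXT record with the value `v=DMARC1` in the receiving domain's zone, otherwise receivers may not send reports to that address.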
Next Steps
Wait until the DNS changes are propagated and try to spoof the configured domains. Check if the attempt is blocked based on the DMARC record, and that you receive a DMARC report.
More Information
Set up SPF to identify valid email sources for your custom cloud domains.
Set up DMARC to validate the From address domain for cloud senders.