How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains
The best practice for email domain security is to protect your domains from spoofing with Domain-based Message Authentication, Reporting, and Conformance (DMARC). If you haven't already enabled DMARC for your domains, that should be the first step, detailed here: Domain-based Message Authentication, Reporting, and Conformance (DMARC)
This guide helps you configure DMARC for domains not covered by the main DMARC article. These are domains that you're not using for email, but that attackers could leverage if they remain unprotected:
- Your onmicrosoft.com domain, also known as the Microsoft Online Email Routing Address (MOERA) domain.
- Parked custom domains that you're not currently using for email.
What you'll need
- Access to the Microsoft 365 admin center and to the DNS provider hosting your domains.
- Sufficient permissions as Global Admin to make the appropriate changes in the Microsoft 365 admin center.
- 10 minutes to complete the steps in this article.
Activate DMARC for MOERA Domain
- Open the Microsoft 365 admin center at https://admin.microsoft.com.
- On the left-hand navigation, select Show All.
- Expand Settings and press Domains.
- Select your tenant domain (for example, contoso.onmicrosoft.com).
- On the page that loads, select DNS records.
- Select + Add record.
- A flyout will appear on the right. Ensure that the selected Type is TXT (Text).
- Add _dmarc as TXT name.
- Add your specific DMARC value.
- Press Save.
Activate DMARC for parked domains
- Check if SPF is already configured for your parked domain. For instructions, see Set up SPF to help prevent spoofing - Office 365 | Microsoft Docs
- Contact your DNS Domain provider.
- Ask to add this DMARC TXT record with your appropriate email addresses:
v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com
Wait until the DNS changes have propagated, then try to spoof the configured domains. Check that the attempt is blocked based on the DMARC record and that you receive a DMARC report.
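A check to run on the TXT value before the spoofing test, as an added example that is not part of the original article: it validates the tags used above and lists the authorization records that RFC 7489 section 7.1 requires when rua/ruf point outside the protected domain (without them, receivers ignore the report address). The function names are hypothetical and the "external" test is a simplification that skips the Public Suffix List.

```python
"""Check a DMARC TXT value for a parked or MOERA domain (added example)."""

def parse_dmarc(txt):
    """Split an RFC 7489 tag list ("k=v; k=v") into an ordered list of pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def check_dmarc(policy_domain, txt):
    """Return (problems, external_auth_names) for a domain that sends no mail."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    problems, external = [], []
    dom = policy_domain.lower()
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() != "reject":
        problems.append("p is not reject")
    if "rua" not in tags:
        problems.append("no rua address, so no aggregate reports")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag}: {uri!r} is not a mailto: address")
                continue
            # Drop an optional "!10m" size suffix after the address.
            host = uri.rsplit("@", 1)[1].split("!")[0].lower()
            if host.endswith("."):
                problems.append(f"{tag}: {uri!r} ends with '.', likely pasted punctuation")
                host = host.rstrip(".")
            # Simplification (assumption): RFC 7489 compares Organizational
            # Domains; here any host outside the policy domain is external.
            if host != dom and not host.endswith("." + dom):
                name = f"{dom}._report._dmarc.{host}"
                if name not in external:
                    external.append(name)
    return problems, external

# Constructed sample: the record shown above with a sentence-ending period
# left on, as happens when the value is pasted from running text.
SAMPLE = ("v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org;"
          "ruf=mailto:email@example.com.")

if __name__ == "__main__":
    problems, external = check_dmarc("contoso.onmicrosoft.com", SAMPLE)
    print("problems:", problems)
    print("TXT 'v=DMARC1' needed at:", external)
```

Each name in the second list must resolve to a TXT record containing v=DMARC1 in the report-receiving domain's DNS zone.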