DMARC isn’t hard. It’s just not obvious.
It's is a powerful tool for preventing domain spoofing and phishing...but implementing it in Microsoft 365 isn't as simple as flipping a switch. Below are the real-world challenges M365 admins face, drawn from messy inboxes, broken marketing emails, and late-night support tickets.
1. DKIM Isn't Automatic for Your Domain
Just because you're using Microsoft 365 doesn't mean DKIM is working. Microsoft only auto-signs messages from its onmicrosoft.com domain. For your custom domain, you need to manually publish DKIM CNAME records and enable signing in the Defender portal or via PowerShell. Most admins don't realize this until DMARC reports start showing failures.
Microsoft tip: If both DKIM and SPF pass (and align), Microsoft gives priority to DKIM when evaluating DMARC. It's more resilient to relays and forwarding, and worth getting right first.
Quick fix: In the Microsoft 365 Defender portal, go to Defender portal → Email & collaboration → Policies & rules → Threat policies → DKIM and publish the required CNAME records (selector 1/2) to your public DNS zone.
2. SPF Record Confusion (and Breakage)
Your SPF record needs to include spf.protection.outlook.com, but that gets forgotten when third-party senders (like CRMs or marketing tools) are added. Worse, admins often overwrite their SPF record instead of appending, breaking Microsoft's alignment in the process.
Quick fix: Your SPF record should look like: v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com ~all (adding other services as needed). Never have multiple SPF records, combine them into one.
3. DMARC Visibility? What Visibility?
Microsoft doesn't provide native DMARC dashboards, alerts, or analytics. If you're not parsing aggregate reports (RUA) with a third-party tool, you're flying blind. You won't know what's working or failing until angry users start asking why email is bouncing.
Quick fix: Start with a basic DMARC policy like v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com to collect reports. Look for DMARC management solutions (ahem...like Ironscales DMARC Management) that give you human-readable reports without all the parsing headaches, because nobody has time to decode XML files manually.
Microsoft's New Enforcement Reality
Microsoft began enforcing DMARC on May 5, 2025 (see announcement here) for domains sending 5,000+ messages/day to consumer Microsoft addresses (Outlook.com, Hotmail, Live.com).
Previously, Microsoft used "oreject" (override reject), a legacy behavior where failing messages went to Junk folders even with p=reject policies. That passive approach is dead and buried.
Today's reality: If a message fails both SPF and DKIM authentication, Microsoft immediately rejects it with:
550 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level.
The minimum bar: Microsoft requires at least p=none DMARC policy with SPF or DKIM alignment for bulk senders. If your authentication doesn't pass and align, your emails won't reach consumer Microsoft inboxes.
Note: 5,000 emails is easier to hit than you think: It's not just your marketing blasts. Count transactional emails (password resets, invoices), notification emails (alerts, reports), and emails sent by SaaS platforms on your behalf. A single campaign plus daily business operations can push you over the threshold.
4. SPF Lookup Limit Headaches
Microsoft's include statement (spf.protection.outlook.com) consumes several DNS lookups. Add a few more services, and you'll quickly hit the 10-lookup SPF limit. Suddenly, your perfectly valid sending sources are failing, and you're scrambling to flatten SPF records.
Huh? Did you ask "What's SPF Flattening"? I got you...
SPF flattening converts include: statements into direct IP address entries to reduce DNS lookups. Instead of your SPF record telling receiving servers to "go look up what IPs Salesforce uses," flattening lists those actual IP addresses directly in your record. It's a workaround for the 10-lookup limit that trades convenience for reduced DNS queries. If you want to learn more, we have a great in-depth article on SPF Flattening here.
How to flatten your SPF records manually:
- Identify your includes: List all
include: statements in your current SPF record
- Resolve each include: Use
nslookup or dig to find the actual IP addresses behind each include
dig txt spf.protection.outlook.com returns the IPs Microsoft usesdig txt _spf.salesforce.com shows Salesforce's current ranges
- Replace includes with IPs: Convert
include:_spf.salesforce.com to ip4:136.147.0.0/16 ip4:166.78.0.0/16 (example)
- Test your new record: Verify it doesn't exceed 10 lookups and validates correctly
The problem with this "fix"... IP addresses change, what works today breaks next month when a service updates their ranges.
The better approach...DMARC management services (like our service) automatically host and flatten your SPF records, updating IP ranges when providers change them, so you don't have to manually chase down every vendor's infrastructure changes.
5. SMTP Relay from Devices Causes Failures
Printers, scanners, and line-of-business apps that send email through Microsoft's SMTP server often fail SPF or DKIM. The fix? A properly authenticated connector and a licensed mailbox. But admins frequently miss this, and DMARC starts rejecting those messages.
Quick fix: Set up an application connector in Exchange Admin Center with proper authentication. Alternatively, use a service account with an assigned license and configure devices to authenticate via SMTP AUTH on port 587.
6. Shared Mailboxes Create Alignment Mysteries
Messages sent on behalf of shared or delegated mailboxes sometimes fail DKIM or SPF checks, even if technically valid. These quirks are hard to diagnose without deep header analysis, and they rarely show up until you move from monitoring to enforcement.
DMARC reminder: A message passes DMARC if either SPF or DKIM passes and aligns. Both don't need to work, just one. But if both fail, DMARC fails too.
Quick fix: Test shared mailbox scenarios during your p=none monitoring phase. Use message header analysis tools to verify that either SPF or DKIM shows "PASS" and proper alignment before moving to enforcement.
7. Subdomains Are an Easy Miss
DMARC applies to subdomains by default unless you override it. If your org uses alerts.company.com or events.company.com to send email, those need their own SPF/DKIM attention. Microsoft doesn't alert you to this (so it's easy to miss).
And if you're using strict alignment, a subdomain must match exactly. mail.example.com will not align with example.com.
Quick fix: Audit all subdomains that send email. Either configure SPF/DKIM for each subdomain, or create explicit DMARC policies for subdomains that don't send mail: v=DMARC1; p=reject;
8. DNS Delays and Bureaucracy Slow You Down
Implementing DMARC means frequent DNS updates, SPF, DKIM, DMARC, and even SPF flattening. But if your DNS is managed by a different team or a slow external provider, delays and change management friction can kill momentum fast.
Quick fix: Get DNS access or build a relationship with your DNS team early. Prepare all DNS changes in advance and batch them together. Consider automating DNS updates with an API-driven service if you have frequent changes.
9. No Support for Forensic (RUF) Reports
Microsoft 365 supports sending aggregate reports (RUA), but doesn't support forensic (RUF) reports that show you the actual content or headers of failed emails. If you're chasing down spoofing attempts or advanced threats, this is a major blind spot.
10. Fear of Breaking Email (and Getting Blamed)
The final move, from p=none to quarantine or reject is scary. Admins worry about blocking exec emails, invoices, or vendor replies. And let's be honest: when something breaks, the DMARC policy gets blamed before the real root cause is investigated.
It's like the reverse of "it's DNS, it's never DNS" except this time it's "it's DMARC, it's definitely DMARC" (even when it's actually a misconfigured connector or someone fat-fingering an SPF record).
Quick fix: Move gradually through policies (p=none → p=quarantine → p=reject) and use the pct= parameter to test with small percentages first (e.g., pct=10). Document your process and have a rollback plan ready. Seriously, document this stuff.
Yeah, so...that's my Top 10
DMARC isn't new, but Microsoft's enforcement posture makes it urgent, especially if you send bulk email to consumer Microsoft addresses (FWIW, I think they will be lowering that threshold from 5k to 2.5k or 1k sooner than folks think). The enforcement is live, and emails are already being rejected.
The TL;DR
- DKIM is not only kinda enabled by default in M365
- Microsoft now rejects failing DMARC (May 2025 update)
- SPF alignment is fragile if you hit the 10-lookup limit
- Visibility is key, p=none isn’t enough
- Forwarding, shared inboxes, devices = gotchas
The good news? You don't need to solve everything overnight. But you do need visibility, especially into which services are sending on your behalf and whether they pass and align.
Insert Shameless Plug Here
Of course, you can skip all the headaches (and my sketchy tips) by using our DMARC Protection service. We host your SPF, DKIM, DMARC, and BIMI records, flatten your SPF automatically, and you’ll never have to log into DNS again (or beg the DNS gatekeepers for “just one more change”).
You’ll also get real reporting like geo threat maps, dashboards, and forensics, not another pile of XMLs to decode.
You can learn more about it on our DMARC solution page, and you can take a self-guided product tour.
/Concentrix%20Case%20Study.webp?width=568&height=326&name=Concentrix%20Case%20Study.webp)
.webp?width=100&height=100&name=PXL_20220517_081122781%20(1).webp)
