"If you use Microsoft 365 as your email solution, you don’t have to do anything to set up DMARC for incoming mail."

This isn't entirely true. Microsoft will not honor a DMARC reject policy for incoming mail, so malicious mails that fail DMARC might just end up in your inbox, junk folder or quarantine. Also see https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#how-microsoft-365-handles-inbound-email-that-fails-dmarc

Improvements are on the way: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-protection-and-sender-dmarc-policies

But I haven't seen it yet in my tenant. It's a good idea to reject mail that fails DMARC and comes from a domain with a reject policy, either by using the option in preview or by enabling a custom mail flow rule.

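The two options the comment above mentions, as an added Exchange Online PowerShell example (not the commenter's own configuration). It assumes the Exchange Online Management module is installed and an account with Exchange admin rights; the `Set-AntiPhishPolicy` DMARC parameters are the names the setting shipped with after its preview and may not exist in a tenant that does not have the feature yet, and the rule name and reject text are placeholders.

```powershell
# Added example, not from the comment above. Assumes the Exchange Online
# Management module is installed and the account has Exchange admin rights.
Connect-ExchangeOnline

# Option 1: the anti-phishing policy setting the comment calls "in preview".
# Parameter names are those of Set-AntiPhishPolicy after the feature shipped;
# confirm with Get-Help Set-AntiPhishPolicy -Parameter *Dmarc* before using them.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -HonorDmarcPolicy $true `
    -DmarcRejectAction Reject `
    -DmarcQuarantineAction Quarantine

# Option 2: a custom mail flow (transport) rule. EOP stamps its own
# Authentication-Results header on inbound mail; when the sender's DMARC policy
# is p=reject and the message fails, that header carries
# "dmarc=fail action=oreject" (o = override, i.e. EOP did not reject).
# The rule matches that marker and rejects the message with a 5.7.1 NDR.
# Start in Audit mode so you can review what it would have hit.
New-TransportRule -Name "Reject DMARC fail from p=reject domains" `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "dmarc=fail action=oreject" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Message rejected: failed DMARC and the sending domain publishes p=reject." `
    -Mode Audit `
    -Comments "Audit first; switch to -Mode Enforce after reviewing message trace results."

# Review the rule before enforcing it
Get-TransportRule "Reject DMARC fail from p=reject domains" |
    Format-List Name, Mode, State, HeaderContainsMessageHeader, HeaderContainsWords
```

Run the rule in Audit mode for a while and check message trace for matches before switching to `Set-TransportRule ... -Mode Enforce`: forwarded or mailing-list traffic from p=reject domains can legitimately fail DMARC, and those senders are the usual candidates for an exception on the rule.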

Need help setting up DMARC for your custom domain so you can utilize Microsoft 365's built-in DMARC protection? Visit the Microsoft Intelligent Security Association (MISA) catalog to view third-party vendors offering DMARC reporting for Microsoft 365: https://www.microsoft.com/misapartnercatalog?IntegratedProducts=DMARCReportingforOffice365
