Office 365 + DMARC: Best Practices for Protecting Your Company & Customers From Phishing Attacks

In 2021, Gartner includes DMARC, or known by its full name as Domain-based Message Authentication, Reporting & Conformance, in its list of top 10 security projects. With very few exceptions, the best way for organizations to prevent getting impersonated in email attacks is to integrate DMARC into their Office 365-based email ecosystems.

To understand why, let’s consider the benefits of deploying DMARC within Office 365 environments, and tips for success when deploying DMARC for your organization.

Outbound Email: Why O365 is Better with DMARC

CISCO’s 2021 Cybersecurity Threat Trends report suggested phishing accounts for around 90% of data breaches. And when these scams contribute to a data breach, the cost to US businesses now averages $4.35 million in 2022 per incident, up 2.6% from 2021 according to IBM’s latest Cost of a Data Breach report.

DMARC is designed to prevent that. DMARC is an email authentication standard that works as a policy layer for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help email receiving systems recognize when an email hasn’t been authorized by the company owning the “From:” header domain. DMARC provides instructions to email receiving systems on how to safely dispose of these unauthorized messages.

Its most aggressive enforcement policy is reject (p=reject), which means that email messages that do not pass DMARC authentication will be blocked from ever reaching their intended recipients. Less rigid policy settings include quarantine (p=quarantine), which places those emails in the spam folder, and monitor only (p=none), which allows organizations to monitor how their domain is being spoofed by themselves, but does not protect the recipients of those emails.

DMARC is already part of the robust security controls built into O365, so you have ample protection against most inbound phishing and spam attacks. In fact, you don’t have to do anything to implement DMARC for email that you receive within Office 365. What’s more, if you don’t use a custom domain for outbound email, but instead use the standard onmicrosoft.com subdomain, you don’t need to do anything else to configure or implement DMARC on your Office 365 tenant.

However, if you have configured your Office 365 tenant to use a custom domain (ex: yourcompany.com), or if you use any third parties to send a portion of your email, such as SendGrid, MailChimp, Salesforce, Marketo or others, you’ll want to implement DMARC yourself. But how do you get started on DMARC in your Office 365 environment? Agari shares some good practices, even better practices, and the best thing you can do to get the most out of your DMARC deployment.

How to Set Up DMARC for Office 365

Agari recommends a multi-step plan for DMARC implementation. Execution for each step should start with a single subdomain, then proceed to other subdomains, and finally finish with the top-level domain in the organization, before moving to the next step.

• Step 1: Create a DMARC Record. Agari’s DMARC Setup Tool will allow you to easily create the required TXT record. It should look something like this example: V=DMARC1; p=none; rua=mailto:dmarc-feedback@

[This example record instructs receiver systems to generate and send aggregate feedback to “dmarc-feedback@” your domain. The p=none tag indicates you are only interested in collecting feedback. Alternatively, you could use p=quarantine, or p=reject tags for emails that fail authentication.]

• Step 2: In your DNS, follow these DMARC setup steps to create a DNS TXT record. Log into the management console of your DNS hosting provider, and while this can vary by provider, you want to locate the page that allows you to add a DNS TXT record.
• Step 3: In the Type box, select “TXT Record Type”.
• Step 4: In the Host Value box, enter _dmarc as the “host”.
• Step 5: In the TXT Value box, enter the record you created using the DMARC Record Creator.
• Step 6: Save the DMARC record.
• Step 7: Validate the DMARC setup. You can use Agari’s DMARC Setup Tool to verify that DMARC has been set up correctly.

Good: Employ Best Practices When Deploying DMARC for Office 365

Using a phased deployment when implementing DMARC is safer and ensures that you don’t impact the rest of your email flow, especially for large companies with a large number of domains spanning divisions, departments, and third-party senders. Agari’s best practices for implementing DMARC include:

1. Monitor the impact first. For large organizations setting up DMARC on numerous domains, we advise starting with a simple monitoring-mode record. A monitoring-mode record is a DMARC TXT record that has its policy set to p=none. Many companies publish a DMARC TXT record this way because they’re unsure about how much email they may lose by publishing a more restrictive DMARC policy, and this allows them to monitor the impact before making edits.
    
2. Include SPF and DKIM standards in your plans. Remember that you won’t be able to safely quarantine or reject mail with DMARC unless you implement SPF and DKIM on all legitimate sources of email. Your DMARC reports will show you all of the hosts sending email on behalf of your domain. Once you have successfully implemented SPF and DKIM on the legitimate mail sources, the fraudulent messages will be conspicuous because they will fail DMARC and will originate from servers that don’t belong to you or any of your authorized senders.
    
3. Request that external mail systems quarantine any mail that fails DMARC. When you believe that most of your legitimate traffic is protected by SPF and DKIM and you understand the impact of implementing DMARC, you can implement a quarantine policy. By doing this, you are asking DMARC receivers to put messages from your domain that fail DMARC into the local equivalent of a spam folder instead of your customers’ inboxes.
    
4. Dictate that external mail systems don’t accept messages that fail DMARC. When you feel confident that your legitimate mail is fully authenticated, the final step is implementing a reject policy. When you do this, you’re asking DMARC receivers not to accept messages that fail the DMARC checks. This is the final and most effective way to secure your domain, as it prevents any illegitimate emails from reaching your end users.

When implementing DMARC for multiple domains, it’s important to remember that DMARC records are hierarchical. This can be useful, as you may be able to specify a smaller number of high-level DMARC records for wider coverage. However, care should be taken when configuring explicit subdomain DMARC records where you do not want the subdomains to inherit the top-level domain’s DMARC record.

Better: Use the DMARC Solution Microsoft Trusts

While deploying DMARC on a single domain is relatively simple, a large-scale implementation is fraught with complexity. Given that Agari was at the helm of the birth of the DMARC standard (our founder was one of its original authors!), Agari pioneered DMARC deployments, and has driven scale and efficiency in implementations for our customers, including many Global 2000 companies!

That’s why you might want to consider a solution like Agari DMARC Protection, which simplifies the challenges associated with implementing DMARC in Office 365-based email environments and has been shown to drive spoofed messages from your domain to near-zero levels almost instantly. In fact, Microsoft selected Agari to protect its own email, and what could be better than the product Microsoft trusts itself to protect a brand estimated to be worth hundreds of billions of dollars?

Best: Deploy Azure Sentinel and Microsoft Graph Security API with Agari

As fraud actors continue to refine evasion and obfuscation techniques, enterprises can no longer depend on siloed and fragmented point products to effectively protect their employees, customers, suppliers, and partners. Azure Sentinel, the world’s first cloud-native SIEM/SOAR/UEBA platform from a major cloud service provider, is at the forefront of a secular trend of consolidation and integration into the cybersecurity stack.

DMARC is not an island, but rather a critical component of an integrated security strategy. Agari DMARC Protection, along with two other solutions from Agari, integrates seamlessly with Azure Sentinel to share threat intelligence. Cloud Email Protection is a highly specialized, complementary solution to Defender for Office 365 that uses ML/AI techniques to detect and remediate sophisticated identity-based threats, such as spear phishing, business email compromise (BEC), vendor email compromise (VEC) and account takeover-based attacks. Additionally, Agari Phishing Response is a turnkey solution that automates the process of phishing response, remediation, and breach containment.

In addition, Agari’s specialized Data Connector for Sentinel allows customers to ingest logs from Agari DMARC Protection and Cloud Email Protection to detect, correlate, and remediate threats more effectively. The data connector comes with sample queries that inform the creation of additional Azure Sentinel analytics, workbooks, and workflows around insights such as attack types, policy hits, and the most attacked users. In addition, customers using the federated model of Microsoft Graph Security API can benefit from investigation IOCs shared by Agari Phishing Response and malicious domains or URLs reported by Agari DMARC Protection in their quest to triage and isolate threats more effectively.

In summary, an integrated security architecture that encompasses Agari solutions with Defender for Office 365, Azure Sentinel, and Microsoft Graph Security API allows organizations to leverage the rich visibility from email security as the first line of defense to reduce attack surface, strengthen core defenses, and enhance overall security posture.