Skip to main content

DMARC records for Microsoft email accounts

How to set up a DMARC record to improve email deliverability for Microsoft email accounts

Written by Trevor

Microsoft requires high-volume senders to authenticate their mail with SPF, DKIM, and DMARC records. Even if you send far less than that, adding a DMARC record protects your domain's reputation and helps your emails land in the inbox instead of the spam folder.


Microsoft email authentication overview

Microsoft requires high-volume senders (those sending more than 5,000 emails per day) to comply with three email authentication protocols:

  • SPF (Sender Policy Framework): must pass for the sending domain

  • DKIM (DomainKeys Identified Mail): must pass to validate email integrity

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): must be set to at least p=none and align with either SPF or DKIM

Non-compliant messages from high-volume senders are rejected with the error: 550; 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level.

This article focuses on DMARC. For SPF and DKIM, see how to set up SPF and DKIM records.

These requirements primarily target high-volume senders, but the underlying practices benefit every sender by improving deliverability and protecting your domain's reputation.


Understanding DMARC

DMARC builds on SPF and DKIM to add another layer of email authentication. If you haven't set those up yet, see how to set up SPF and DKIM records first. Where SPF and DKIM verify that a message is authorized to be sent from your domain, DMARC tells receiving email servers what to do when a message fails those authentication checks.

A DMARC record includes a policy set to one of three values:

  • p=none: monitor only, so mail is still delivered normally, but reports are generated

  • p=quarantine: suspicious mail is sent to spam or junk folders

  • p=reject: failing mail is rejected entirely


Setting up your DMARC record

DMARC records are added to your domain's DNS settings as a TXT record, at your domain registrar or DNS provider, not in Dubsado. The basic format is:

  • Name/Host: _dmarc.yourdomain.com

  • Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

DMARC is configured entirely at your domain registrar or DNS provider. Dubsado doesn't host DMARC records, and there's no DMARC setting inside Dubsado.

DMARC policy recommendations

Roll out DMARC gradually so you don't risk your own mail delivery while you get authentication right.

  • Start with p=none: begin with a monitoring-only policy so you can understand your sending patterns without affecting delivery.

  • Gradually increase strictness: once you've confirmed your legitimate email sources are properly authenticated, move to p=quarantine and eventually p=reject for stronger protection.

  • Include reporting: the rua parameter sets where aggregate reports are sent. These reports show you who's sending mail from your domain and help you spot potential security issues.

DMARC alignment

For DMARC to pass, the "From" domain in your email must align with the domain used by either SPF or DKIM, preferably both. This alignment stops bad actors from exploiting your domain name even if they manage to pass SPF or DKIM checks on their own.


Additional best practices

Beyond DMARC, Microsoft recommends a few broader sending practices:

  • Use compliant sender addresses that can receive replies

  • Provide functional unsubscribe links for marketing emails

  • Regularly remove invalid email addresses from your lists

  • Use accurate subject lines and transparent mailing practices

For questions specific to configuring DNS records, contact your domain registrar or DNS provider. For help with email deliverability in Dubsado, reach out to Customer Care.


FAQ

Do I need to set up DMARC if I send fewer than 5,000 emails per day?

Microsoft's enforcement currently targets only high-volume senders (5,000+ emails per day), but DMARC is worth setting up no matter your volume. It improves deliverability and reputation, protects against domain spoofing and phishing, builds credibility with email providers, and prepares your domain for any future requirements. Most Dubsado users send well below the daily threshold, but a basic p=none record is a simple, low-risk step.

Did this answer your question?