Protect your domain with DMARC

When you set up your O365 tenant, Microsoft reserved a domain for you (you may have forgotten about it if it has been a while):

  • (MOERA - Microsoft Online Email Routing Address).

For instance, at Oppidum Security:

Your users can therefore receive e-mails on their addresses:


However, you probably don't use this domain to send email. Nevertheless, just like your defensive domains, you can protect it with DMARC by setting up a DMARC record:

  1. Open the Microsoft 365 admin center at
  2. On the left-hand navigation, select Show All.
  3. Expand Settings and press Domains.
  4. Select your tenant domain (for example,
  5. On the page that loads, select DNS records.
  6. Select + Add record.
  7. A flyout will appear on the right. Ensure that the selected Type is TXT (Text).
  8. Add _dmarc as TXT name.
  9. Add your specific DMARC value.
  10. Press Save.

For example, to monitor and protect our domain against spoofing of its email addresses, below is the DMARC record we have configured:


After the DMARC policy has been set to restrictive mode, an email spoofing a address is automatically sent to the spam folder of our collaborators (other actions are possible, such as rejecting the email).
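
A check that can be run on the value before it is pasted in at step 9, as an added example that is not part of the original article: it parses a DMARC TXT value and reports whether the policy is monitoring-only (`p=none`) or restrictive (`p=quarantine`, which sends failing mail to spam, or `p=reject`). The function names and the sample records using example.com are constructed for illustration.

```python
# Added example: function names and sample records are constructed.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT value ("tag=value; tag=value") into an ordered dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ";" is allowed
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def review_dmarc(txt):
    """Return (mode, findings); mode is 'monitoring', 'restrictive' or 'invalid'."""
    tags = parse_dmarc(txt)
    # RFC 7489: v=DMARC1 must be the first tag, and p= is required.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return "invalid", ["record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", [f"missing or unknown p= value: {policy!r}"]
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdecimal() or int(pct) > 100:
        return "invalid", [f"pct must be 0-100, got {pct!r}"]

    findings = []
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua= address: no aggregate reports to monitor")
    elif any(not u.lower().startswith("mailto:") for u in uris):
        findings.append("rua= contains a URI that is not mailto:")
    if policy != "none" and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    return ("monitoring" if policy == "none" else "restrictive"), findings


if __name__ == "__main__":
    for record in (  # constructed sample values
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        "v=DMARC1; p=quarantine; pct=50",
        "p=reject; v=DMARC1",
    ):
        print(record, "->", review_dmarc(record))
```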
