
Protect your onmicrosoft.com domain with DMARC

December 29, 2022

When you set up your O365 tenant (you may have forgotten about it if it has been a while), Microsoft reserved a domain for you:

  • xxxx.onmicrosoft.com (MOERA - Microsoft Online Email Routing Address).

For instance, at Oppidum Security: oppidumsecurity.onmicrosoft.com

Your users can therefore receive e-mails at their addresses on this domain:

However, you probably don't use this domain to send email. Nevertheless, just like your defensive domains, you can protect it with DMARC by publishing a DMARC record:

  1. Open the Microsoft 365 admin center at https://admin.microsoft.com.
  2. On the left-hand navigation, select Show All.
  3. Expand Settings and press Domains.
  4. Select your tenant domain (for example, contoso.onmicrosoft.com).
  5. On the page that loads, select DNS records.
  6. Select + Add record.
  7. A flyout will appear on the right. Ensure that the selected Type is TXT (Text).
  8. Add _dmarc as TXT name.
  9. Add your specific DMARC value.
  10. Press Save.

For example, to monitor and protect our domain oppidumsecurity.onmicrosoft.com against spoofing of its email addresses, below is the DMARC record we have configured:

Once the DMARC policy has been set to restrictive mode, an email spoofing an xx@oppidumsecurity.com address is automatically sent to the spam folder of our collaborators (other actions are possible, such as rejecting the email).
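Before pasting the value in step 9, it is worth checking that the record you are about to publish at _dmarc.<tenant>.onmicrosoft.com is well-formed and actually enforces a restrictive policy (p=quarantine or p=reject) rather than p=none. The checker below is an added example, not the post's or Microsoft's code; the sample record and the report mailbox are constructed placeholders.

```python
"""Parse a DMARC TXT record and report anything that would weaken or void it."""

# Constructed sample record of the kind the post tells you to publish as the
# _dmarc TXT value; the rua= mailbox is a placeholder, not the author's value.
SAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"

# Policies that make receivers act on spoofed mail (spam folder / rejection).
RESTRICTIVE_POLICIES = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into an ordered dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means the record enforces protection."""
    findings = []
    tags = parse_dmarc(record)
    # v=DMARC1 must be the first tag and match exactly, or receivers ignore the record.
    first = next(iter(tags.items()), None)
    if first != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1 or it is ignored")
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing p= tag: no policy is applied")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in RESTRICTIVE_POLICIES:
        findings.append(f"unknown policy value: {policy}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: only part of the spoofed mail is acted on")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return findings


if __name__ == "__main__":
    print(assess_dmarc(SAMPLE_RECORD) or "record enforces a restrictive policy")
```

Run it against the value you intend to publish; any finding means spoofed mail from the tenant domain may still reach inboxes.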