Forum Discussion
Why doesn't O365 produce DMARC reporting?
Hi Scott,
This has been asked for a very long time - I had customers as far back as 2012 asking for it when I started doing large scale migrations to Office 365. As expected there is a Uservoice open for it.
https://office365.uservoice.com/forums/264636-general/suggestions/11094318-dmarc-aggregate-reports-from-o365-domains
When Microsoft themselves implemented DMARC they used Agari for the reports. There was quite a well known blog series by Terry Zink on it at the time. Whilst they ended up introducing DKIM into the EOP service on top of SPF and began using DMARC - even to the point of instructing how to put together a DMARC record and tightening it over time, they never got involved in the reporting side of things. Agari was usually recommended for enterprise size clients whilst DMARCIAN was recommended for SMB.
They never explained exactly they never got into DMARC reporting. I guess this is something to vote for on the Uservoice to try and push it to their attention. It would make complete sense - and even more to analyse that in Power BI.
Hope I have answered your question.
Best, Chris
Valimail is a reporting tool (similar to something like Dmarcian), this doesn't address the issue of Microsoft not sending DMARC reports.
For example I run HelpScout as a help desk for one business, DKIM, SPF and DMARC are all configured. I can see that Google, Yahoo, etc. are receiving emails from Helpscout and they are passing and domain aligned. Great.
But then a customer tells me the emails are going to his junk folder, I check and he is on Office365...
I have no visibility from Microsoft servers if they are happy with the email authentication or not. I assume they are, but I have no idea. I also have no idea if anyone is trying to spoof our domain to Office365 users.
The same problem if I am helping other clients not on Office365 with their deliverability...
I just don't understand why Microsoft wouldn't comply with the DMARC reporting like all the othe big providers?
Mark Penney
"Valimail is a reporting tool (similar to something like Dmarcian), this doesn't address the issue of Microsoft not sending DMARC reports. "
This seems odd, as Microsoft promotes this service and Valimail says it completes O365. And their service is free specially for O365 customers!
Just made an account with them, waiting for any data to appear to the dashboard.
If this works, it tells that MS is letting the reports to certain partners, but not all. Then we might discuss about visibility and equality....
- Does anybody know of any updates to this thread with respect to Office365 sending out aggregate DMARC reports ?
dolce-anthonyhave you seen this - https://www.microsoft.com/security/blog/2021/09/01/get-free-dmarc-visibility-with-valimail-authenticate-and-microsoft-office-365/ "September 1, 2021 Get free DMARC visibility with Valimail Authenticate and Microsoft Office 365"
- Unfortunately this isn't quite what we are discussing here. The issues is that Microsoft as an ESP is not sending DMARC reports as per senders DMARC record. This is useful so you can tell if you are running into problems with authentication when sending to Microsoft, and to see if people are trying to spoof your domain sending to Microsoft.
What you are talking about is just MS365 customers and of limited scope.