Forum Discussion

Scott Brown's avatar
Scott Brown
Brass Contributor
Jan 16, 2019

Why doesn't O365 produce DMARC reporting?

Hi All,   We're working through DMARC for our org, and I'm trying to understand why O365 doesn't produce DMARC reporting for mail it receives - that can be consumed and analysed?   I've spoken to...
  • ChrisHoardMVP's avatar
    ChrisHoardMVP
    Jan 16, 2019

    Hi Scott,

    This has been asked for a very long time - I had customers as far back as 2012 asking for it when I started doing large scale migrations to Office 365. As expected there is a Uservoice open for it.

    https://office365.uservoice.com/forums/264636-general/suggestions/11094318-dmarc-aggregate-reports-from-o365-domains

    When Microsoft themselves implemented DMARC they used Agari for the reports. There was quite a well known blog series by Terry Zink on it at the time. Whilst they ended up introducing DKIM into the EOP service on top of SPF and began using DMARC - even to the point of instructing how to put together a DMARC record and tightening it over time, they never got involved in the reporting side of things. Agari was usually recommended for enterprise size clients whilst DMARCIAN was recommended for SMB.

    They never explained exactly they never got into DMARC reporting. I guess this is something to vote for on the Uservoice to try and push it to their attention. It would make complete sense - and even more to analyse that in Power BI.

    Hope I have answered your question.

    Best, Chris

PerttiS's avatar
PerttiS
Copper Contributor

Mark Penney 
"Valimail is a reporting tool (similar to something like Dmarcian), this doesn't address the issue of Microsoft not sending DMARC reports. "
This seems odd, as Microsoft promotes this service and Valimail says it completes O365. And their service is free specially for O365 customers!
Just made an account with them, waiting for any data to appear to the dashboard. 
If this works, it tells that MS is letting the reports to certain partners, but not all. Then we might discuss about visibility and equality....

dolce-anthony's avatar
dolce-anthony
Copper Contributor
Jan 12, 2022
Does anybody know of any updates to this thread with respect to Office365 sending out aggregate DMARC reports ?
  • dolce-anthony's avatar
    dolce-anthony
    Copper Contributor
    Jan 13, 2022
    I sent a private message to somebody at Microsoft and they also responded with this same link which made me wonder if office365 is sending aggregate reports to valimail but not other aggregate vendors like Mxtoolbox which we use.
  • Mark Penney's avatar
    Mark Penney
    Copper Contributor
    Jan 13, 2022
    Unfortunately this isn't quite what we are discussing here. The issues is that Microsoft as an ESP is not sending DMARC reports as per senders DMARC record. This is useful so you can tell if you are running into problems with authentication when sending to Microsoft, and to see if people are trying to spoof your domain sending to Microsoft.

    What you are talking about is just MS365 customers and of limited scope.
  • John_Naab's avatar
    John_Naab
    Copper Contributor
    May 21, 2024

    Mark Penney / Scott Brown 

    Valimail offers a free reporting service to any M365 customer which provides excellent visibility into your current DMARC posture (reference this June 3, 2019 Microsoft Cloud security guest blog post  as well as this Valimail DMARC visibility is free with Valimail Monitor page). 

     

    With a paid Valimail Enforce license, you can gain DMARC insights for mail received by your Exchange Online tenant by enabling the Valimail Mailbox Connector to at least partially overcome the shortcomings of Microsoft not generating DMARC reporting data in the normal manner. While it would be best to have DMARC reporting from all M365 recipients, this does give you visibility into mail received by your own tenant(s). 

     

    [DISCLAIMER: I have utilized the free Valimail Monitor DMARC reporting tool in my own (personal) tenant for many years, as well as set it up for several small non-profit organizations I have worked with, to help them get to DMARC enforcement. We also enabled Valimail Monitor for my employer's tenant when our previous provider (250ok) was acquired and have now moved to the full paid Valimail Monitor platform. We've been very happy with Valimail, but there are many options in this space. Try them. Pick the one that is best for you. Implement it. Get to enforcement (p=quarantine or p=reject). Monitor those reports regularly. It is now essential that legitimate email be fully authenticated using both SPF and DKIM with DMARC domain alignment to even ensure delivery. With a little more work you can improve the odds messages land in the recipient Inbox (rather than Junk or be rejected outright). Invest the time (and money). It's worth it to help protect your users, customers, and partners from spoofed phishing/malware attacks. It is essential if you want to take advantage of BIMI. Good luck!]

  • vauman's avatar
    vauman
    Copper Contributor
    Sep 25, 2024

    John_Naab, I'm afraid you fell into the same trap as many others in this thread.

    You said "Monitor those reports regularly." Which providers are sending you forensic reports? Not O365! (nor hardly anyone else 😞)