DMARC Guide: Microsoft 365 and Google Workspace

Email is one of the most widely used and effective communication channels in the modern world. But it also faces many challenges and threats from cybercriminals who exploit this channel to launch phishing, spoofing, and spamming attacks. To combat this, many email services are implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC) on sent emails. DMARC is a key component of email security strategy. It helps prevent phishing scams, spam, and other email security risks by allowing recipients to trust that messages came from the authenticated domain owner, not an impostor.

To benefit from this, senders also need to support DMARC, but setting it up correctly is not a trivial task. It requires careful configuration and monitoring of Domain Name System (DNS) records, alignment of Send Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) identifiers, testing of various DMARC policies, and analysis of DMARC reports.

Failing to properly set up DMARC on the sender side can result in legitimate emails being blocked or marked as spam, which can hurt email deliverability and performance. That’s why it is essential for organizations that rely on email communication to understand the benefits and challenges of DMARC and how to implement it properly.

DMARC is the first and only widely deployed technology that can make the “From:” header domain (what users see in their email clients) trustworthy. By using DMARC, domain owners can prevent their domains from being used in phishing or spoofing attacks that target their customers, employees, and partners.

This guide will cover how to set up DMARC for Microsoft 365 and Google Workspace email to work smoothly with the the Email Protection Service (EPS) of the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC^® and EI-ISAC^®).