MT.1182 - Entra managed and verified domains should have mature DMARC policy (p=reject, pct=100).
Overviewβ
A DMARC policy SHALL be published with reject policy for every verified and managed domain in the Entra tenent.
Rationale: Without a DMARC policy available for each domain, recipients may improperly handle SPF and DKIM failures, possibly enabling spoofed emails to reach end users' mailboxes. Publishing DMARC records protects the domains and all subdomains.
reject policy with pct=100 is the recommended policy value that should be set after some time and results in a passed test.
Any policy with pct < 100 or quarantine will result in a "Low" severity fail.
none results in a failed test with "Medium" severity, assuming that only fully missing DMARC entry results in a "High" severity.
Remediation action:β
DMARC is not configured directly through the Microsoft Admin Center, but rather via DNS records hosted by the agency's domain. As such, implementation varies depending on how an agency manages its DNS records. See Form the DMARC TXT record for your domain | Microsoft Learn for Microsoft guidance.
A DMARC record published at the second-level domain will protect all subdomains. In other words, a DMARC record published for example.com will protect both a.example.com and b.example.com, but a separate record would need to be published for c.example.gov.
To test your DMARC configuration, consider using one of many publicly available web-based tools. Additionally, DMARC records can be requested using the PowerShell tool Resolve-DnsName. For example:
Resolve-DnsName _dmarc.example.com txt
If DMARC is configured, a response resembling v=DMARC1; p=reject; pct=100; rua=mailto:[email protected], mailto:[email protected]; ruf=mailto:[email protected] will be returned, though by necessity, the contents of the record will vary by agency. In this example, the policy indicates all emails failing the SPF/DKIM checks are to be rejected and aggregate reports sent to [email protected] and [email protected]. Failure reports will be sent to [email protected].
Related linksβ
- Microsoft Learn - Set up DMARC
- NSCS.gov - Protect Parked Domains
- CISA 4 Domain-Based Message Authentication, Reporting, and Conformance (DMARC) - MS.EXO.4.1v1
- CISA ScubaGear Rego Reference
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | MT.1182 |
| Severity | Unknown |
| Suite | Maester |
| Category | Entra |
| PowerShell test | Test-MtDomainsDmarcRecordMaturity |
| Tags | Entra, Maester, MT.1182 |
Sourceβ
- Pester test:
tests/Maester/Entra/Test-MtDomainsDmarcRecordMaturity.Tests.ps1 - PowerShell source:
powershell/public/maester/entra/Test-MtDomainsDmarcRecordMaturity.ps1