Forum Discussion

Scott Brown's avatar
Scott Brown
Brass Contributor
Jan 16, 2019
Solved

Why doesn't O365 produce DMARC reporting?

Hi All,   We're working through DMARC for our org, and I'm trying to understand why O365 doesn't produce DMARC reporting for mail it receives - that can be consumed and analysed?   I've spoken to...
  • ChrisHoardMVP's avatar
    ChrisHoardMVP
    Jan 16, 2019

    Hi Scott,

    This has been asked for a very long time - I had customers as far back as 2012 asking for it when I started doing large scale migrations to Office 365. As expected there is a Uservoice open for it.

    https://office365.uservoice.com/forums/264636-general/suggestions/11094318-dmarc-aggregate-reports-from-o365-domains

    When Microsoft themselves implemented DMARC they used Agari for the reports. There was quite a well known blog series by Terry Zink on it at the time. Whilst they ended up introducing DKIM into the EOP service on top of SPF and began using DMARC - even to the point of instructing how to put together a DMARC record and tightening it over time, they never got involved in the reporting side of things. Agari was usually recommended for enterprise size clients whilst DMARCIAN was recommended for SMB.

    They never explained exactly they never got into DMARC reporting. I guess this is something to vote for on the Uservoice to try and push it to their attention. It would make complete sense - and even more to analyse that in Power BI.

    Hope I have answered your question.

    Best, Chris

ChrisHoardMVP's avatar
ChrisHoardMVP
MVP
Dec 04, 2019
Sure, it's been asked for a long time. There are multiple uservoices on it including this

https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/36016783-visibility-of-dmarc-reports

I can't give you any significant or pertinent reason why Microsoft have not pushed this more, especially considering they baked DKIM into the Exchange Admin Centre and SPF goes on in standard custom domain checks. I would like to see this functionality but have been asked about it since at least 2014 when CSP was first introduced - any probably longer! So whilst there are uservoices then I would say that's probably not going to be picked up anytime soon so you may also want to raise it at future AMA's, etc.

Best, Chris
Mark Penney's avatar
Mark Penney
Copper Contributor
Dec 04, 2019

ChrisHoardMVP 

 

This Uservoice is currently #7 in General... 

 

https://office365.uservoice.com/forums/264636-general/suggestions/11094318-dmarc-aggregate-reports-from-o365-domains

 

General is probably not the best place for it, but surely that should get it some attention?

 

I feel like a few high profile tech/security reporters need to write up a scathing article or 3 about about this to get some traction...

  • corneliusroemer-fwh's avatar
    corneliusroemer-fwh
    Copper Contributor
    Jan 23, 2020
    Ars Technica? Anyone know anyone there, or other similar blogs that may get read by people at Microsoft? Crazy stuff that an organisation that is so central to tech as a whole does not implement this simple report feature.