Forum Discussion
Why doesn't O365 produce DMARC reporting?
- Jan 16, 2019
Hi Scott,
This has been asked for a very long time - I had customers as far back as 2012 asking for it when I started doing large scale migrations to Office 365. As expected there is a Uservoice open for it.
https://office365.uservoice.com/forums/264636-general/suggestions/11094318-dmarc-aggregate-reports-from-o365-domains
When Microsoft themselves implemented DMARC they used Agari for the reports. There was quite a well known blog series by Terry Zink on it at the time. Whilst they ended up introducing DKIM into the EOP service on top of SPF and began using DMARC - even to the point of instructing how to put together a DMARC record and tightening it over time, they never got involved in the reporting side of things. Agari was usually recommended for enterprise size clients whilst DMARCIAN was recommended for SMB.
They never explained exactly they never got into DMARC reporting. I guess this is something to vote for on the Uservoice to try and push it to their attention. It would make complete sense - and even more to analyse that in Power BI.
Hope I have answered your question.
Best, Chris
Maybe there's an internal disagreement about how to describe DKIM failures on reports?
On normal dmarc reports, Microsoft's default dkim signing approach for O365 would look problematic. However, their default dkim approach seems to work well for O365 clients who are just emailing other O365 clients (as long as the mail doesn't have to go through a 3rd party spam filter along the way).
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide