DMARC O365 non sending domains reject policy?

Questions about DMARC policies on additional domains in my O365 account that are not configured for sending.

Is the best practice to set the non-sending domains to Reject in DMARC? And the primary (i.e., sending) domain to none, with the goal to move to Quarantine or Reject over time?

Scenario:
Main corporate domain email is tied to: www.maincorp[dot com]
Email: [email protected][dot com]
Configured for DKIM, SPF and DMARC set to none with reporting.

We then have 10-15 additional domain names configured in O365.
That said, we do not send from any of the additional domains, but a few receive.

Example
Add Domain: www.main-corp[dot com]
(email set as alias to primary email: [email protected][dot com] really resolves to [email protected][dot com])

Add Domain: www.maincorpUSA[dot com]
ETC

Currently all additional domains have the same DMARC policy of None and reporting email, and we get a few reports of spoofed emails from some of the non-sending domains.

Is the best practice to set the non-sending domains to Reject in DMARC?

Welcome to the Cloudflare Community.

Configuring DNS records that communicate to recipients that certain domains should never send email is a good practice to employ. Here is a Cloudflare resource and a third-party guide that are relevant to your question.

https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/
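An added example, not part of the original posts: one way to audit the additional domains offline, checking that each publishes an SPF record of exactly `v=spf1 -all` and a DMARC record with `p=reject`. The function names, domain names and record strings are constructed for illustration; MX records are left alone because some of these domains still receive mail.

```python
# Added example: audit TXT records of domains that should never send mail.
# All domain names and record strings below are constructed sample data.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_non_sending(domain, txt_records):
    """Return findings for a non-sending domain.

    txt_records maps a DNS name to the list of TXT strings published there.
    """
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF authorizes senders or is not a hard fail: {spf[0]!r}")

    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", [])
             if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"expected exactly one DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() != "reject":
            findings.append(f"DMARC p={tags.get('p', '<missing>')}, want p=reject")
        # An absent sp inherits p, so only an explicit non-reject sp is reported.
        if tags.get("sp", "reject").lower() != "reject":
            findings.append(f"DMARC sp={tags['sp']} leaves subdomains spoofable")
        if "rua" not in tags:
            findings.append("no rua tag: aggregate reports about spoofing will stop")
    return findings

SAMPLE = {  # constructed records; the .example names are placeholders
    "parked-ok.example": ["v=spf1 -all"],
    "_dmarc.parked-ok.example": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@corp.example"],
    "parked-weak.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.parked-weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@corp.example"],
}

if __name__ == "__main__":
    for name in ("parked-ok.example", "parked-weak.example", "parked-bare.example"):
        print(name, audit_non_sending(name, SAMPLE) or "locked down")
```

When the `rua` mailbox lives in a different domain from the one being reported on, the receiving domain must also publish a DMARC external-report authorization TXT record, or many reporters will not send the reports.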

Thx Epic Network, will get eyes on that.
Cheers!
