Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders.
This article follows Microsoft's DMARC article to walk through the steps needed to set up DMARC for outbound mail from Microsoft 365.
When using an onmicrosoft.com subdomain
According to the Microsoft article, when you use an onmicrosoft.com subdomain the SPF and DKIM records are set up automatically, but a DMARC policy is not. The DMARC policy is what tells receiving servers what to do with the results of the SPF and DKIM checks, so without it those checks carry no enforcement.
As an example, here is the SPF check failing on a spoofed message (addresses and IP redacted):
ARC-Authentication-Results: i=1; mx.google.com;
spf=fail (google.com: domain of email@example.com does not designate xx.xx.xxx.xx as permitted sender) firstname.lastname@example.org
However, because no DMARC policy is published for the domain, the receiving server has no instruction from the domain owner to quarantine or reject the message, and the failure goes unenforced.
To set up DMARC for your organization, form the DMARC TXT record for the onmicrosoft.com domain and publish it to DNS via Office 365 Admin Center > Settings > Domains > click the onmicrosoft.com domain > Add record.
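To make concrete what the missing policy means, here is an added example in Python (not code from this page or from the Microsoft article): it forms a DMARC TXT record, parses one, and applies the DMARC decision to SPF/DKIM results the way a receiving server does. The tenant names contoso.onmicrosoft.com and fabrikam.onmicrosoft.com, the in-memory DNS table and the tiny public-suffix list are constructed for illustration; a real receiver queries DNS and uses the full Public Suffix List. It goes slightly beyond the page by also showing strict versus relaxed identifier alignment and the sp fallback for subdomains.

```python
# Added example: DMARC record construction, parsing and evaluation as a receiver does it.
# Not code from the Microsoft article; the domains, DNS table and suffix list
# below are constructed for illustration.

# Constructed stand-in for DNS: TXT record at _dmarc.<domain>, or None if absent.
FAKE_DNS = {
    # Tenant that has SPF and DKIM but never published a DMARC record.
    "_dmarc.contoso.onmicrosoft.com": None,
    # Tenant that published a reject policy with strict DKIM / relaxed SPF alignment.
    "_dmarc.fabrikam.onmicrosoft.com":
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@fabrikam.com; adkim=s; aspf=r",
}

# Tiny stand-in for the Public Suffix List, used to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "org", "onmicrosoft.com"}


def build_dmarc_record(policy="reject", rua=None, pct=100, adkim="r", aspf="r"):
    """Form the value of the _dmarc.<domain> TXT record to publish in DNS."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    tags = ["v=DMARC1", f"p={policy}", f"pct={pct}"]
    if rua:
        tags.append(f"rua=mailto:{rua}")   # aggregate reports are sent here
    tags += [f"adkim={adkim}", f"aspf={aspf}"]
    return "; ".join(tags)


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict. Returns None if this is not a usable DMARC record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain: the label directly above the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=FAKE_DNS):
    """Return (dmarc_result, disposition).

    dmarc_result is 'pass', 'fail' or 'none' (no policy published);
    disposition is what the domain owner asked the receiver to do: 'none', 'quarantine' or 'reject'.
    pct is ignored here; receivers apply it as a sampling rate on the disposition.
    """
    from_domain = from_domain.lower()
    txt = dns.get("_dmarc." + from_domain)
    used_org_record = False
    if txt is None and org_domain(from_domain) != from_domain:
        # No record at the exact From domain: fall back to the organizational domain.
        txt = dns.get("_dmarc." + org_domain(from_domain))
        used_org_record = True
    policy = parse_dmarc(txt)
    if policy is None:
        # The onmicrosoft.com default state: SPF/DKIM may fail, but the receiver
        # has no instruction from the domain owner, so nothing is enforced.
        return ("none", "none")
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # The subdomain policy (sp) applies only when the record came from the org domain.
    disposition = policy.get("sp", policy["p"]) if used_org_record else policy["p"]
    return ("fail", disposition)


if __name__ == "__main__":
    # Spoofed mail claiming contoso.onmicrosoft.com: SPF fails, but no DMARC record exists.
    print(evaluate_dmarc("contoso.onmicrosoft.com", "fail", "contoso.onmicrosoft.com", "none", None))
    # The same spoof against a tenant that published p=reject.
    print(evaluate_dmarc("fabrikam.onmicrosoft.com", "fail", "fabrikam.onmicrosoft.com", "none", None))
    # The record to publish for contoso: name _dmarc.contoso.onmicrosoft.com, type TXT.
    print(build_dmarc_record("reject", rua="dmarc@contoso.com"))
```

The first call returns ('none', 'none'): the SPF failure is visible in the headers, exactly as in the Authentication-Results line above, but with no record at _dmarc.contoso.onmicrosoft.com the receiver is told nothing. Publishing the record that build_dmarc_record produces turns the same SPF failure into ('fail', 'reject'). Start with p=none and a rua address while you confirm that all legitimate outbound sources pass SPF or DKIM with alignment, then move to quarantine and reject.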
When using a custom domain
If you have a custom domain, or use on-premises Exchange servers alongside Microsoft 365, you need to set up DMARC for your outbound mail manually.
The steps for a custom domain are described in the Microsoft article "Use DMARC to validate email"; refer to it for the details.