One of the common questions customers ask us as they begin to dive into DMARC is something along the lines of "If Microsoft does DMARC, why do I need Sendmarc?"
This article seeks to answer this question in two simple ways: firstly, by highlighting the areas in which Microsoft is involved in DMARC (i.e. explaining what is meant by the statement that Microsoft 'does DMARC'), and secondly, by underscoring the areas where Microsoft's platform and services do not solve DMARC-related issues.
Microsoft's role in the DMARC ecosystem
As per recent announcements, Microsoft has two primary roles in the DMARC ecosystem:
- Send Reports: Microsoft sends aggregate DMARC reports for domains whose MX record points to Microsoft infrastructure. This is incredibly powerful as it allows users of DMARC to see mail volume that is sent to Microsoft-owned infrastructure.
- Enforce DMARC: Microsoft uses DMARC and related standards (namely, SPF and DKIM) as part of their impersonation protection processes, effectively using these standards as inbound DNS authentication. This is a very important and powerful measure taken by Microsoft in protecting users of their platform against impersonation. This will secure your domain against inbound threats.
Given the above, it's accurate to say that Microsoft has a big role to play in the DMARC ecosystem - they have the ability to reject mails that fail DMARC evaluations when the domain owners instruct them to, and they inform those domain owners of mail received by their infrastructure.
However, for the domain owner, the journey to DMARC compliance requires more than these two roles. Put another way, the two roles that Microsoft plays are necessary, but not sufficient, for a domain owner to achieve DMARC compliance.
The role of Sendmarc in the DMARC ecosystem
Sendmarc complements the role that Microsoft plays in two ways:
- Reporting: The Sendmarc platform gathers and enriches DMARC data sent to it, not only by Microsoft, but by thousands of receivers of mail around the planet. Microsoft does not provide its customers a platform to see all the DMARC data generated by the domain, and by virtue of that, does not enrich or visualize this data.
- Configuration: While Microsoft will honor DMARC, SPF and DKIM, it is up to the domain owner (with the help of a platform like Sendmarc) to ensure that these standards are configured correctly. Failure to do so will result in Microsoft rejecting legitimate mail, causing delivery issues. In other words, while Microsoft will be rejecting mails that fail DMARC, it's up to the domain owner to ensure that their domain has the instructions for Microsoft to be able to do so.
Thus, while Microsoft's role in DMARC is critical in securing your organization against inbound threats, a complete journey to DMARC protection requires more. It requires that you interpret reports sent not only from Microsoft, but from all providers; it requires that you take action and configure all platforms (not just Microsoft) to be DMARC compliant; and perhaps most importantly of all, it requires that you have a complete set of DMARC, SPF and DKIM records so that Microsoft can protect you against all threats.
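To illustrate why reports from every receiver matter, the following added example (not code from Sendmarc or Microsoft) merges DMARC aggregate reports from two receivers and lists the sending IPs whose mail fails DMARC. The receiver names, IP addresses and counts are constructed, and the reports are assumed to use the RFC 7489 element names without an XML namespace.

```python
import xml.etree.ElementTree as ET  # reports arrive by e-mail: prefer defusedxml for untrusted XML
from collections import defaultdict

def _report(org, rows):
    """Build a constructed aggregate report (RFC 7489 layout, only the fields used below)."""
    recs = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
        f"<disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
        f"</policy_evaluated></row></record>" for ip, n, dkim, spf in rows)
    return (f"<feedback><report_metadata><org_name>{org}</org_name></report_metadata>"
            f"<policy_published><domain>example.com</domain><p>none</p></policy_published>"
            f"{recs}</feedback>")

# Constructed sample data: two receivers reporting on the same domain.
SAMPLE_REPORTS = [
    _report("receiver-a.example", [("192.0.2.10", 120, "pass", "pass"),
                                   ("198.51.100.7", 40, "fail", "fail")]),
    _report("receiver-b.example", [("192.0.2.10", 30, "pass", "fail"),
                                   ("198.51.100.7", 5, "fail", "fail"),
                                   ("203.0.113.99", 8, "fail", "fail")]),
]

def summarize(reports):
    """Merge reports into {source_ip: {"total", "dmarc_pass", "reporters"}}."""
    summary = defaultdict(lambda: {"total": 0, "dmarc_pass": 0, "reporters": set()})
    for xml_text in reports:
        root = ET.fromstring(xml_text)
        org = root.findtext("report_metadata/org_name", default="unknown")
        for row in root.iterfind("record/row"):
            ip = row.findtext("source_ip")
            count = int(row.findtext("count", default="0"))
            # policy_evaluated holds the aligned results; DMARC passes if either one passes.
            results = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
            entry = summary[ip]
            entry["total"] += count
            entry["dmarc_pass"] += count if "pass" in results else 0
            entry["reporters"].add(org)
    return dict(summary)

def failing_sources(summary):
    """Sources with DMARC-failing mail, as (ip, failing_count), highest volume first."""
    failing = [(ip, s["total"] - s["dmarc_pass"]) for ip, s in summary.items()
               if s["total"] > s["dmarc_pass"]]
    return sorted(failing, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for ip, n in failing_sources(summarize(SAMPLE_REPORTS)):
        print(f"{ip}: {n} messages failed DMARC")
```

In the constructed data, 203.0.113.99 appears only in the second receiver's report, so a view limited to one receiver would miss it. Each failing source then has to be classified as either a legitimate sender that needs SPF or DKIM configured or an unauthorized sender before the policy is tightened.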