If you are a Microsoft customer using Office 365 and Exchange Online, you have an onmicrosoft.com subdomain. By default, it can be weaponised for email spoofing as there is no effective DMARC enforcement without intervention.
Every Microsoft tenancy starts with an onmicrosoft.com subdomain, then you add the domains you own. This subdomain is also referred to as the Microsoft Online Email Routing Address (MOERA).
We have witnessed an uptick in scam emails being sent from MOERA subdomains; you may have observed this too.
The onmicrosoft.com parent domain does not have a _dmarc TXT record to dictate policy for subdomains, and Microsoft doesn't set up an explicit DMARC record on your subdomain by default either. This means that unless you configure a DMARC record for the complimentary (and mandatory) onmicrosoft.com subdomain that comes with your tenancy, it has no DMARC enforcement and can be abused.
Check out our post on how DMARC policy applies to subdomains
You may not send (or think you send) anything from your onmicrosoft.com domain, but without an enforcement DMARC policy it can be used for email spoofing attacks.
That is exactly why it is easy to forget: Microsoft manages the MX, SPF and DKIM records for this subdomain but stops short of setting up a default DMARC record. In fact, the only DNS records you can manage for this subdomain are TXT records.
Since Microsoft controls the SPF and DKIM records, you're fairly safe to put in a quarantine policy straight away, then move to reject if there are no issues.
Type: TXT
TXT name: _dmarc
TXT value: v=DMARC1; p=quarantine
TTL: 1 Hour
The vulnerability of not having a DMARC record on your onmicrosoft.com subdomain is real, and many organisations will just jump to the quick fix DNS record to get this gap closed.
If you're like us and want to know if and where your onmicrosoft.com subdomains are being used, the solution is to also set up DMARC reporting (i.e. a rua= tag in the DMARC policy). VerifyDMARC has generous domain limits to make this affordable.
DMARC reporting can provide useful insights when something goes wrong: for example, you may detect a large number of messages being sent from your onmicrosoft.com subdomain, indicating that a user or Office 365 group has a misconfigured sender domain.
If you use VerifyDMARC as your reporting service, it shows the status of your DMARC records and you get visual feedback when these have a valid secure DMARC policy. This is a good way to ensure nothing is overlooked and draw attention to any potential future DNS misconfiguration.
Without a DMARC monitoring mechanism, you must check onmicrosoft.com subdomains regularly to ensure they have a valid DMARC record with an enforcement policy (p=quarantine or p=reject).
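The following script is an added example, not code from the original post or from VerifyDMARC. It shows what "check the subdomain regularly" looks like in practice: it fetches the `_dmarc` TXT record for a tenant's onmicrosoft.com subdomain, parses it the way a receiving mail server does (a record whose version tag is not exactly `v=DMARC1` is discarded, so a typo there is equivalent to having no record), and classifies the result as missing, invalid, monitor-only (p=none) or enforced (p=quarantine / p=reject), noting whether a rua= reporting address is present. The tenant names and the resolver table are constructed for the demo; a real lookup can be plugged in through the `resolver` callable (a dnspython-based one is sketched, assuming dnspython is installed).

```python
"""Check onmicrosoft.com subdomains for an enforcing DMARC policy.

Added example (not VerifyDMARC's code). Tenant names below are constructed.
"""
from typing import Callable, Dict, List

ENFORCING_POLICIES = {"quarantine", "reject"}
VALID_POLICIES = {"none", "quarantine", "reject"}

# A resolver maps a DNS name to the list of TXT strings found at that name.
Resolver = Callable[[str], List[str]]


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=quarantine; rua=mailto:...' into lower-cased tag -> value."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records: List[str]) -> Dict[str, object]:
    """Classify the TXT strings found at _dmarc.<domain>.

    Mirrors receiver behaviour: only records starting with v=DMARC1 count,
    and more than one such record is treated as invalid.
    """
    candidates = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not candidates:
        return {"status": "missing", "policy": None, "has_reporting": False}
    if len(candidates) > 1:
        return {"status": "invalid", "policy": None, "has_reporting": False,
                "reason": "multiple DMARC records"}
    tags = parse_dmarc(candidates[0])
    policy = tags.get("p", "").lower()
    has_reporting = bool(tags.get("rua"))
    if policy not in VALID_POLICIES:
        return {"status": "invalid", "policy": policy or None,
                "has_reporting": has_reporting, "reason": "missing or unknown p= tag"}
    status = "enforced" if policy in ENFORCING_POLICIES else "monitor-only"
    return {"status": status, "policy": policy, "has_reporting": has_reporting}


def check_tenant(tenant: str, resolver: Resolver) -> Dict[str, object]:
    """Look up _dmarc.<tenant>.onmicrosoft.com and assess it."""
    name = f"_dmarc.{tenant}.onmicrosoft.com"
    result = assess_dmarc(resolver(name))
    result["name"] = name
    return result


def dnspython_resolver(name: str) -> List[str]:
    """Real DNS lookup; assumes the dnspython package is installed."""
    import dns.resolver  # imported lazily so the rest of the file runs without it
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [b"".join(rdata.strings).decode() for rdata in answer]


# Constructed DNS answers standing in for real lookups in the demo below.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "_dmarc.contoso-demo.onmicrosoft.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid"],
    "_dmarc.fabrikam-demo.onmicrosoft.com": ["v=DMARC1; p=none"],
    # Typo in the version tag: receivers discard this, so it is as good as missing.
    "_dmarc.typo-demo.onmicrosoft.com": ["v=DMARCv1; p=reject"],
}


def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    for tenant in ("contoso-demo", "fabrikam-demo", "typo-demo", "nothing-demo"):
        r = check_tenant(tenant, constructed_resolver)
        print(f"{r['name']}: {r['status']} (p={r['policy']}, reporting={r['has_reporting']})")
```

Anything other than `enforced` with `has_reporting` True is the gap the post describes: a missing or monitor-only record leaves the subdomain spoofable, and without rua= you will never learn that it is being abused.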
It is easy to overlook onmicrosoft.com subdomains, and malicious actors have got wise to this and are exploiting it. It is essential these domains are considered as part of your email security and DMARC strategy, so they don’t become a weak link. Using a tool like VerifyDMARC can help get these secured quickly and make sure they stay secure.