< back to blog

Don't Forget About Your onmicrosoft.com Subdomain

April 4, 2024
Mail Providers


If you are a Microsoft customer using Office 365 and Exchange Online, you have an onmicrosoft.com subdomain. By default, it can be weaponised for email spoofing as there is no effective DMARC enforcement without intervention.

What is onmicrosoft.com?

Every Microsoft tenancy starts with an onmicrosoft.com subdomain, then you add the domains you own. This subdomain is also referred to as the Microsoft Online Email Routing Address (MOERA).

Why do I need to do this?

We have witnessed an uptick in scam emails being sent from MOERA subdomains, you may have observed this too.

The onmicrosoft.com parent domain does not have a _dmarc TXT record to dictate policy for subdomains. And Microsoft doesn't set up an explicit DMARC record on your subdomain by default either. This means that unless you configure a DMARC record for your complimentary (mandatory) onmicrosoft.com subdomain, it has no DMARC enforcement and can be abused.

Check out our post on how DMARC policy applies to subdomains

You may not send (or think you send) anything from your onmicrosoft.com domain, but without an enforcement DMARC policy it can be used for email spoofing attacks.

Didn't Microsoft setup this subdomain?

Yes, that’s why it’s easy to overlook, Microsoft manages its MX records, SPF records and DKIM records but they stop short at setting up a default DMARC record for the subdomain. In fact, the only DNS records you can manage for this subdomain are TXT records.

Ok, so what's the fix?

Since Microsoft control the SPF and DKIM records, you're fairly safe to just put in a quarantine policy, then move to reject if there are no issues.

Quick fix DNS record

  1. Go to https://admin.microsoft.com
  2. Select: Settings, Domains
  3. Select your .onmicrosoft.com Domain
  4. Select 'DNS Records'
  5. Enter the following and then press 'Save':

Type: TXT

TXT name: _dmarc

TXT value: v=DMARCv1; p=quarantine

TTL: 1 Hour

Our take

The vulnerability of not having a DMARC record on your onmicrosoft.com subdomain is real, and many organisations will just jump to the quick fix DNS record to get this gap closed.

If you’re like us and want to know if and where your onmicrosoft.com subdomains are being used, the solution is to also setup DMARC reporting (i.e. a rua= tag in the DMARC policy) - VerifyDMARC has generous domain limits to make this affordable.

DMARC reporting can provide useful insights when something goes wrong, you may detect a large number of messages being sent from your onmicrosoft.com subdomain indicating a user or Office 365 group has a misconfigured sender domain.

Staying secure

If you use VerifyDMARC as your reporting service, it shows the status of your DMARC records and you get visual feedback when these have a valid secure DMARC policy. This is a good way to ensure nothing is overlooked and draw attention to any potential future DNS misconfiguration.

Without a DMARC monitoring mechanism, you must check onmicrosoft.com subdomains regularly to ensure they have a valid DMARC record with an enforcement policy (p=quarantine or p=reject).


It is easy to overlook onmicrosoft.com subdomains, and malicious actors have got wise to this and are exploiting it. It is essential these domains are considered as part of your email security and DMARC strategy, so they don’t become a weak link. Using a tool like VerifyDMARC can help get these secured quickly and make sure they stay secure.

Update: North Korean Actors Exploit Weak DMARC Security

Update: North Korean Actors Exploit Weak DMARC Security

In response to a recent FBI, State Department, and NSA advisory, we highlight risks of weak DMARC security and offer actionable steps to protect your organisation, customers, and suppliers.

DMARC Protocol
Comprehensive & Cost-Effective DMARC for MSPs

Comprehensive & Cost-Effective DMARC for MSPs

The challenge of managing DMARC across multiple client domains has traditionally been a complex and costly affair. VerifyDMARC addresses this head-on by offering a unified, cost-effective solution.

Loose DMARC Policy: A Prime Target for TA427

Loose DMARC Policy: A Prime Target for TA427

Discover how North Korea-backed TA427 exploits weak DMARC policies to conduct sophisticated phishing attacks, and learn why strong DMARC enforcement is essential to protect your organisation's reputation.

DMARC Protocol