DMARC record
Last Updated: October 18, 2019
A properly created DMARC record works in conjunction with other features to help prevent impersonated messages from being delivered to your users. Before creating the DMARC record for a tenant domain, a proper SPF record MUST BE PUBLISHED and preferably DKIM records are also published.
In the examples below, domain is the client's domain that contains a working SPF record (e.g. protectedtrust.com), and email@example.com should be the atp@domain shared mailbox that has already been created in the tenant's organization. By setting a rua address (Report URI Aggregate) we specify where reports of DMARC failures will be sent. An alternative is setting a ruf address (Report URI Forensic), which collects a detailed report for each message that fails (this is a lot of detail that we probably don't need).
This record instructs receiving servers to send reports to the atp@ address rather than quarantine failing messages (recommended for testing):
TXT: _dmarc.domain 3600 IN TXT "v=DMARC1;p=none;rua=mailto:email@example.com"
TXT: _dmarc.domain 3600 IN TXT "v=DMARC1; p=quarantine"
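Before publishing either record, the TXT value can be checked for the mistakes that most often make receivers ignore it. The following is an added example, not part of the original page: lint_dmarc and the sample strings are constructed for illustration, and the checks assume the tag rules of RFC 7489 (v=DMARC1 first, p= one of none, quarantine or reject, rua= as mailto: URIs).

```python
import re

POLICIES = {"none", "quarantine", "reject"}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes pasted from documents
MAILTO = re.compile(r"^mailto:[^@\s]+@[^@\s!]+(![0-9]+[kmgt]?)?$", re.I)

def lint_dmarc(txt):
    """Return (tags, errors, warnings) for one DMARC TXT record value."""
    errors, warnings, tags = [], [], {}
    if any(q in txt for q in SMART_QUOTES):
        errors.append("typographic quotes would become part of the record value")
    value = txt.strip().strip('"' + SMART_QUOTES)
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if not sep or not val.strip():
            errors.append(f"malformed tag: {part!r}")
        elif name in tags:
            errors.append(f"duplicate tag: {name}")
        else:
            tags[name] = val.strip()
    # The version tag must come first, or receivers ignore the whole record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        errors.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        errors.append("p= must be none, quarantine or reject")
    elif policy == "none":
        warnings.append("p=none: reports only, failing mail is still delivered")
    if "rua" not in tags:
        warnings.append("no rua=: no aggregate reports will be received")
    for uri in filter(None, tags.get("rua", "").split(",")):
        if not MAILTO.match(uri.strip()):
            errors.append(f"rua is not a mailto: URI: {uri.strip()!r}")
    return tags, errors, warnings

# Constructed sample values, modelled on the two records above.
SAMPLES = [
    "\u201cv=DMARC1;p=none;rua=mailto:email@example.com\u201d",  # pasted with curly quotes
    '"v=DMARC1; p=quarantine"',                                  # enforcing, no reporting
    '"p=quarantine; v=DMARC1"',                                  # version tag not first
]

if __name__ == "__main__":
    for sample in SAMPLES:
        tags, errors, warnings = lint_dmarc(sample)
        print(sample, "->", tags.get("p"), errors, warnings)
```
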