My cloud email provider supports DMARC. Do we still need to implement it?


Many of the of the cloud email providers are or have started to provide DMARC support.  However, they only provide support for DMARC on the receiving side.  Meaning, that they are enabling DMARC verification for their users (G-Suite, O365, gmail, hotmail,, etc).   DMARC Verification is used to check all incoming message for a DMARC policy.  So if a message from to (which has DMARC verification enabled), the mail gateways at will check the DNS of for a DMARC policy.

Your organization will need to implement a DMARC policy.  It’s the DMARC policy that is protecting your domain (along with SPF and DKIM).

The reason for cloud email providers do not create DMARC policies is because:

  • They do not have access to your domain’s DNS.
  • They do not want to impact messages are being sent.  If they set the DMARC policy to reject, there is a chance legitimate messages will be blocked due to incorrect configurations.  Additionally, the cloud service providers are not aware of what other services you may be using to send messages.
  • They do not know where to send the reports to.

Guides and Resources

If your organization is using Google’s mail servers, then use the follow guides:

If your organization is using Office 365, then use the follow guides:

If your organization is using Protonmail, then use the follow guides:

For other systems, please use this resource guide: