A properly created DMARC record works in conjunction with other features to help prevent impersonated messages from being delivered to your users. Before creating the DMARC record for a tenant domain, a proper SPF record MUST BE PUBLISHED and preferably DKIM records are also published.
for information on how to configure an SPF record.
In the examples below domain is the client's domain that contains a working SPF record (i.e. protectedtrust.com), and email@example.com should be the atp@domain shared mailbox that has already been created in a tenant's organization. By setting a rua address (Report URI Aggregate) we're specifying a location where reports of DMARC failures will be sent. An alternative is setting a ruf address (Report URI Forensic) which will collect detailed reports for each message that fails (this is a lot of detail that we probably don't need).
This record will instruct to notify the atp@ address rather than quarantine (recommended for testing):
TXT: _dmarc.domain 3600 IN TXT “v=DMARC1;p=none;rua=mailto:firstname.lastname@example.org”
The following record will instruct to quarantine messages:
TXT: _dmarc. domain 3600 IN TXT “v=DMARC1; p=quarantine”
Dmarc record Format