By default Office 365 DMARC validation for internet emails that fails for policy P=Reject will make the email to land in junk folder of the recipient mailbox. Microsoft 365 will treat DMARC policies of quarantine and reject in the same way, which means that if the sender’s DMARC policy is set to reject or quarantine, the emails that fail DMARC will be sent to the junk folder of the recipient mailbox which is by design as of now and can be found in the Microsoft Article.
Microsoft believes that the main agenda of doing this is to ensure that any legitimate emails which misses in DMARC alignment shouldn’t be lost and its better either to quarantine them or to get them delivered recipient’s junk mail folder. There are few cases wherein few organizations would still need the DMARC policy to be stringent due to their security regulations.
Microsoft validates DMARC and overrides the failure with a header value for a domain whose DMARC TXT record has a policy of p=reject oreject. Instead of deleting or rejecting the message, Office 365 marks the message as spam.
To test it further we are publishing SPF, DKIM and DMARC record for the domain ezcloudinfo.com as below:
SPF record: Adding only Exchange online as authorized sender.
DKIM Record: Having the Signing key only for office 365
DMARC Record: Having strict policy of P=reject
For a successful email from a legitimate sender where it has passed spf, dkim & dmarc we see the below value for DMARC.
Now we are triggering an email from a registered mailchimp account for ezcloudinfo.com where we do not have the SPF and DKIM records added in our DNS records.
The email from mailchimp from sender address email@example.com gets landed in junk email.
We can see the header value of above email and the DMARC validation is failed.
A workaround can be accomplished by creating a Transport Rule to reject the emails that fails with the DMARC validation.
Create a Transport Rule:
Include the below value oreject or action=oreject or dmarc=fail in the message header include option.
Reject the message with the custom status code.
Now if we send a test email after this transport rule from an unauthorized sender the email will be rejected and could see the below NDR message.
So after this transport rule any spoof emails that are coming from a domain that is DMARC protected will not be delivered to the spam folder. They will all be rejected and never reach the recipient.This workaround can be beneficial for organizations where they need to strictly adhere with the RFC standard.
Thanks & Regards
Any reason not to just do a reject of the value “dmarc=fail”, why include the other two cases?
oreject or o.reject: Stands for override reject. In this case Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC TXT record has a policy of p=reject. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam. So we need to add this value as well.
Hi, With the -oreject that microsoft imposes you state rather explicitly that the email is marked as spam and delivered to the junk folder, but in my experience, I’m still seeing spoofs that fail DMARC, DKIM, and SPF, and yet still deliver to inboxes. This behavior contrasts that explicit statement (which I’ve also read on the Microsoft 0365 help pages). It’s been a frustrating uphill battle with the malicious senders, but what makes it even more difficult is that Microsoft’s own rules do not appear to be functioning in the way they claim, and their documentation on most of 365 is extremely vague and does not offer any granular explanation of what happens on the back end when specific actions are taken.
I know this is a “take it up with Microsoft” situation, but I wanted to find answers on why the oreject process does not function as stated.
So, what if you have a situation where, you have certain vendors who spoof your domain addresses so that they can easily deliver mails to your staff. But then you have DMARC set up to block anything not coming you, but then you have a transport rule in place that gives exceptions to these specific email addresses. If one of these exceptions get spoofed by a hacker, DMARC fails it but then the transport rule will allow the email to go through. How do you fix this sort of problem?
This is a good scenario to discuss. In this case i would think only of a solution to maintain the exception list on a utmost secret level. And also as an alternative refresh the exception list once in a while for customers who see this as a risk factor.
Thanks. We will soon use Quarantine policy in our DMARC. Normally when you set the DMARC to Quarantine then the email will go to sender junk email.
want to check if Email is failed with DMARC then it should go to shared mailbox as along with full header so the administrator can review it as well.
Can you suggest something about it. Thanks