By default, when an internet email fails DMARC validation in Office 365 and the sender domain's policy is p=reject, the message lands in the recipient's Junk Email folder. Microsoft 365 treats DMARC policies of quarantine and reject the same way: if the sender's DMARC policy is set to reject or quarantine, emails that fail DMARC are delivered to the recipient's Junk Email folder. This is by design as of now and is documented in the Microsoft article on DMARC validation in Office 365.
Microsoft's reasoning is that a legitimate email that fails DMARC alignment should not be lost outright; it is considered safer to quarantine it or deliver it to the recipient's Junk Email folder than to reject it. Some organizations, however, still need the DMARC policy enforced strictly because of their security regulations.
Microsoft validates DMARC and, for a domain whose DMARC TXT record has a policy of p=reject, overrides the failure with the header value dmarc=fail action=oreject in the Authentication-Results header ("oreject" stands for override reject). Instead of deleting or rejecting the message, Office 365 marks it as spam. Note that newer tenants also get an option in the anti-phishing policy's spoof settings to honor the sender's DMARC policy; the transport rule workaround described here works independently of that setting.
To test this further, we publish SPF, DKIM and DMARC records for the domain ezcloudinfo.com as below:
SPF record: authorizes only Exchange Online as a sender.
DKIM record: carries the signing keys for Office 365 only.
DMARC record: strict policy of p=reject.
For an email from a legitimate sender that passes SPF, DKIM and DMARC, the Authentication-Results header shows the value below for DMARC.
Now we send an email from a Mailchimp account registered for ezcloudinfo.com; Mailchimp's SPF include and DKIM selector records are not added to our DNS, so this sender is unauthorized.
The email from Mailchimp, with sender address email@example.com, lands in the Junk Email folder.
Looking at the headers of that email, we can see that DMARC validation has failed.
A workaround is to create a transport rule (mail flow rule) that rejects emails that fail DMARC validation.
Create a Transport Rule:
In the condition "A message header includes any of these words", set the header name to Authentication-Results and the words to dmarc=fail action=oreject. Matching only oreject or action=oreject also works; matching dmarc=fail alone is broader and would also reject failures for sender domains whose policy is quarantine or none, so prefer the action=oreject form if you want to honor each sender's published policy.
Reject the message with a custom enhanced status code (for example 5.7.1) and a reject text that tells the sender why.
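The same rule can be created from Exchange Online PowerShell. The following is an added example and not part of the original post; it assumes the ExchangeOnlineManagement module is installed, that the account used has rights to manage mail flow rules, and that the rule name, admin UPN and reject text are placeholders you will change.

```powershell
# Added example: create the "reject on DMARC p=reject failure" mail flow rule in Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed; admin@ezcloudinfo.com is a hypothetical admin UPN.
Connect-ExchangeOnline -UserPrincipalName admin@ezcloudinfo.com

$ruleName = 'Reject DMARC failures (p=reject)'   # hypothetical rule name

# Exchange Online stamps "dmarc=fail action=oreject" into the Authentication-Results header when the
# sender's DMARC policy is p=reject but the service has downgraded the action to junk. Matching that
# exact header/value pair is tighter than matching "oreject" anywhere in the message, and it leaves
# failures for p=quarantine (action=quarantine) and p=none (action=none) senders alone.
# -FromScope NotInOrganization limits the rule to external mail so internal relays are not affected.
# Start in Audit mode, check the rule's hits in the message trace, then switch to Enforce.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=fail action=oreject' `
    -RejectMessageReasonText 'Rejected: DMARC validation failed for a sender domain that publishes p=reject' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit `
    -Priority 0 `
    -Comments 'Enforce the sender DMARC p=reject policy instead of delivering to Junk Email'

# Review what was created before enforcing it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, FromScope, HeaderContainsMessageHeader, HeaderContainsWords,
                RejectMessageEnhancedStatusCode, RejectMessageReasonText

# Once the audit results look right, turn the rule on for real.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

The Audit step matters: if a third-party service that sends on your behalf (a newsletter tool, a ticketing system) was never added to SPF and DKIM, this rule will start bouncing its mail rather than junking it, so check the message trace for rule hits before moving to Enforce.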
If we now send a test email from an unauthorized sender with the transport rule in place, the email is rejected and the sender receives the NDR shown below.
So with this transport rule, spoofed emails from a DMARC-protected domain will no longer be delivered to the Junk Email folder. They will be rejected and never reach the recipient. This workaround is useful for organizations that need to strictly adhere to the DMARC standard (RFC 7489).
Thanks & Regards