Category Archives: DMARC

Configure Exchange Online to reject emails that fail DMARC validation with organizations having policy of reject

By default Office 365 DMARC validation for internet emails that fails for policy P=Reject will make the email to land in junk folder of the recipient mailbox.Microsoft 365 will treat DMARC policies of quarantine and reject in the same way, which means that if the sender’s DMARC policy is set to reject or quarantine, the emails that fail DMARC will be sent to the junk folder of the recipient mailbox.

Microsoft believes that the main agenda of doing this is to ensure that any legitimate emails which misses in DMARC alignment shouldn’t be lost and its better to get them delivered to recipient junk mail folder. There are few cases wherein few organizations would still need the DMARC policy to be stringent due to their security regulations.

Microsoft validates DMARC and overrides the failure with a header value for a domain whose DMARC TXT record has a policy of p=reject oreject. Instead of deleting or rejecting the message, Office 365 marks the message as spam.

To test it further we are publishing SPF, DKIM and DMARC record for the domain ezcloudinfo.com as below:

SPF record: Adding only Exchange online as authorized sender.

DKIM Record: Having the Signing key only for office 365

DMARC Record: Having strict policy of P=reject

For a successful email from a legitimate sender where it has passed spf, dkim & dmarc we see the below value for DMARC.

dmarc=pass action=none

Now we are triggering an email from a registered mailchimp account for ezcloudinfo.com where we do not have the SPF and DKIM records added in our DNS records.

The email from mailchimp from sender address sathish@ezcloudinfo.com gets landed in junk email.

We can see the header value of above email and the DMARC validation is failed.

WorkAround:

We received a workaround which can be accomplished to reject the emails that fails with DMARC validation from redsift cyber security analysis .

Create a Transport Rule:

Include the below value oreject or action=oreject or dmarc=fail in the message header include option.

Reject the message with the custom status code.

Now if we send a test email after this transport rule from an unauthorized sender the email will be rejected and could see the below NDR message.

So after this transport rule any spoof emails that are coming from a domain that is DMARC protected will not be delivered to the spam folder. They will all be rejected and never reach the recipient.

Thanks & Regards

Sathish Veerapandian

%d bloggers like this: