Summary
Microsoft's approach to DMARC involves treating 'reject' policies as 'quarantine' to prevent false negatives, prioritizing the delivery of legitimate emails even if they fail authentication checks. DMARC policies are viewed as requests, not commands, leaving the ultimate decision on email handling to the recipient server. Microsoft's O365 platform is known to send unaligned emails directly to the spam folder. Recommendations for handling this include monitoring DMARC reports, ensuring proper SPF/DKIM alignment, and considering an Exchange rule to enforce 'reject' policies. Furthermore, senders should be aware of how Microsoft's authentication changes impact forwarded emails and understand that Microsoft often has unique ways of doing things.
Key findings
- Microsoft's Prioritization: Microsoft prioritizes avoiding false negatives by quarantining emails that fail DMARC 'reject' policies.
- DMARC as Guidance: DMARC policies serve as guidelines; the ultimate decision on handling emails lies with the recipient server (e.g., Microsoft).
- Unaligned Mail Handling: Microsoft's Office 365 platform sends unaligned emails directly to the spam folder.
- Enforcement Variances: DMARC enforcement depends on the receiver's implementation, leading some to treat 'reject' as 'quarantine.'
Key considerations
- Actionable Steps: Monitor DMARC reports and improve SPF, DKIM, and DMARC configurations.
- Mitigation Strategy: Consider an Exchange rule to enforce 'reject' policies at the organizational level.
- Proactive Alignment: Advocate for alignment with clients and understand Microsoft's authentication changes.
- Forwarding Complications: Understand and address how Microsoft's changes affect forwarded emails and mailing lists.
What email marketers say
11 marketer opinions
Microsoft often treats DMARC reject policies as quarantine to avoid blocking legitimate emails due to misconfigurations or other issues. This is because Microsoft prioritizes avoiding false negatives (missing valid emails). To address this, it's essential to monitor DMARC reports, ensure proper SPF and DKIM setup for alignment, and consider creating an Exchange rule to reject failing emails. It's also important to advocate for alignment with clients, but be aware of Microsoft's abrupt changes to authentication procedures, and how this all affects forwarded emails.
Key opinions
- Microsoft's Approach: Microsoft prioritizes avoiding false negatives (missing legitimate emails), leading them to quarantine emails that fail DMARC reject policies instead of rejecting them outright.
- Receiver Discretion: ISPs and receivers ultimately decide how to handle emails failing DMARC, even with a 'reject' policy. This depends on the implementation.
- Importance of Alignment: Proper SPF and DKIM configuration for alignment is crucial to prevent legitimate emails from being incorrectly flagged and quarantined.
- Monitor Reports: Monitoring DMARC reports helps identify legitimate emails failing authentication, allowing for adjustments to SPF, DKIM, and DMARC records.
Key considerations
- Exchange Rule: Creating an Exchange rule to reject emails failing DMARC can override Microsoft's quarantine treatment, but needs to be done cautiously.
- Client Communication: Advocating for alignment with clients and communicating changes in authentication practices is important.
- Authentication Changes: Be aware of Microsoft's abrupt changes to authentication procedures.
- Forwarded Emails: Forwarded emails and mailing lists are impacted by the MS changes.
Marketer view
Email Marketer from StackExchange explains that enforcing DMARC policies depends on the receiver's implementation, and some treat 'reject' as 'quarantine' to avoid losing legitimate emails due to misconfiguration.
21 Feb 2025 - StackExchange
Marketer view
Email Marketer from Unlock The Inbox suggests monitoring your DMARC reports to identify legitimate emails that are failing authentication. Based on the report, you can improve SPF records, DKIM keys, and DMARC records.
8 Apr 2024 - Unlock The Inbox
What the experts say
8 expert opinions
Microsoft's handling of DMARC reject policies as quarantine stems from their unique approach to authentication and the need to balance security with preventing false positives. DMARC policies are essentially requests, not commands, and receivers like Microsoft have discretion. Key elements include the importance of authentication alignment, the limited value of DMARC in many situations, and the fact that Microsoft often moves unaligned emails directly to spam within its Office 365 platform. Senders should understand Microsoft's practices, especially how it affects forwarded emails, and be aware that this forces workarounds.
Key opinions
- DMARC as a Request: DMARC policy is more of a request than a command, and receivers can interpret it as they see fit.
- Microsoft's Unique Approach: Microsoft has its own authentication practices, and this often requires senders to adapt and find workarounds.
- Alignment is Key: Microsoft's O365 platform will throw unaligned email into the spam folder.
- Limited DMARC Value: DMARC brings minimal value in many cases and can even break email functionality.
Key considerations
- Phishing Actions: What senders can do regarding phishing depends on the details of the brand and observed behavior.
- Authentication Focus: The best parts of DMARC are alignment and reporting.
- Forwarding Issues: Microsoft's authentication changes significantly impact forwarded emails, often causing them to land in the junk folder.
- Workarounds Necessary: Be prepared to implement workarounds to accommodate Microsoft's unique authentication practices.
Expert view
Expert from Word to the Wise discusses the changes in how Microsoft handles authentication for inbound mail to Office 365, explaining that Microsoft has made changes that affect the authentication landscape and how email is handled, especially for those using DMARC.
21 Mar 2025 - Word to the Wise
Expert view
Expert from Email Geeks shares that a DMARC policy provides information and is at most a request, not a command.
1 Sep 2022 - Email Geeks
What the documentation says
4 technical articles
Microsoft 365 quarantines messages failing DMARC, even with a 'reject' policy, to avoid blocking legitimate emails due to potential misconfigurations. DMARC policies are requests, not commands, giving recipient servers like Microsoft discretion over handling failed authentication. Microsoft routes unaligned mail directly to the spam folder. Ultimately, recipient servers have the final say in how emails failing authentication are handled.
Key findings
- Quarantine over Reject: Microsoft 365 quarantines DMARC failures on 'reject' to prevent loss of legitimate emails.
- Policy as Request: DMARC policies are guidelines, not mandates; recipient servers determine the action.
- Unaligned to Spam: Microsoft directly routes unaligned mail to spam within Office 365.
- Recipient Control: Recipient servers possess the ultimate decision-making power for handling authentication failures.
Key considerations
- Configuration: Ensuring proper SPF and DKIM configuration can reduce DMARC failures.
- Monitoring: Monitoring DMARC reports can aid in identifying and rectifying issues.
- Microsoft Specifics: Understanding Microsoft's particular handling of DMARC failures is crucial.
- General Guidelines: Following DMARC best practices improves overall email deliverability.
Technical article
Documentation from SocketLabs Blog explains that Microsoft started routing unaligned mail that comes into O365 hosted clients into the spam folder regardless.
27 May 2022 - SocketLabs Blog
Technical article
Documentation from Google Workspace Admin Help mentions that DMARC policies are guidelines for how recipient servers should handle emails that fail authentication. However, the ultimate decision rests with the recipient server.
21 Jan 2024 - Google Workspace Admin Help
How can I implement a DMARC reject policy for non-existent domains to prevent spam?
How can I troubleshoot DMARC failures and identify the cause of authentication issues?
How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?
How do DMARC quarantine and reject policies affect sender reputation and email delivery?
What are the steps to troubleshoot DMARC reject policy causing low email delivery rates after implementation?
When and why should I switch from DMARC p=none to p=quarantine or p=reject?
