Microsoft's approach to DMARC policies, specifically treating a p=reject policy as p=quarantine, presents a unique challenge for senders. While DMARC is designed to help prevent email spoofing and phishing, Microsoft's discretion can lead to legitimate brand emails appearing alongside scam messages in recipients' spam or junk folders, eroding brand trust. This divergence from a strict DMARC interpretation necessitates specific strategies for senders, particularly those frequently targeted by impersonation attempts.
Key findings
DMARC interpretation: Microsoft views DMARC policies, even p=reject, as suggestions rather than strict commands. This is partly due to a stated concern that some legitimate emails might otherwise fail DMARC and be rejected.
Impact on brand perception: Emails failing DMARC that are quarantined still allow recipients to see the spoofed brand in their junk folders, potentially confusing users and damaging brand reputation.
Authentication rules: Microsoft 365 tends to route unaligned mail, even without a specific DMARC policy, into the spam folder, emphasizing the importance of proper SPF and DKIM alignment.
Internal enforcement: Organizations using Microsoft 365 can set up internal Exchange rules to enforce strict DMARC rejection for inbound emails to their own domains, but this does not affect how Microsoft handles mail sent to other domains.
Key considerations
Understand DMARC policy progression: It is critical to progress DMARC policies from p=none to p=quarantine and finally to p=reject only after careful monitoring and ensuring all legitimate mail streams pass authentication and alignment checks. This is detailed further in our guide on when to use DMARC policies.
Prioritize authentication alignment: Ensure your SPF and DKIM records are properly configured and align with your sending domain. Microsoft (and other major ISPs) heavily rely on this alignment for inbox placement, regardless of your DMARC policy. You can find more information on how to fix common DMARC issues in Microsoft 365.
Monitor DMARC reports: Regularly review DMARC aggregate and forensic reports to identify legitimate sending sources that might be failing DMARC, as well as instances of spoofing. This data is crucial for refining your DMARC implementation and understanding how different receivers (including Microsoft) are treating your mail. For Microsoft's own guidance on DMARC, see their official documentation.
Educate recipients: While not a technical fix, educating your users and customers about phishing and how to identify legitimate emails can help mitigate the risk of them interacting with spoofed messages that land in their quarantine folders.
Email marketers often express frustration with Microsoft's non-standard DMARC policy enforcement. The primary concern is that a p=reject policy, intended to outright block fraudulent emails, is instead interpreted as p=quarantine. This means spoofed messages, even those blatantly forged, can still appear in a user's junk folder, potentially undermining brand trust and security efforts. Marketers also point to a general lack of clarity and consistency in Microsoft's email authentication policies compared to other major providers.
Key opinions
Brand exposure risk: Even with a DMARC policy set to reject, seeing spoofed emails in the quarantine folder allows recipients to see the brand name associated with scam attempts, which is a major concern for brand reputation.
Microsoft's unique approach: Microsoft's stance on DMARC policies, including the treatment of p=reject as p=quarantine, is seen as inconsistent with other providers and can be frustrating for senders.
User address book impact: Some marketers have observed that if a sender's address is in a Hotmail user's address book, emails are more likely to land in the inbox, even if they are clearly forged, which bypasses DMARC controls.
Challenge in client education: It is difficult to convince clients that implementing DMARC incorrectly (e.g., p=none without alignment) can actively harm deliverability rather than help it.
Key considerations
Internal enforcement: For organizations using Microsoft 365, consider creating an Exchange rule to strictly reject inbound emails that fail DMARC. This is a crucial step to protect your own users from spoofing, as outlined in our guide on using DMARC p=reject to combat email spoofing.
Align authentication: Ensure that SPF and DKIM are properly configured and aligned with your organizational domain. Microsoft heavily relies on this alignment for filtering, often sending unaligned mail to the spam folder, irrespective of the DMARC policy. This is a common issue that can be addressed by ensuring your best practices for setting DMARC policy.
Advocate for DMARC aggregate reports: Marketers frequently express a desire for Microsoft to send DMARC aggregate reports, which would provide crucial visibility into email authentication results and aid in identifying spoofing. Voting for such features in user feedback forums can help raise awareness for Microsoft.
Review email sending practices: If web contact forms or other non-API call systems spoof the 5322.From header, these emails will likely fail DMARC. Consider adjusting these practices or making specific exceptions at the receiving end to ensure legitimate mail is not blocked or quarantined.
Marketer view
Email marketer from Email Geeks explains that even when DMARC is set to reject, Microsoft still places messages in quarantine, leading to recipients seeing their brand on scam emails.
21 Jan 2021 - Email Geeks
Marketer view
Marketer from Spiceworks Community observes that a reject policy instructs recipient servers to simply reject emails failing DMARC checks, preventing them from ever reaching the inbox.
22 Jan 2024 - Spiceworks Community
What the experts say
Experts in email deliverability consistently highlight that DMARC policies are fundamentally requests or suggestions to recipient mail servers, not strict commands. This means that while a p=reject policy signals a strong preference for rejection, the ultimate decision rests with the receiving ISP. Microsoft's particular stance of treating p=reject as p=quarantine is often cited as a common workaround due to concerns over rejecting legitimate mail. Experts emphasize the importance of DMARC alignment and robust reporting, while also cautioning against the overestimation of DMARC's benefits, noting that the policy component can, if mismanaged, lead to deliverability issues.
Key opinions
DMARC as a suggestion: DMARC policy enforcement should be considered a suggestion, with the final decision on how to handle non-compliant mail resting with the receiving mail server.
Microsoft's independent approach: Microsoft has historically operated by its own authentication rules, requiring others to adapt to their specific requirements.
Alignment over policy: The most valuable aspects of DMARC are the concept of alignment for authentication and reporting, with the explicit policy (like p=reject) having the potential to break email if not carefully managed. Receivers can and do check alignment even without a published DMARC policy.
DMARC benefits oversold: Many experts feel the benefits of DMARC have been oversold, leading organizations to implement it without fully understanding its implications or having the resources to monitor reports.
Evolving threat model: The original threat model DMARC was designed for has evolved, and the internet has moved on, suggesting that strict p=reject policies are less universally applicable than once thought.
Key considerations
Prioritize proper alignment: Before implementing a DMARC policy beyond p=none, ensure that SPF and DKIM are fully aligned for all legitimate sending sources. Failing to do so can lead to legitimate emails being junked or blocklisted (or blacklisted). Learn more about why DMARC authentication fails even when SPF and DKIM pass.
Resource allocation for reporting: While DMARC reporting is valuable, it requires resources to process and act on the data. If an organization lacks these resources, simply publishing a policy without monitoring can be detrimental. Insights into understanding and troubleshooting DMARC reports are critical.
Careful policy deployment: A DMARC policy (especially p=reject) can be effective if implemented with a clear understanding of its potential disadvantages and a competent deployment strategy. This is further explored in a discussion on Microsoft's authentication changes.
Re-evaluate 822.From usage: The practice of treating the 822.From header as an opaque authentication cookie can inadvertently undermine DMARC's intended purpose, emphasizing a need for careful protocol understanding.
Expert view
Expert from Email Geeks suggests that DMARC enforcing policy should be treated only as a suggestion, as it is ultimately up to receivers how they interpret and apply it.
21 Jan 2021 - Email Geeks
Expert view
Expert from Word to the Wise states that Microsoft has always implemented its own authentication practices, requiring other parties to adjust and accommodate their specific needs.
22 Mar 2020 - Word to the Wise
What the documentation says
Official documentation from Microsoft clarifies their specific approach to DMARC policy enforcement. They explicitly state that their system is configured to treat p=reject policies as p=quarantine for inbound emails. The rationale behind this decision is to prevent the rejection of legitimate emails that might inadvertently fail DMARC checks. This stance highlights a cautious approach by Microsoft to avoid false positives and maintain email flow, even if it means some level of brand exposure to spoofing in the quarantine folder. The documentation emphasizes the importance of understanding this behavior when configuring DMARC for domains sending to or through Microsoft 365.
Key findings
Microsoft's stated policy: Microsoft 365 is configured to treat a p=reject DMARC policy as p=quarantine for inbound email.
Reason for behavior: This approach is taken because Microsoft acknowledges that some legitimate emails may fail DMARC checks, and they prioritize deliverability over strict rejection in such cases.
Impact on Authentication-Results header: Previously, the Authentication-Results header would show dmarc=oreject (organizational reject) when a p=reject policy was set, effectively indicating a quarantine action despite the policy's name.
Gradual DMARC implementation: The recommended DMARC implementation path involves starting with p=none, moving to p=quarantine, and then to p=reject after careful monitoring.
Key considerations
Configure internal rules: If you are a Microsoft 365 tenant, you can configure Exchange mail flow rules to explicitly reject emails that fail DMARC. This internal rule allows your organization to strictly enforce rejection for incoming messages to your own users. This process is part of a broader set of best practices for DMARC setup.
Monitor DMARC reports for all policies: Regardless of Microsoft's specific handling, consistent monitoring of DMARC aggregate and forensic reports is crucial. This helps to identify all sending sources using your domain and ensure they are properly authenticated. Understanding your DMARC reports helps prevent deliverability issues when implementing a DMARC p=reject policy.
Aligning authentication is key: Microsoft's enforcement emphasizes the importance of SPF and DKIM alignment for all emails. Even if p=reject results in quarantine, proper alignment is critical for avoiding the spam folder. More details on Microsoft applying DMARC security policies can be found in a relevant article.
Stay informed on policy updates: Microsoft, like other major mail providers, may update their DMARC handling policies. Regularly consulting their official documentation and industry news is essential to stay ahead of changes affecting your email deliverability.
Technical article
Microsoft documentation states that Microsoft 365 is configured to treat a p=reject DMARC policy as if it were p=quarantine. This means messages that fail DMARC will be sent to the recipient's junk email folder rather than being outright rejected.
01 Jan 2021 - docs.microsoft.com
Technical article
Microsoft's reasoning for this approach is that some legitimate email may fail DMARC. By quarantining rather than rejecting, they aim to prevent the loss of valid communications while still taking action against potential spoofing.