How to handle Microsoft treating DMARC reject policy as quarantine?

Key findings

• DMARC interpretation: Microsoft views DMARC policies, even p=reject, as suggestions rather than strict commands. This is partly due to a stated concern that some legitimate emails might otherwise fail DMARC and be rejected.
• Impact on brand perception: Emails failing DMARC that are quarantined still allow recipients to see the spoofed brand in their junk folders, potentially confusing users and damaging brand reputation.
• Authentication rules: Microsoft 365 tends to route unaligned mail, even without a specific DMARC policy, into the spam folder, emphasizing the importance of proper SPF and DKIM alignment.
• Internal enforcement: Organizations using Microsoft 365 can set up internal Exchange rules to enforce strict DMARC rejection for inbound emails to their own domains, but this does not affect how Microsoft handles mail sent to other domains.

Key considerations

• Understand DMARC policy progression: It is critical to progress DMARC policies from p=none to p=quarantine and finally to p=reject only after careful monitoring and ensuring all legitimate mail streams pass authentication and alignment checks. This is detailed further in our guide on when to use DMARC policies.
• Prioritize authentication alignment: Ensure your SPF and DKIM records are properly configured and align with your sending domain. Microsoft (and other major ISPs) heavily rely on this alignment for inbox placement, regardless of your DMARC policy. You can find more information on how to fix common DMARC issues in Microsoft 365.
• Monitor DMARC reports: Regularly review DMARC aggregate and forensic reports to identify legitimate sending sources that might be failing DMARC, as well as instances of spoofing. This data is crucial for refining your DMARC implementation and understanding how different receivers (including Microsoft) are treating your mail. For Microsoft's own guidance on DMARC, see their official documentation.
• Educate recipients: While not a technical fix, educating your users and customers about phishing and how to identify legitimate emails can help mitigate the risk of them interacting with spoofed messages that land in their quarantine folders.

Key opinions

• Brand exposure risk: Even with a DMARC policy set to reject, seeing spoofed emails in the quarantine folder allows recipients to see the brand name associated with scam attempts, which is a major concern for brand reputation.
• Microsoft's unique approach: Microsoft's stance on DMARC policies, including the treatment of p=reject as p=quarantine, is seen as inconsistent with other providers and can be frustrating for senders.
• User address book impact: Some marketers have observed that if a sender's address is in a Hotmail user's address book, emails are more likely to land in the inbox, even if they are clearly forged, which bypasses DMARC controls.
• Challenge in client education: It is difficult to convince clients that implementing DMARC incorrectly (e.g., p=none without alignment) can actively harm deliverability rather than help it.

Key considerations

• Internal enforcement: For organizations using Microsoft 365, consider creating an Exchange rule to strictly reject inbound emails that fail DMARC. This is a crucial step to protect your own users from spoofing, as outlined in our guide on using DMARC p=reject to combat email spoofing.
• Align authentication: Ensure that SPF and DKIM are properly configured and aligned with your organizational domain. Microsoft heavily relies on this alignment for filtering, often sending unaligned mail to the spam folder, irrespective of the DMARC policy. This is a common issue that can be addressed by ensuring your best practices for setting DMARC policy.
• Advocate for DMARC aggregate reports: Marketers frequently express a desire for Microsoft to send DMARC aggregate reports, which would provide crucial visibility into email authentication results and aid in identifying spoofing. Voting for such features in user feedback forums can help raise awareness for Microsoft.
• Review email sending practices: If web contact forms or other non-API call systems spoof the 5322.From header, these emails will likely fail DMARC. Consider adjusting these practices or making specific exceptions at the receiving end to ensure legitimate mail is not blocked or quarantined.

Key opinions

• DMARC as a suggestion: DMARC policy enforcement should be considered a suggestion, with the final decision on how to handle non-compliant mail resting with the receiving mail server.
• Microsoft's independent approach: Microsoft has historically operated by its own authentication rules, requiring others to adapt to their specific requirements.
• Alignment over policy: The most valuable aspects of DMARC are the concept of alignment for authentication and reporting, with the explicit policy (like p=reject) having the potential to break email if not carefully managed. Receivers can and do check alignment even without a published DMARC policy.
• DMARC benefits oversold: Many experts feel the benefits of DMARC have been oversold, leading organizations to implement it without fully understanding its implications or having the resources to monitor reports.
• Evolving threat model: The original threat model DMARC was designed for has evolved, and the internet has moved on, suggesting that strict p=reject policies are less universally applicable than once thought.

Key considerations

• Prioritize proper alignment: Before implementing a DMARC policy beyond p=none, ensure that SPF and DKIM are fully aligned for all legitimate sending sources. Failing to do so can lead to legitimate emails being junked or blocklisted (or blacklisted). Learn more about why DMARC authentication fails even when SPF and DKIM pass.
• Resource allocation for reporting: While DMARC reporting is valuable, it requires resources to process and act on the data. If an organization lacks these resources, simply publishing a policy without monitoring can be detrimental. Insights into understanding and troubleshooting DMARC reports are critical.
• Careful policy deployment: A DMARC policy (especially p=reject) can be effective if implemented with a clear understanding of its potential disadvantages and a competent deployment strategy. This is further explored in a discussion on Microsoft's authentication changes.
• Re-evaluate 822.From usage: The practice of treating the 822.From header as an opaque authentication cookie can inadvertently undermine DMARC's intended purpose, emphasizing a need for careful protocol understanding.

Key findings

• Microsoft's stated policy: Microsoft 365 is configured to treat a p=reject DMARC policy as p=quarantine for inbound email.
• Reason for behavior: This approach is taken because Microsoft acknowledges that some legitimate emails may fail DMARC checks, and they prioritize deliverability over strict rejection in such cases.
• Impact on Authentication-Results header: Previously, the Authentication-Results header would show dmarc=oreject (organizational reject) when a p=reject policy was set, effectively indicating a quarantine action despite the policy's name.
• Gradual DMARC implementation: The recommended DMARC implementation path involves starting with p=none, moving to p=quarantine, and then to p=reject after careful monitoring.

Key considerations

• Configure internal rules: If you are a Microsoft 365 tenant, you can configure Exchange mail flow rules to explicitly reject emails that fail DMARC. This internal rule allows your organization to strictly enforce rejection for incoming messages to your own users. This process is part of a broader set of best practices for DMARC setup.
• Monitor DMARC reports for all policies: Regardless of Microsoft's specific handling, consistent monitoring of DMARC aggregate and forensic reports is crucial. This helps to identify all sending sources using your domain and ensure they are properly authenticated. Understanding your DMARC reports helps prevent deliverability issues when implementing a DMARC p=reject policy.
• Aligning authentication is key: Microsoft's enforcement emphasizes the importance of SPF and DKIM alignment for all emails. Even if p=reject results in quarantine, proper alignment is critical for avoiding the spam folder. More details on Microsoft applying DMARC security policies can be found in a relevant article.
• Stay informed on policy updates: Microsoft, like other major mail providers, may update their DMARC handling policies. Regularly consulting their official documentation and industry news is essential to stay ahead of changes affecting your email deliverability.