Suped

Summary

Microsoft's approach to DMARC policies, specifically treating a p=reject policy as p=quarantine, presents a unique challenge for senders. While DMARC is designed to help prevent email spoofing and phishing, Microsoft's discretion can lead to legitimate brand emails appearing alongside scam messages in recipients' spam or junk folders, eroding brand trust. This divergence from a strict DMARC interpretation necessitates specific strategies for senders, particularly those frequently targeted by impersonation attempts.


What email marketers say

Email marketers often express frustration with Microsoft's non-standard DMARC policy enforcement. The primary concern is that a p=reject policy, intended to outright block fraudulent emails, is instead interpreted as p=quarantine. This means spoofed messages, even those blatantly forged, can still appear in a user's junk folder, potentially undermining brand trust and security efforts. Marketers also point to a general lack of clarity and consistency in Microsoft's email authentication policies compared to other major providers.

Marketer view

Email marketer from Email Geeks explains that even when DMARC is set to reject, Microsoft still places messages in quarantine, leading to recipients seeing their brand on scam emails.

21 Jan 2021 - Email Geeks

Marketer view

Marketer from Spiceworks Community observes that a reject policy instructs recipient servers to simply reject emails failing DMARC checks, preventing them from ever reaching the inbox.

22 Jan 2024 - Spiceworks Community

What the experts say

Experts in email deliverability consistently highlight that DMARC policies are fundamentally requests or suggestions to recipient mail servers, not strict commands. This means that while a p=reject policy signals a strong preference for rejection, the ultimate decision rests with the receiving ISP. Microsoft's particular stance of treating p=reject as p=quarantine is often cited as a common workaround due to concerns over rejecting legitimate mail. Experts emphasize the importance of DMARC alignment and robust reporting, while also cautioning against the overestimation of DMARC's benefits, noting that the policy component can, if mismanaged, lead to deliverability issues.

Expert view

Expert from Email Geeks suggests that DMARC enforcing policy should be treated only as a suggestion, as it is ultimately up to receivers how they interpret and apply it.

21 Jan 2021 - Email Geeks

Expert view

Expert from Word to the Wise states that Microsoft has always implemented its own authentication practices, requiring other parties to adjust and accommodate their specific needs.

22 Mar 2020 - Word to the Wise

What the documentation says

Official documentation from Microsoft clarifies their specific approach to DMARC policy enforcement. They explicitly state that their system is configured to treat p=reject policies as p=quarantine for inbound emails. The rationale behind this decision is to prevent the rejection of legitimate emails that might inadvertently fail DMARC checks. This stance highlights a cautious approach by Microsoft to avoid false positives and maintain email flow, even if it means some level of brand exposure to spoofing in the quarantine folder. The documentation emphasizes the importance of understanding this behavior when configuring DMARC for domains sending to or through Microsoft 365.

Technical article

Microsoft documentation states that Microsoft 365 is configured to treat a p=reject DMARC policy as if it were p=quarantine. This means messages that fail DMARC will be sent to the recipient's junk email folder rather than being outright rejected.

01 Jan 2021 - docs.microsoft.com

Technical article

Microsoft's reasoning for this approach is that some legitimate email may fail DMARC. By quarantining rather than rejecting, they aim to prevent the loss of valid communications while still taking action against potential spoofing.

01 Jan 2021 - docs.microsoft.com
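One way to observe this downgrade from the sender side is to check DMARC aggregate (rua) reports for rows where the published policy is p=reject but a failing message received a different disposition. The Python below is an added example, not code from this page or from Microsoft's documentation; the report contents, reporter name, domain, IP addresses and the function name `find_downgraded` are constructed for illustration, and it assumes a report without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (RFC 7489 Appendix C layout); all values are made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>brand.example</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
</feedback>"""

def find_downgraded(report_xml):
    """Return failing rows that were not rejected although the published policy is p=reject."""
    # Reports arrive from third parties: in production, parse them with a
    # hardened parser such as defusedxml instead of the stdlib parser.
    root = ET.fromstring(report_xml)
    reporter = root.findtext("report_metadata/org_name", default="unknown")
    published = (root.findtext("policy_published/p") or "").strip().lower()
    if published != "reject":
        return []
    findings = []
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        if ev is None:
            continue
        dkim = (ev.findtext("dkim") or "").strip().lower()
        spf = (ev.findtext("spf") or "").strip().lower()
        disp = (ev.findtext("disposition") or "").strip().lower()
        # DMARC fails only when neither aligned DKIM nor aligned SPF passes.
        if dkim != "pass" and spf != "pass" and disp != "reject":
            findings.append({
                "reporter": reporter,
                "source_ip": row.findtext("source_ip"),
                "count": int(row.findtext("count") or 0),
                "disposition": disp,
            })
    return findings

if __name__ == "__main__":
    for f in find_downgraded(SAMPLE_REPORT):
        print(f"{f['reporter']}: {f['count']} failing msgs from {f['source_ip']} "
              f"got disposition={f['disposition']} despite p=reject")
```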
