You have successful implemented SPF, DKIM and DMARC in your environment. But DMARC fails from your domain lands in the junk folder of an user in Exchange Online instead of rejecting it. What now?
SPF, DKIM and DMARC on p=reject is running in your environment and you assume that the most unauthorized emails will be blocked by DMARC, because the policy is on reject.
Then an user comes to you and tells you he has a junk email that came from your domain. While analyzing the header, you should find in the Authentication-Results that DMARC is failed, but with action reason “oreject”. In this case Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC record has a policy of p=reject. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam.
This means that if an email fails the DMARC check and the policy is p=reject, Exchange Online override the action from <dmarc=fail action=reject> to <dmail=fail action=oreject> and marked it as spam instead of deleting the message.
Why is Microsoft doing this?
Exchange Online is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list, that relays the message to all participants. If Microsoft 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected.
Would you rather see it differently in Exchange Online?
If you want more control of DMARC fails from your domain from unauthenticated senders, and not want it to land in the junk folder of your end users, then turn on spoof intelligence in ATP-Anti phishing policy.
- Login to https://protection.office.com/antiphishing
- Open your ATP-Anti phishing policy
- Under Spoof, choose edit.
- Enable spoof intelligence
- Turn on
- Enable unauthenticated sender symbol (applies a “?” symbol in Outlook’s sender card if the sender fails the authentication check)
- Turn on
- Quarantine the message
ATP-Anti phishing policy
Like I explain in this earlier blog post, you can turn on impersonation in ATP anti-phishing policies. For example, your CEO is called Peter Parker. With impersonation turned on, all the email from “Peter Parkerr <firstname.lastname@example.org>”, “Peter Parker <email@example.com>” or with the domains to protect function, “Peter Parker <firstname.lastname@example.org>”, will be moved to quarantine, if you have set that up.
But those settings are not enough to stop the DMARC fails with action oreject in the user’s junk mailbox, therefore you need to turn on spoof intelligence.