
DMARC fails in junk folder action=oreject

You have successfully implemented SPF, DKIM and DMARC in your environment. But a message from your domain that fails DMARC lands in a user's junk folder in Exchange Online instead of being rejected. What now?


Root cause

SPF, DKIM and DMARC with p=reject are running in your environment, and you assume that most unauthorized emails will be blocked by DMARC because the policy is set to reject.

Then a user comes to you and tells you he has a junk email that came from your domain. When you analyze the header, you should find in the Authentication-Results that DMARC failed, but with the action “oreject”. Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC record has a policy of p=reject. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam.

This means that if an email fails the DMARC check and the policy is p=reject, Exchange Online overrides the action from <dmarc=fail action=reject> to <dmarc=fail action=oreject> and marks the message as spam instead of deleting it.
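To triage a reported junk message, the Authentication-Results header can be parsed and the override flagged automatically. The following is an added example, not part of the original post; the sample message is constructed (example.com and 203.0.113.10 are placeholders) and the function names are hypothetical.

```python
import email
import re
from email import policy

# Constructed sample message for illustration; not taken from a real mailbox.
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=oreject header.from=example.com;
 compauth=fail reason=000
From: "Payroll" <payroll@example.com>
To: user@example.com
Subject: constructed test message

body
"""

def parse_auth_results(raw_message):
    """Return {method: {"result": ..., property: value}} for each method
    (spf, dkim, dmarc, compauth) found in Authentication-Results headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    methods = {}
    for header in msg.get_all("Authentication-Results", []):
        # Drop parenthesised comments such as "(sender IP is ...)".
        value = re.sub(r"\([^)]*\)", " ", str(header))
        for clause in value.split(";"):
            pairs = [t.split("=", 1) for t in clause.split() if "=" in t]
            if not pairs:
                continue  # e.g. a leading authserv-id with no key=value
            (method, result), props = pairs[0], pairs[1:]
            methods[method.lower()] = {"result": result.lower(), **dict(props)}
    return methods

def dmarc_verdict(raw_message):
    """Classify the DMARC outcome; returns (verdict, header.from domain)."""
    dmarc = parse_auth_results(raw_message).get("dmarc", {})
    action = dmarc.get("action", "").lower()
    domain = dmarc.get("header.from")
    if dmarc.get("result") != "fail":
        return ("not-a-dmarc-fail", domain)
    if action == "oreject":
        # p=reject was published, but the message was marked as spam instead.
        return ("reject-overridden-to-junk", domain)
    return ("dmarc-fail-action-" + (action or "unknown"), domain)

if __name__ == "__main__":
    print(dmarc_verdict(SAMPLE))
```
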

Why is Microsoft doing this?

Exchange Online is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that relays the message to all participants. If Microsoft 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages still fail DMARC, but they are marked as spam and not rejected.

Would you rather see it differently in Exchange Online?

If you want more control over DMARC failures from unauthenticated senders using your domain, and do not want them to land in your end users' junk folders, turn on spoof intelligence in the ATP-Anti phishing policy.

You can turn on spoof intelligence by following these steps:

  • Log in to https://security.microsoft.com/antiphishing
  • Open your ATP-Anti phishing policy
  • Under ‘Phishing threshold & protection’
    • Edit protection settings
  • Enable spoof intelligence
  • Under ‘Actions’,
    • Edit actions
  • If message is detected as spoof
    • Quarantine the message
  • Check ‘Unauthenticated senders symbol (?) for spoof’ also.

Outcome

Spoof intelligence is turned on, which means that DMARC failures with action=oreject go to quarantine from now on.

