How does Microsoft 365 Manage Inbound Email Messages that Don’t Pass the DMARC Checks?

Microsoft refrains from rejecting emails that don’t pass the DMARC checks even if the sending domain’s DMARC policy is set to ‘p=reject.’ This is because it is considerate of the legitimate emails that get false positives. So, to avoid disrupting genuine conversations, Microsoft takes a different route.

Email forwarding and configuration issues in the sender’s SPF, DKIM, and DMARC records are the two primary reasons for triggering a false positive for legitimate emails. So, instead of rejecting such emails, Microsoft simply makes them rest in the spam folder, even if your policy instructs it to bounce them back. 

It’s suggested that you create a ‘safe sender’ list and a transport rule, also known as an Exchange Mail Flow Rule. Let’s see how the latter is done.

Creating Microsoft 365 Transport Rule to Quarantine Unauthorized Inbound Emails

Since Microsoft doesn’t support the ‘reject’ instructions, we can address the concern by creating an Exchange Mail Flow/ Transport rule with an email header.

Scenario 1: Configuring the Transport Rule to Quarantine Inbound Emails From Internal Domains

This case fits when the internal domains in the From address receive emails. This registers the message into the user’s spam folder and not the primary inbox, thus minimizing the chances of phishing yet not completely erasing email communication. 

The regulation confirms if the From field is exactly the same as your domain and if the DMARC check has failed for the specific message. This evaluation helps the protocol in affirming what actions should be taken.

But remember to use this rule on a restricted user base before making it a domain-across criteria. This way, the testing stage won’t hamper your overall email infrastructure if anything goes wrong. It’s important that all authorized senders pass DMARC; otherwise, mailboxes will flag genuine emails. 

Here’s how you have to proceed to set the rule-

1. Use your login credentials to access your Exchange Online admin center. 
2. Navigate to ‘Mail Flow’ and select ‘Rules’ under it.
3. Click on the ‘Add’ icon and ‘Create a New Rule.’
4. Next, change the ‘Match sender address in message’ to ‘Header.’
5. You will see the ‘Apply this rule if…’ field, where you can choose the condition you want to apply from the list in the drop-down menu. In our case, we want to set the rule for the instances where the DMARC authentication result is ‘fail’ and if the ‘From’ domain is exactly the same as your own domain. 
6. Then, you will see the ‘Do the following…’ field where you can choose the action as ‘Deliver the message to the hosted quarantine.’
7. It’s done. Just click ‘Save.’

Scenario 2: Configuring the Transport Rule to Quarantine Inbound Emails From External Domains

If you receive emails from external domains, you can set a disclaimer warning of a foreseeable phishing and spoofing attempt. Also, this deliberation for external domains failing DMARC checks is helpful if you don’t want to restrict messages outright. This is because incorrectly set protocols often lead to failed authentication checks for legitimate emails as well.

Here’s what you need to follow-

1. Use your login credentials to access your Exchange Online admin center. 
2. Navigate to ‘Mail Flow’ and select ‘Rules’ under it.
3. Click on the ‘Add’ icon and ‘Create a new rule.’
4. Next, change the ‘Match sender address in message’ to ‘Header.’
5. You will see the ‘Apply this rule if…’ field, where you can choose the condition you want to apply from the list in the drop-down menu. In our case, we want to set the rule for the cases when the DMARC authentication result is ‘fail’ and if the ‘From’ domain is exactly the same as your own domain. 
6. Then, you will see the ‘Do the following…’ field, where you can choose the action ‘Prepend the disclaimer’ and add your desired disclaimer.
7. You can now add an exception to this rule, like in case the “From” header matches your domain name.
8. It’s done. Just click ‘Save.’

Learning to Make Microsoft 365 Transport Rule to Reject Unauthorized Inbound Emails

• Use your login credentials to access your Exchange Online admin center. 
• Navigate to ‘Mail Flow’ and select ‘Rules’ under it.
• Click on the ‘Add’ icon, followed by ‘+Add a rule.’
• Click on ‘Create a new rule’ from the drop-down menu.
• Name your rule.
• Choose “the message headers include any of these words” under “Apply this rule if.”
• Click ‘Enter Text’ > ‘Authenticated results.’
•  Next, click ‘Enter words’ and select the option you prefer. You can also select all the options.
• Under ‘Do the following,’ select ‘Block the message.’
• Click on “Reject the message and include an explanation.”
• Save the email flow rule and wait for a while for it to get propagated throughout the internet, 
• You are done.

The layered defences of Exchange Online Protection

Image sourced from practical365.com

Additional Points to Bear in Mind

• DMARC’s effectiveness depends on the configuration of SPF and DKIM records too. So, ensure all three records are well set and updated.
• Although it’s not mandatory to choose to receive aggregate and DMARC forensic reports, experts highly encourage it. These reports give insights into legitimate and illegitimate emails sent from your domain and help control the damage before the situation worsens.
• DMARC’s ‘none’ policy is only ideal for the first few weeks of implementing DMARC as it’s just a monitoring policy. So, plan ahead to gradually move from ‘none’ to ‘quarantine’ to ‘reject.’
• Don’t be impatient to set your DMARC policy to ‘reject’; it takes time to attain the stage where there are a minimal number of false positives.
• Regularly run SPF, DKIM, and DMARC records through their respective lookup tools or analyzers so that you come across configurational and syntactical problems.
• Onboard an email authentication expert or outsource the responsibility to an agency like DuoCircle. DIY-ing DMARC is not suggested.