Microsoft’s recent updates empower domain owners to combat modern phishing attacks using DMARC

by Duocircle


Microsoft has always encouraged domain owners to deploy DMARC to improve email deliverability and prevent spoofing. It has also been part of industry groups that aim to improve email security standards, demonstrating its endorsement of DMARC as part of the future of secure communication.

As a strong proponent of this, Microsoft has recently changed the way it handles certain settings in DMARC policies. Domain owners now have better control over emails that fail DMARC authentication checks, and they get deeper and broader visibility into their domains’ email activity, which helps them detect potentially fraudulent emails.

This blog includes details on Microsoft’s new way of handling DMARC policies.


How does DMARC help Microsoft Exchange users to combat phishing and spoofing?

DMARC allows Exchange admins to publish a DMARC policy that tells recipients’ mail servers how to handle unauthorized emails sent from their domains. The three policy options any DMARC user can choose from are:


None

The ‘none’ policy is also called the ‘monitoring’ policy because it simply lets domain owners observe how recipients’ mail servers are treating their domain’s emails. This policy gives receiving email servers no instruction at all; they handle emails from your domain however they normally would.

It’s recommended to use the ‘none’ policy in the initial phase of DMARC deployment (for around 2-4 weeks, depending on the nature and utility of your email-sending domain). This policy prepares you to move on to the stricter ones: quarantine and reject.

Many domain owners overlook the responsibility of gradually advancing their DMARC policy to ‘quarantine’ and ‘reject,’ and so never get the full protection that email authentication through DMARC offers. Please note that a domain whose DMARC policy stays at ‘none’ for a long time is effectively equivalent to one that has not deployed DMARC at all.


Quarantine

After you are done monitoring and understanding how recipients’ mailboxes perceive and handle your emails, you should step up to the ‘quarantine’ policy. This DMARC policy instructs receivers’ mail servers to mark unauthorized emails from your domain as spam. This way, potentially fraudulent and malicious emails don’t land in recipients’ inboxes, minimizing the chance of recipients being duped. You can also use the ‘pct’ tag (percentage tag) to apply the ‘quarantine’ policy to only a specified percentage of failing emails.


Reject

The ‘reject’ policy is the strictest, as it instructs recipients’ servers to reject unauthorized emails from your domain outright. Such emails land neither in primary inboxes nor in spam folders; they simply bounce back to the senders.

Many domain owners hesitate to set this DMARC policy because false positives and misconfigurations can block legitimate emails from entering mailboxes. The ‘reject’ policy is strict and requires precise email authentication setup, including coordination with third-party senders like marketing platforms, which can be complex and resource-intensive to manage. This risk of inadvertently losing valid emails often leads domain owners to adopt less strict policies like ‘none’ or ‘quarantine’ instead.


How does Microsoft honor DMARC policies?

In 2023, Microsoft tightened its DMARC policy for its domains to enforce the ‘reject’ policy, blocking emails that fail DMARC checks. Before this, emails that failed DMARC with a ‘reject’ policy could still end up in junk or spam folders, as Microsoft treated ‘reject’ like ‘quarantine,’ which could increase the risk of phishing attacks reaching users.


Now, if an organization’s email fails authentication with a ‘reject’ policy, the sender receives a non-delivery report explaining why the email was blocked.

By default, Microsoft 365 respects the sender’s DMARC policy, but admins can adjust this in the anti-phishing settings. For example, admins might implement stricter rules during a phishing attack, like quarantining all emails from a specific domain.


Setting up a DMARC policy for Microsoft 365

Here are the steps to set up a DMARC policy in Microsoft 365:

  1. Go to the Microsoft Defender portal and log in with your admin credentials.
  2. Go to Policies & Rules > Threat Policies.
  3. Set up DMARC by selecting ‘Anti-phishing.’
  4. Create or modify the DMARC policy by clicking the + icon or ‘New custom policy.’
  5. Click on ‘Settings’ and configure the following:
    • Choose the none, quarantine, or reject policy, depending on your needs and rollout stage.
    • Specify the email addresses where you want to receive the aggregate and forensic reports.
  6. Once you are done configuring the DMARC settings, save your changes.
  7. Enable DMARC for your domain by adding the DMARC TXT record to your DNS.
  8. Use a DMARC record lookup tool to check the record for errors. Then evaluate the DMARC reports as they arrive and adjust the settings if necessary.
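As an added example (not code from the original post, nor from Microsoft or DuoCircle), the following Python parses a DMARC TXT record like the one added in step 7, reports the kinds of errors a record lookup tool flags in step 8, and works out which of the three policies described above a receiver applies to a failing message when the ‘pct’ tag is in use. The record strings and message ids in the test are constructed; the sampling-by-hash is this example’s own choice, since the RFC leaves the sampling method to the receiver.

```python
"""Parse a DMARC TXT record, validate its tags, and decide how a receiver
that honours the policy treats a message that FAILED the DMARC check."""
import hashlib

VALID_POLICIES = {"none", "quarantine", "reject"}
# With pct < 100, messages outside the sample get the next-less-strict policy.
RELAXED = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; pct=50; rua=mailto:...' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def validate_dmarc_record(tags):
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    if list(tags)[:1] != ["v"] or tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        problems.append("pct must be an integer from 0 to 100")
    if "rua" not in tags:
        problems.append("no rua tag, so no aggregate reports will arrive")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not uri.strip().startswith("mailto:"):
                problems.append(f"{tag} entries must be mailto: URIs")
    return problems

def disposition(tags, message_id, subdomain=False):
    """Policy a receiver applies to one failing message. A hash of the
    message id gives a stable pseudo-random sample for the pct tag."""
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    pct = int(tags.get("pct", "100"))
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    return policy if bucket < pct else RELAXED[policy]
```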


How can you leverage the best benefits of DMARC reports?

Your job is not done once you have added the email address where you want to receive the DMARC reports; you will have to analyze them regularly. Here’s how to organize that effort:


Analyze authentication failures

Review DMARC reports regularly to identify domains or IP addresses failing DMARC checks. This helps detect unauthorized senders (potential spoofers) and allows you to take action by updating SPF/DKIM records or blocking malicious senders.


Improve SPF and DKIM alignment

Use DMARC reports to assess whether your SPF and DKIM policies are properly aligned across all authorized senders. If emails fail DMARC despite being legitimate, adjust your SPF or DKIM configurations to ensure better alignment and reduce false positives.


Optimize your email infrastructure

DMARC reports provide insights into all sources sending emails on behalf of your domain. Use this data to optimize your email infrastructure, ensuring that only authorized services send emails and that rogue or obsolete systems are identified and removed.
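An added example, not part of the original post: a small Python routine that reads a DMARC aggregate (rua) report and sorts each sending source into the three cases the sections above describe (passing, failing only on alignment, or failing authentication outright), which is the split that tells you whether to fix SPF/DKIM alignment or to treat the source as unauthorized. The report XML is a constructed sample, and the IP addresses are documentation ranges.

```python
"""Summarise a DMARC aggregate (rua) report per source IP and classify each
failure as an alignment problem or a plain authentication failure."""
import xml.etree.ElementTree as ET

# Constructed sample report (not a real report): a well-behaved source, a
# third-party sender that signs with its own domain, and an unknown source.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated>
   <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count><policy_evaluated>
   <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>bulkmailer.example</domain><result>pass</result></dkim>
   <spf><domain>bulkmailer.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>15</count><policy_evaluated>
   <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def summarize_report(xml_text):
    """Map source IP -> count, disposition and verdict (pass / misaligned /
    unauthenticated). DMARC passes if either DKIM or SPF is aligned."""
    summary = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        # Raw pass for some domain but not the From: domain -> alignment issue,
        # typically a third-party sender that needs an SPF include / custom DKIM.
        raw_pass = any(r.findtext("result") == "pass"
                       for r in rec.findall("auth_results/*"))
        verdict = "pass" if aligned else "misaligned" if raw_pass else "unauthenticated"
        summary[rec.findtext("row/source_ip")] = {
            "count": int(rec.findtext("row/count")),
            "disposition": evaluated.findtext("disposition"),
            "verdict": verdict,
        }
    return summary
```

Sources marked ‘misaligned’ are the ones to fix in SPF/DKIM; ‘unauthenticated’ sources with real volume are candidates for blocking.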

By consistently reviewing and acting on DMARC reports, Microsoft Exchange users can enhance email security, protect against domain spoofing, and improve overall email deliverability.

Also, DMARC is just one part of a comprehensive email security plan. Combining DMARC with employee training, anti-phishing tools, regular security audits, and multifactor authentication can help strengthen an organization’s defense against email threats.
