Microsoft Defender for Office 365: DMARC Handling

In order to better protect our customers from exact domain spoofing attacks and improve deliverability of email, we are making changes to how we handle DMARC p=reject and p=quarantine.

For enterprise customers, we are also updating how DMARC policy-based reject can be handled. This change lets security administrators choose how DMARC policy-based reject and quarantine are applied within their organization.

For the consumer service, this means that if an email fails DMARC validation, it will be dropped and will not be delivered to the recipient’s inbox. This change will help to ensure that only emails from verified senders are delivered to our customers’ inboxes.

This message is associated with Microsoft 365 Roadmap ID 117533.

When this will happen:

Standard: Rollout will begin in late April 2023 and is expected to be complete by mid-May 2023.

Gov Cloud: Rollout will begin in mid-April 2023 and is expected to be complete by mid-June 2023.

How this will affect your organization:

For enterprise customers, the new setting to honor DMARC policy, found in the actions section of the Anti-Phishing policy, will be disabled by default. While it is disabled, the current behavior continues: if the DMARC policy is p=reject, the action specified for when spoof intelligence detects a message is applied. (Note: by default, that action sends the message to junk.)

Moving forward, using the updated actions for spoof intelligence settings within the Anti-Phishing policy, the recipient tenant admin will be able to choose how they want to honor DMARC policy settings. 

What you need to do to prepare:

If the tenant admin chooses to enable this new setting to honor DMARC policy, by default, the action applied will be “quarantine” in case of DMARC p=reject or p=quarantine. The tenant admin can change it as desired to either “reject” or “junk” the message instead (respectively).

If you wish to honor DMARC, before turning on the feature you may choose to review the spoof intelligence insight to identify legitimate senders whose emails are subject to DMARC reject or quarantine. Based on your organization’s email sending business needs, you may add overrides for those sender domain pairs to the Tenant Allow/Block List – Spoofed Senders. You may want to notify your users about this change and update your training and documentation as appropriate.
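To estimate the effect before enabling the setting, the following added example (not Microsoft's code or part of the original announcement) compares the action described above for each failing message with the setting off and on, and counts the sender pairs whose handling would change. The header strings are constructed samples in an illustrative format, the function names are hypothetical, and smtp.mailfrom is used here as a stand-in for the sending infrastructure shown in the spoof intelligence insight.

```python
import re
from collections import Counter

# With the setting off, the spoof intelligence action applies (junk by default).
# Assumption: this example treats p=quarantine failures the same way when off.
SPOOF_ACTION = "junk"
# With the setting on, both policies default to quarantine; an admin may choose
# "reject" for p=reject or "junk" for p=quarantine instead.
HONOR_DEFAULTS = {"reject": "quarantine", "quarantine": "quarantine"}

# Constructed Authentication-Results values (illustrative format, not real mail).
SAMPLE_HEADERS = [
    "spf=fail smtp.mailfrom=mailer.example.net; dmarc=fail (p=reject) header.from=contoso.example",
    "spf=fail smtp.mailfrom=mailer.example.net; dmarc=fail (p=reject) header.from=contoso.example",
    "spf=fail smtp.mailfrom=news.example.com; dmarc=fail (p=quarantine) header.from=fabrikam.example",
    "spf=pass smtp.mailfrom=contoso.example; dmarc=pass (p=reject) header.from=contoso.example",
    "spf=fail smtp.mailfrom=lists.example.org; dmarc=fail (p=none) header.from=tailspin.example",
]

FIELD = re.compile(r"(dmarc|smtp\.mailfrom|header\.from)=([\w.-]+)|\(p=(\w+)\)")

def parse(header):
    """Extract the DMARC result, published policy and both sender domains."""
    msg = {}
    for key, value, policy in FIELD.findall(header):
        if policy:
            msg["p"] = policy.lower()
        else:
            msg[key] = value.lower()
    return msg

def action(msg, honor, overrides=None):
    """Action for one message, or None when no DMARC policy action applies."""
    if msg.get("dmarc") != "fail" or msg.get("p") not in HONOR_DEFAULTS:
        return None
    if not honor:
        return SPOOF_ACTION
    return {**HONOR_DEFAULTS, **(overrides or {})}[msg["p"]]

def impact(headers, overrides=None):
    """Count sender pairs whose handling changes once the setting is enabled."""
    changed = Counter()
    for msg in map(parse, headers):
        before, after = action(msg, False), action(msg, True, overrides)
        if before != after:
            changed[(msg["header.from"], msg["smtp.mailfrom"], before, after)] += 1
    return changed

if __name__ == "__main__":
    for pair, count in impact(SAMPLE_HEADERS).items():
        print(count, *pair)
```

Pairs that appear in the result and belong to legitimate senders are the ones to consider for a Spoofed Senders override before the setting is turned on.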

Message ID: MC543870

