Incoming DMARC configuration for Microsoft 365 Exchange Online platform

Problem Statement:

The Microsoft 365 email platform does not reject inbound emails that fail DMARC, even when the sending domain's policy is set to “p=reject”.

Microsoft has taken this approach to avoid blocking legitimate emails. However, it also introduces a gap in the DMARC deployment, because it allows spoofed emails to bypass the DMARC control.

Refer to the link below for Microsoft's documentation on how Microsoft 365 handles inbound email that fails DMARC.

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide#how-microsoft-365-handles-inbound-email-that-fails-dmarc

Solution:

To address this gap in the Office 365 DMARC deployment, you can create a transport rule based on the “Authentication-Results” header. Depending on your requirements, you can split this deployment into two rules: one for the domains you control and one for the domains you do not control.

1. If mail is received with one of your own domains in the “from” email address, you can configure the rule to quarantine the email, which prevents it from being delivered to users. The rule checks whether the message uses your mail domain and whether DMARC failed, and the action is applied based on that result.

Note: Before implementing this rule, you must ensure that all your authorized mail senders pass the DMARC check, or legitimate mail might get rejected. It is also recommended to test the rule on a few users before deploying it to all users, as mail flow and routing can differ between organizations.

2. If the mail is received from any other external domain and the DMARC result is “fail”, you can add a disclaimer to alert the user that the mail could be malicious.

Note: You can configure a disclaimer instead of blocking these emails, to avoid blocking mail because of problems with the sending domain's own DMARC setup. However, if required, the rule can be configured to block the email automatically.
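The decision logic of the two rules above, written out as a local simulation so it can be checked against sample headers. This is an added example, not code from the original post or from Microsoft; it assumes `contoso.com` is the organization's own domain, and the Authentication-Results values and messages are constructed samples in the shape Exchange Online stamps on inbound mail (`dmarc=fail action=oreject header.from=…`, where `oreject` marks a p=reject verdict that Microsoft overrode). In Exchange Online itself the same logic is expressed as a mail flow rule whose condition is “Authentication-Results header contains” plus a sender-domain condition.

```python
"""Simulation of the two DMARC transport rules: quarantine spoofed own
domains, add a disclaimer to other DMARC failures, deliver the rest."""
import re
from email import message_from_string
from email.message import Message
from typing import Iterable, Optional

# The dmarc clause Exchange Online writes, e.g.
#   dmarc=fail action=oreject header.from=contoso.com
DMARC_CLAUSE = re.compile(
    r"dmarc=(?P<result>\w+)"
    r"(?:\s+action=(?P<action>[\w.]+))?"
    r"(?:\s+header\.from=(?P<header_from>[\w.-]+))?",
    re.IGNORECASE,
)

DISCLAIMER = ("[External] This message failed DMARC authentication for its "
              "sending domain and may be spoofed. Treat links and attachments "
              "with caution.")

# Constructed Authentication-Results values (203.0.113.0/24 is a
# documentation range; attacker.example / partner.example are placeholders).
AR_SPOOFED_OWN = (
    "spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=attacker.example; "
    "dkim=none (message not signed) header.d=none;"
    "dmarc=fail action=oreject header.from=contoso.com;compauth=fail reason=000")
AR_SPOOFED_OTHER = (
    "spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=attacker.example; "
    "dkim=none (message not signed) header.d=none;"
    "dmarc=fail action=oreject header.from=bank.example;compauth=fail reason=000")
AR_LEGIT = (
    "spf=pass (sender IP is 203.0.113.20) smtp.mailfrom=partner.example; "
    "dkim=pass (signature was verified) header.d=partner.example;"
    "dmarc=pass action=none header.from=partner.example;compauth=pass reason=100")


def build_message(auth_results: str, from_addr: str) -> str:
    """Assemble a minimal constructed RFC 5322 message carrying the header."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: Payroll <{from_addr}>\n"
            "To: user@contoso.com\n"
            "Subject: Updated bank details\n\n"
            "Please update the account on file.\n")


def parse_dmarc(auth_results: str) -> dict:
    """Return dmarc result, override action and header.from domain, lower-cased."""
    m = DMARC_CLAUSE.search(auth_results)
    if not m:
        return {"result": None, "action": None, "header_from": None}
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}


def decide(auth_results: str, our_domains: Iterable[str]) -> str:
    """Rule 1: our own domain + dmarc=fail -> quarantine.
    Rule 2: any other domain + dmarc=fail -> disclaimer. Otherwise deliver."""
    dmarc = parse_dmarc(auth_results)
    if dmarc["result"] != "fail":
        return "deliver"
    if dmarc["header_from"] in {d.lower() for d in our_domains}:
        return "quarantine"
    return "disclaimer"


def apply_rules(raw_message: str, our_domains: Iterable[str]) -> Optional[Message]:
    """Apply the verdict to a raw message: None means quarantined (not
    delivered); otherwise the message, with the disclaimer prepended if needed."""
    msg = message_from_string(raw_message)
    # Exchange Online can stamp several Authentication-Results headers; a
    # 'header contains' condition fires if any one of them matches.
    verdicts = {decide(v, our_domains) for v in msg.get_all("Authentication-Results") or []}
    if "quarantine" in verdicts:
        return None
    if "disclaimer" in verdicts and not msg.is_multipart():
        msg.set_payload(DISCLAIMER + "\n\n" + msg.get_payload())
        msg["X-DMARC-Rule"] = "disclaimer-added"
    return msg


if __name__ == "__main__":
    for label, ar, sender in (("own-domain spoof", AR_SPOOFED_OWN, "payroll@contoso.com"),
                              ("third-party spoof", AR_SPOOFED_OTHER, "alerts@bank.example"),
                              ("legitimate", AR_LEGIT, "news@partner.example")):
        print(label, "->", decide(ar, ["contoso.com"]))
```

The `action=oreject` token is the signal behind consideration 3 below: it only appears when the sending domain publishes p=reject, so a rule keyed on it will not fire for domains at p=none or p=quarantine.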

Considerations:

  1. DMARC should always be validated on the outermost gateway. This rule will not behave as expected if another filtering layer sits in front of O365.
  2. These rules only work for domain-spoofed phishing emails; they do not address other types of fraudulent email such as display-name spoofing.
  3. The rule will block spoofed emails only if the sending domain's DMARC policy is set to reject.
  4. Configure the rule only after ensuring that all legitimate emails pass the DMARC check, to avoid legitimate emails being blocked.
