How Office 365 treats inbound email that fails DMARC validation?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) work with Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing emails.

How Microsoft 365 handles inbound email that fails DMARC

If the DMARC policy of the sending server is p=reject, Exchange Online Protection (EOP) marks the message as a spoof instead of rejecting it. In other words, for inbound email, Microsoft 365 treats p=reject and p=quarantine the same way.

This is an approach that Microsoft has taken to avoid legitimate emails being blocked. However, this approach from Microsoft also introduces a gap in the DMARC deployment, resulting in spoofed emails to bypass DMARC control.

For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Microsoft 365 rejected these messages, people could lose legitimate email and have no way to retrieve them. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected.

If you want to reject the mails which are failing DMARC, you can create a  transport rule in Microsoft Office 365 Exchange Online.

Please refer to the below link for creating transport rule in office 365 exchange online: