Announcement: Microsoft Exchange Handling DMARC Policies

Microsoft Exchange started sending DMARC reports on March 21, 2023. However, the DMARC policies of Microsoft Exchange users were not being adhered to by Microsoft. This is not a violation of the RFC, but still not the best idea from an email abuse perspective.

Our clients experienced the issues of Microsoft not handling DMARC according to the RFC firsthand.

In the DMARC data from one of our clients, it was revealed that customers with a Hotmail email address were still receiving phishing emails, even though our client had implemented a DMARC p=reject policy for the respective domain.

What has changed?

On July 19th 2023, Microsoft announced that it will now honour the handling of the DMARC policy for both consumer and enterprise customers:

“For our consumer service (live.com / outlook.com / hotmail.com), we have changed our DMARC policy handling to honour the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email.”

Very good news for our customers using Microsoft services to send email.

Microsoft also announced that, although it will honour the sender's DMARC policy by default, enterprise customers can change these settings to their liking:

“For our enterprise customers, you can now choose how to handle emails that fail DMARC validation and choose different actions based on the policy set by the domain owner, such as p=reject or p=quarantine. If the recipient domain’s MX record points to Office 365, by default, we will honour the sender’s DMARC policy and reject (p=reject) or quarantine (p=quarantine) the email as instructed. However, you can change this behaviour and specify different actions for different policies in the Anti-Phishing policy section of the Microsoft 365 Defender portal.”
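The default handling described in the two quoted statements, as an added example (not Microsoft's or the author's code): it parses a sender's published DMARC TXT record and returns the action each service applies by default to a message that fails DMARC validation. The function names and sample records are constructed for illustration, and the enterprise result is the default only, since a tenant can override it in its anti-phishing policy.

```python
# Added illustration: models only the default actions quoted above.
# Names and sample records are constructed; sp= and pct= are not evaluated.

VALID_POLICIES = {"none", "quarantine", "reject"}

# Default action when a message fails DMARC, keyed by service then by p= value.
DEFAULT_ACTION = {
    "consumer": {"reject": "reject", "quarantine": "reject"},
    "enterprise": {"reject": "reject", "quarantine": "quarantine"},
}


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name, value) != ("v", "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags.setdefault(name, value)  # keep the first occurrence of a tag
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # Simplification: a record without a usable p= is treated as an error.
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    tags["p"] = policy
    return tags


def default_action_on_failure(txt, service):
    """Default action for a message that failed DMARC validation."""
    policy = parse_dmarc_record(txt)["p"]
    # p=none asks for monitoring only, so the policy triggers no action.
    return DEFAULT_ACTION[service].get(policy, "no policy action")


if __name__ == "__main__":
    samples = [  # constructed records
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine",
        "v=DMARC1; p=none",
    ]
    for record in samples:
        for service in ("consumer", "enterprise"):
            print(f"{service:10} {record!r} -> {default_action_on_failure(record, service)}")
```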

Check your DMARC settings here if you are a Microsoft Exchange customer:

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-protection-and-sender-dmarc-policies

You can find Microsoft's announcement here:

https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dmarc-policy-handling-defaults-for-enhanced-email/ba-p/3878883
