
DMARC and Microsoft

Why did Microsoft stop sending DMARC aggregate reports?

When checking your domain’s DMARC reporting, you will probably notice that, among the aggregate reports from other major email providers such as Google, Yahoo and Mail.Ru, you do not see any reports from Microsoft.

There is no problem with your DMARC record configuration: Microsoft simply does not send aggregate reports anymore. They used to send them (the last one was sent on 31 October 2017), but for some reason they later stopped.

If you search the Internet you will find several posts mentioning that Microsoft sends DMARC reports to Agari; the source of that information is Microsoft’s own knowledge base article.

It appears that Microsoft decided to limit the availability of DMARC reporting to the public after starting a partnership with Agari, presumably hoping to bring Agari more customers.

So, as you may have realized, DMARC reporting shows statistics for far fewer emails than are actually sent (since Microsoft is the second-largest ESP after Google): perhaps only 65%-75% of the real sent email volume.

If your domain is already on a DMARC “reject” policy, you may well want to know how your customers who use Microsoft mailboxes are protected from receiving spoofed emails sent on your domain’s behalf. Does Microsoft adhere to the standard and reject non-authenticated emails, as it is supposed to?

You may be surprised, but this is not the case.

What happens to an email that fails the DMARC check in Microsoft 365?

If you have friends who use Microsoft 365 (Exchange Online), you can test this by sending a spoofed email to them as well. If their Exchange tenant has no specific rules for processing spoofed email and runs with the default configuration, your friends will also receive the spoofed email in their Junk folder.

The most frustrating part is that if a spoofed message appears to come from a brand domain for which Microsoft shows a sender avatar (e.g. PayPal, Twitter, Adobe, Apple), the spoofed message received in Junk also shows the genuine sender avatar, which may confuse you and make you believe that the email came from a legitimate sender.

Why is this so? Microsoft’s official knowledge base describes how Exchange Online handles inbound emails that fail the DMARC check:

“If the DMARC policy of the sending server is p=reject, EOP marks the message as spoof instead of rejecting it. In other words, for inbound email, Microsoft 365 treats p=reject and p=quarantine the same way. Admins can define the action to take on messages classified as spoof within the anti-phishing policy.

Microsoft 365 is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Microsoft 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected.”

How to reject non-authenticated emails on Exchange?

While the handling of spoofed emails delivered to free Outlook / Hotmail mailboxes is solely in Microsoft’s hands, companies that use Microsoft 365 / EO can configure Exchange to reject non-authenticated emails received from domains protected with a DMARC “reject” policy.

If your organization uses Microsoft 365 / EO and your domain is protected with a DMARC “reject” policy, your Exchange administrator can configure it to reject non-authenticated emails, thus protecting your company’s users from receiving phishing emails sent on your domain’s behalf.

Let’s look at the headers of messages received in Exchange Online from domains with different DMARC policies set.

No DMARC record exists

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxxd.net;yyy.com; dmarc=none action=none header.from=zzz.edu;compauth=fail reason=001

DMARC record with “none” policy

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=none header.from=zzz.org;compauth=fail reason=001

DMARC record with “quarantine” policy

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=quarantine header.from=zzz.gov;compauth=fail reason=000

DMARC record with “reject” policy

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=oreject header.from=zzz.edu;compauth=fail reason=000

NOTE: Descriptions of the Microsoft 365 message header fields can be found in Microsoft’s documentation.

As you can see from the headers listed above, non-authenticated inbound emails from a domain with a “reject” policy can be identified by the string “dmarc=fail action=oreject”.

Here are the steps to configure the Exchange rule to reject such inbound emails:

  • Log in to the Exchange Online portal
  • Go to Mail Flow -> Rules
  • Click on “More Options…” to show the advanced settings

[Screenshot: Exchange Online rule configuration for rejecting unauthenticated (spoofed) emails]

  • Name the rule
  • In the “Apply this rule if…” dropdown select “A message header…” and choose “includes any of these words”
  • In the “specify header name” box type Authentication-Results
  • In the “specify words or phrases” box type dmarc=fail action=reject and add it
  • Then, in the “Do the following…” dropdown select “Block the message…” and choose “reject the message and include an explanation”
  • After that, type the explanation message text, e.g. “Unauthenticated email is not accepted due to the sender’s domain’s DMARC policy”
  • If you do not wish to send an explanation message to the sender, you can choose “delete the message without notifying anyone” instead
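The following is an added example, not code from the original post or from EasyDMARC. It parses the Microsoft 365 Authentication-Results header format shown above and emulates the transport rule just described, so you can check which of the four header variants (no record, p=none, p=quarantine, p=reject) the rule would reject before touching a live tenant. Sample headers use placeholder domains (example.net, example.com, example.edu, example.org, example.gov) and a documentation IP (192.0.2.10) that are constructed for this example. The rule condition is modelled as a plain substring match on the “dmarc=fail action=oreject” string that the headers above carry for p=reject senders; that substring semantics is an assumption of this script and is not a description of how Exchange’s own “includes any of these words” matching works.

```python
import re

# Common prefix of the constructed sample headers, modelled on the post's examples.
_PREFIX = (
    "Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.net; "
    "example.com; dkim=pass (signature was verified) header.d=example.net;example.com; "
)

# One constructed header per DMARC-policy case seen in the post (not real mail traffic).
SAMPLE_HEADERS = {
    "no_record":    _PREFIX + "dmarc=none action=none header.from=example.edu;compauth=fail reason=001",
    "p_none":       _PREFIX + "dmarc=fail action=none header.from=example.org;compauth=fail reason=001",
    "p_quarantine": _PREFIX + "dmarc=fail action=quarantine header.from=example.gov;compauth=fail reason=000",
    "p_reject":     _PREFIX + "dmarc=fail action=oreject header.from=example.edu;compauth=fail reason=000",
}

_DMARC_RE = re.compile(r"\bdmarc=(?P<result>\w+)\s+action=(?P<action>[\w.]+)")
_FROM_RE = re.compile(r"\bheader\.from=(?P<domain>[^;\s]+)")
_COMPAUTH_RE = re.compile(r"\bcompauth=(?P<verdict>\w+)\s+reason=(?P<reason>\d+)")


def parse_auth_results(header: str) -> dict:
    """Extract the DMARC verdict, the EOP action, the From: domain and the compauth verdict."""
    dmarc = _DMARC_RE.search(header)
    if dmarc is None:
        raise ValueError("no dmarc= clause in Authentication-Results header")
    frm = _FROM_RE.search(header)
    comp = _COMPAUTH_RE.search(header)
    return {
        "dmarc": dmarc["result"],
        "action": dmarc["action"],
        "from_domain": frm["domain"] if frm else None,
        "compauth": comp["verdict"] if comp else None,
        "reason": comp["reason"] if comp else None,
    }


# What the post observed: the action= value reflects the sender domain's published policy.
ACTION_TO_SENDER_POLICY = {
    "none": "p=none or no DMARC record",
    "quarantine": "p=quarantine",
    "oreject": "p=reject (EOP overrides this to quarantine/Junk by default)",
}


def sender_policy(header: str) -> str:
    """Map the EOP action back to the sender's DMARC policy as described in the post."""
    return ACTION_TO_SENDER_POLICY.get(parse_auth_results(header)["action"], "unknown action")


# Phrase the post identifies in headers of failing mail from p=reject domains.
REJECT_PHRASE = "dmarc=fail action=oreject"


def rule_matches(header: str, phrase: str = REJECT_PHRASE) -> bool:
    """Emulate the transport-rule condition 'Authentication-Results includes <phrase>'.

    Assumption: modelled as a plain substring check; Exchange's own word matching is not reproduced.
    """
    return phrase in header


def disposition(header: str) -> str:
    """'reject' when the emulated rule fires, otherwise 'deliver' (EOP's default spoof handling applies)."""
    return "reject" if rule_matches(header) else "deliver"


if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        info = parse_auth_results(hdr)
        print(f"{name:13} dmarc={info['dmarc']:4} action={info['action']:10} "
              f"from={info['from_domain']:12} -> {disposition(hdr)}  [{sender_policy(hdr)}]")
```

Running the script prints one line per sample: only the p=reject header is marked “reject”; the p=quarantine and p=none headers are left to EOP’s default handling, which is exactly the gap the rule is meant to close. Note that in this substring model the phrase “dmarc=fail action=reject” does not match the “action=oreject” header shown above, so it is worth verifying in your own tenant which phrase the rule actually fires on before relying on it.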

[Screenshot: completed DMARC rule in the Exchange Online rule editor]

Now, if you try to send a spoofed email to a Microsoft 365 / EO mailbox, you will receive a non-delivery report similar to the one in the screenshot.

[Screenshot: Microsoft non-delivery report]

The non-delivery report for the bounced email also contains a line with the diagnostic error code:

Reported error: 550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy
