
DMARC and Microsoft

Why did Microsoft stop sending DMARC aggregate reports?

When checking your domain’s DMARC reporting, you have probably noticed that among the aggregate reports from other major email providers such as Google, Yahoo and Mail.Ru, you do not see any reports from Microsoft.

There is nothing wrong with your DMARC record configuration: Microsoft simply does not send aggregate reports anymore. They did send them earlier (the last one was sent on 31 October 2017) but, for some reason, later stopped the initiative.

If you search the Internet you will find several posts mentioning that Microsoft sends DMARC reports to Agari; the source of that information is Microsoft’s own knowledge base article.

It appears, therefore, that after starting a partnership with Agari they decided to limit the availability of DMARC reporting to the public, hoping to bring Agari more customers.

So, as you may realize, DMARC reporting then shows statistics for far fewer emails than were actually sent (since Microsoft is the second-largest ESP after Google), perhaps only 65%-75% of the real sent email volume.

If your domain is already on a DMARC “reject” policy, you may well want to know how your customers who use Microsoft mailboxes are protected from spoofed emails sent on your domain’s behalf. Does Microsoft adhere to the standard and reject non-authenticated emails, as it is supposed to?

You may be surprised: it does not.

What happens to an email failing DMARC check on Microsoft 365?

If you run the same test against a Microsoft 365 (Exchange Online) mailbox, the result is the same: unless that tenant has specific rules for handling spoofed email and instead runs with the default configuration, the spoofed message is delivered to the Junk folder.

The most frustrating part is that if the spoofed message claims to come from a brand domain for which Microsoft shows a sender avatar (e.g. PayPal, Twitter, Adobe, Apple), the spoofed message received in Junk also shows the genuine sender avatar, which may confuse you into believing the email came from a legitimate sender.

Why is that? Microsoft describes how Exchange Online handles inbound email that fails the DMARC check in their official knowledge base:

“If the DMARC policy of the sending server is p=reject, EOP marks the message as spoof instead of rejecting it. In other words, for inbound email, Microsoft 365 treats p=reject and p=quarantine the same way. Admins can define the action to take on messages classified as spoof within the anti-phishing policy.

Microsoft 365 is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Microsoft 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected”.

How to reject non-authenticated emails on Exchange?

While the handling of spoofed email delivered to free Outlook / Hotmail mailboxes is solely in Microsoft’s hands, companies that use Microsoft 365 / EO can configure Exchange to reject non-authenticated emails received from domains protected with a DMARC “reject” policy.

If your organization uses Microsoft 365 / EO and your domain is protected with a DMARC “reject” policy, your Exchange administrator can configure it to reject non-authenticated emails, thus protecting your company’s users from receiving phishing emails sent on your domain’s behalf.

Let’s look at headers of messages received into Exchange Online from domains that have different DMARC policies set.

no DMARC record exists

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxxd.net;yyy.com; dmarc=none action=none header.from=zzz.edu;compauth=fail reason=001

DMARC record with “none” policy

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=none header.from=zzz.org;compauth=fail reason=001

DMARC record with “quarantine” policy

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=quarantine header.from=zzz.gov;compauth=fail reason=000

DMARC record with “reject” policy

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=oreject header.from=zzz.edu;compauth=fail reason=000

NOTE: A description of the Microsoft 365 message header fields can be found in Microsoft’s documentation.

As the headers above show, non-authenticated inbound email from a domain with a “reject” policy can be identified by the string “dmarc=fail action=oreject” (“oreject” stands for override reject: the sender’s p=reject was downgraded to quarantine by Exchange Online).
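As an added example (not code from the original post), a PowerShell function that applies the check just described to the four anonymised sample headers above; the function name and the `ShouldReject` field are my own choices.

```powershell
# Added example: classify an Exchange Online Authentication-Results header by its
# DMARC verdict. Only "dmarc=fail action=oreject" marks mail from a p=reject domain.
function Get-DmarcVerdict {
    param([Parameter(Mandatory)][string]$AuthenticationResults)

    # Exchange Online writes "dmarc=<result> action=<action>" into the header.
    if ($AuthenticationResults -match 'dmarc=(?<result>\w+)\s+action=(?<action>[\w.]+)') {
        $result = $Matches['result']
        $action = $Matches['action']
    } else {
        # No DMARC stanza at all (e.g. header not produced by Exchange Online).
        $result = 'missing'
        $action = 'missing'
    }

    [pscustomobject]@{
        Result       = $result
        Action       = $action
        # "oreject" = override reject: the sending domain published p=reject.
        ShouldReject = ($result -eq 'fail' -and $action -eq 'oreject')
    }
}

# The anonymised sample headers from the article (placeholders left as-is).
$samples = @(
    'Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxxd.net;yyy.com; dmarc=none action=none header.from=zzz.edu;compauth=fail reason=001',
    'Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=none header.from=zzz.org;compauth=fail reason=001',
    'Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=quarantine header.from=zzz.gov;compauth=fail reason=000',
    'Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=oreject header.from=zzz.edu;compauth=fail reason=000'
)

# Only the last sample (p=reject domain) yields ShouldReject = True.
$samples | ForEach-Object { Get-DmarcVerdict -AuthenticationResults $_ } |
    Format-Table Result, Action, ShouldReject -AutoSize
```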

Here are the steps to configure the Exchange rule to reject such inbound emails:

  • Log in to the Exchange Online portal
  • Go to Mail Flow -> Rules
  • Click on “More Options…” to show advanced settings

[Screenshot: Exchange configuration to reject spoofing emails]


  • Name the rule
  • In the “Apply this rule if…” dropdown select “A message header…” and choose “includes any of these words”
  • In the “specify header name” box type Authentication-Results
  • In the “specify words or phrases” box type dmarc=fail action=oreject and add it
  • Then, in the “Do the following…” dropdown select “Block the message…” and choose “reject the message and include an explanation”
  • After that, type the explanation message text, e.g. “Unauthenticated email is not accepted due to sender’s domain’s DMARC policy”
  • If you do not wish to send an explanation message to the sender you can choose “delete the message without notifying anyone” instead


DMARC and Microsoft: Exchange configuration
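The same rule built with Exchange Online PowerShell instead of the portal, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed; the admin account is a placeholder and the rule name is my own.

```powershell
# Added example: create the transport rule from the steps above via PowerShell.
# Placeholder admin account; replace with a real Exchange administrator UPN.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$ruleName = 'Reject DMARC-failed mail from p=reject domains'

# Match the marker Exchange Online writes when a sender's p=reject policy was
# overridden to quarantine ("oreject" = override reject). -Mode Enforce applies
# the action; use -Mode Audit first if you want to see matches without rejecting.
New-TransportRule -Name $ruleName `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=fail action=oreject' `
    -RejectMessageReasonText "Unauthenticated email is not accepted due to sender's domain's DMARC policy" `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce `
    -Comments 'Rejects inbound mail that failed DMARC from domains publishing p=reject'

# Alternative action if no NDR should be returned to the sender
# (the portal's "delete the message without notifying anyone"):
# New-TransportRule -Name $ruleName `
#     -HeaderContainsMessageHeader 'Authentication-Results' `
#     -HeaderContainsWords 'dmarc=fail action=oreject' `
#     -DeleteMessage $true

# Verify the rule exists, is enabled, and carries the expected condition/action.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords, RejectMessageReasonText
```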

Now, if you try to send a spoofed email to a Microsoft 365 / EO mailbox protected by this rule, you will receive a non-delivery report similar to the one in the screenshot.

Microsoft non-delivery report

The bounce report also contains a line with the diagnostic error code:

Reported error: 550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy
