DMARC and Microsoft : What is Happening? | EasyDMARC


If your domain is already on a DMARC “reject” policy, you may be interested in how your customers who use Microsoft mailboxes are protected from receiving spoofed emails sent on your domain's behalf. Does Microsoft adhere to the standard and reject non-authenticated emails, as it is supposed to?

You may be surprised to learn that it does not.

What happens to an email failing DMARC check on Microsoft 365?

If you have friends who use Microsoft 365 (Exchange Online), you can also send a spoofed email to them. If their Exchange tenant has no specific rules for processing spoofed email and runs with the default configuration, they will receive the spoofed email in the Junk folder.

The most frustrating fact is that if a spoofed message claims to come from a brand domain for which Microsoft shows a sender avatar (e.g. PayPal, Twitter, Adobe, Apple), the spoofed message received in Junk also shows the genuine sender avatar, which may confuse you into believing that the email came from the legitimate sender.

Why is that? Microsoft describes how Exchange Online handles inbound email that fails the DMARC check in its official knowledge base:

“If the DMARC policy of the sending server is p=reject, EOP marks the message as spoof instead of rejecting it. In other words, for inbound email, Microsoft 365 treats p=reject and p=quarantine the same way. Admins can define the action to take on messages classified as spoof within the anti-phishing policy.

Microsoft 365 is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Microsoft 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected”.

How to reject non-authenticated emails on Exchange?

While the delivery of spoofed email to free Outlook / Hotmail mailboxes is handled solely by Microsoft, companies that use Microsoft 365 / EO can configure Exchange to reject non-authenticated emails received from domains protected with a DMARC “reject” policy.

If your organization uses Microsoft 365 / EO and your domain is protected with a DMARC “reject” policy, your Exchange administrator can configure it to reject non-authenticated emails, protecting your company's users from phishing emails sent on your domain's behalf.

Let's look at the headers of messages received by Exchange Online from domains with different DMARC policies set.

No DMARC record exists:

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxxd.net;yyy.com; dmarc=none action=none header.from=zzz.edu;compauth=fail reason=001

DMARC record with “none” policy:

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=none header.from=zzz.org;compauth=fail reason=001

DMARC record with “quarantine” policy:

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=quarantine header.from=zzz.gov;compauth=fail reason=000

DMARC record with “reject” policy:

Authentication-Results: spf=pass (sender IP is n.n.n.n) smtp.mailfrom=xxx.net; yyy.com; dkim=pass (signature was verified) header.d=xxx.net;yyy.com; dmarc=fail action=oreject header.from=zzz.edu;compauth=fail reason=000

NOTE: Microsoft 365 message header field description can be found here.

As you can see from the headers listed above, non-authenticated inbound email from a domain with a “reject” policy can be identified by the string “dmarc=fail action=oreject”. Note that SPF and DKIM both pass in every sample, yet DMARC still fails: DMARC requires the passing identifier (smtp.mailfrom or header.d, here xxx.net) to align with the From: domain (header.from), which it does not.

Here are the steps to configure the Exchange rule to reject such inbound emails:

  • Log in to the Exchange Online admin portal
  • Go to Mail Flow -> Rules
  • Click “More Options…” to show the advanced settings


  • Name the rule
  • In the “Apply this rule if…” dropdown, select “A message header…” and choose “includes any of these words”
  • In the “specify header name” box, type Authentication-Results
  • In the “specify words or phrases” box, type dmarc=fail action=oreject and add it
  • Then, in the “Do the following…” dropdown, select “Block the message…” and choose “reject the message and include an explanation”
  • After that, type the explanation message text, e.g. “Unauthenticated email is not accepted due to sender's domain's DMARC policy”
  • If you do not wish to send an explanation message to the sender, you can choose “delete the message without notifying anyone” instead
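The same rule built with Exchange Online PowerShell instead of the portal, added here as an example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and the account holds a role that can manage mail flow rules; the UPN, rule name and rejection text are placeholders.

```powershell
# Added example: create the DMARC p=reject enforcement rule from PowerShell.
# Assumes the ExchangeOnlineManagement module; admin@example.com is a placeholder UPN.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$ruleName = 'Reject DMARC p=reject failures'   # placeholder rule name

# Condition: the Authentication-Results header stamped by EOP contains the string
# that marks an inbound message failing DMARC from a domain with p=reject.
# Action: reject with a 5.7.1 enhanced status code and an explanation (NDR) to the
# sender, mirroring "reject the message and include an explanation" in the portal.
New-TransportRule -Name $ruleName `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=fail action=oreject' `
    -RejectMessageReasonText "Unauthenticated email is not accepted due to sender's domain's DMARC policy" `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Enforce sender p=reject for inbound mail' `
    -Mode Enforce

# Alternative action from the article: drop the message without notifying anyone.
# Use this instead of the reject action above; a rule cannot do both.
# New-TransportRule -Name $ruleName `
#     -HeaderContainsMessageHeader 'Authentication-Results' `
#     -HeaderContainsWords 'dmarc=fail action=oreject' `
#     -DeleteMessage $true `
#     -Mode Enforce

# Verify the rule is enabled and carries the expected condition and action.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords, RejectMessageReasonText
```

Creating the rule with -Mode Audit first and reviewing what it would have matched before switching to Enforce avoids bouncing legitimate mail from senders whose DMARC is misconfigured.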


Now, if you try to send a spoofed email to a Microsoft 365 / EO mailbox, you will receive a non-delivery report similar to the one in the screenshot.


The non-delivery report for the bounced email also contains a line with the diagnostic error code:

Reported error: 550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy