{"id":51364,"date":"2025-09-05T13:48:00","date_gmt":"2025-09-05T13:48:00","guid":{"rendered":"https:\/\/easydmarc.com\/blog\/?p=51364"},"modified":"2026-03-18T04:12:03","modified_gmt":"2026-03-18T04:12:03","slug":"dmarc-p-reject-microsoft-365-fix","status":"publish","type":"post","link":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/","title":{"rendered":"The SCL:-1 Loophole: Why DMARC Reject Doesn\u2019t Stop Internal Spoofing in Microsoft 365"},"content":{"rendered":"\n<p>Many admins assume that publishing p=reject in their DMARC record guarantees spoofed messages will be blocked. In reality, Microsoft 365\u2019s Exchange Online Protection (EOP) doesn\u2019t always honor DMARC policy out of the box.<br \/><\/p>\n\n\n\n<p>This article explains why internal spoofing sometimes bypasses DMARC, how to detect it in headers, and what configuration changes you need to enforce it properly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-dmarc-p-reject-doesn-t-always-work\">Why DMARC p=reject Doesn\u2019t Always Work<\/h2>\n\n\n\n<p>DMARC depends on alignment of SPF or DKIM with the domain in the From: header. If neither aligns, and the DMARC policy is p=reject, the receiver should reject the message.<\/p>\n\n\n\n<p>But in Microsoft 365:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Spam Confidence Level (SCL) values can override filtering.<\/li>\n\n\n\n<li>If a message is stamped with SCL:-1 (\u201ctrusted\u201d), it bypasses spam filtering, including DMARC.<\/li>\n\n\n\n<li>Misconfigured inbound connectors, allow lists, or spoof intelligence can cause SCL:-1 to be applied, allowing spoofed mail to slip past.<\/li>\n\n\n\n<li>On top of that, many legacy Microsoft 365 tenants (or tenants created before Microsoft started enforcing DMARC more consistently) don\u2019t automatically honor<mark style=\"background-color:rgba(0, 0, 0, 0);color:#34b13e\" class=\"has-inline-color\"> p=reject<\/mark>. Unless the admin explicitly enables DMARC enforcement in Anti-phishing policies and org settings, spoofed messages can still be delivered despite the sending domain publishing a reject policy.<\/li>\n<\/ul>\n\n\n\n<p>This is why internal spoofing \u2014 a bad actor sending as <mark style=\"background-color:rgba(0, 0, 0, 0);color:#2f9b34\" class=\"has-inline-color\">user@yourdomain.com<\/mark> \u2014 can succeed even with DMARC reject published.<br \/>2f9b34<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-1-verify-and-fix-rejectdirectsend\">Step 1: Verify and Fix RejectDirectSend<\/h3>\n\n\n\n<p>Run this in PowerShell to check the setting:<\/p>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0);color:#309434\" class=\"has-inline-color\">Get-OrganizationConfig | fl Identity,RejectDirectSend<\/mark><\/p>\n\n\n\n<p>If it shows <mark style=\"background-color:rgba(0, 0, 0, 0);color:#2c9b48\" class=\"has-inline-color\">RejectDirectSend : False<\/mark>, update it with:<\/p>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0);color:#2d9c27\" class=\"has-inline-color\">Set-OrganizationConfig -RejectDirectSend $true<\/mark><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"152\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.00.54-PM-1-1024x152.png\" alt=\"\" class=\"wp-image-51368\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.00.54-PM-1-1024x152.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.00.54-PM-1-300x45.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.00.54-PM-1-768x114.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.00.54-PM-1-1536x228.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.00.54-PM-1-1200x178.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.00.54-PM-1.png 1804w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This forces Exchange Online to block any unauthenticated direct-to-MX traffic trying to impersonate your domain, closing one of the most common internal spoofing gaps.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-2-verify-if-eop-honors-dmarc\">Step 2: Verify If EOP Honors DMARC<\/h3>\n\n\n\n<p>Next, confirm that your EOP\/Defender anti-phishing policy is set to respect the published DMARC policy of external domains. You need to check in the Microsoft 365 Security &amp; Compliance Center:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to<a href=\"https:\/\/login.microsoftonline.com\/common\/oauth2\/authorize?client_id=80ccca67-54bd-44ab-8625-4b79c4dc7775&amp;response_type=code%20id_token&amp;scope=openid%20profile&amp;state=OpenIdConnect.AuthenticationProperties%3D-PR45sIsfsUJmulTSJm8rLC3l25REBLd6nnOFxDKC8piDmkAYRgSvr8oYcQZGn4n7cyEvrFkDoQV1lH3pAvxpYmvINR8B4inVJOtKJKdZH8SYjbl1DEeQJDX4NS7vBQmQmLIciFNl3ylzX0S2Lp-EQ&amp;response_mode=form_post&amp;nonce=639034575101925047.MTY3NTk0ZjItY2QxZi00NzMxLThhNzgtNmRmYjU3OWJjMmU4YjdlNjliZDktNTViZS00YjJkLWI3ZmMtZjgxZDI3ZWFjMGRk&amp;client-request-id=9a074d65-9e51-4125-9b28-3f8ea05390e0&amp;redirect_uri=https%3A%2F%2Fsecurity.microsoft.com%2F&amp;x-client-SKU=ID_NET472&amp;x-client-ver=8.3.0.0\" target=\"_blank\" rel=\"noreferrer noopener\">security.microsoft.com<\/a><\/li>\n\n\n\n<li>Navigate to Email &amp; collaboration \u2192 Policies &amp; rules \u2192 Threat policies \u2192 Anti-phishing<\/li>\n\n\n\n<li>Under Actions for authentication failures, make sure the settings are the same as the screenshot below<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"727\" height=\"1024\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.03.50-PM-727x1024.png\" alt=\"\" class=\"wp-image-51372\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.03.50-PM-727x1024.png 727w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.03.50-PM-213x300.png 213w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.03.50-PM-768x1082.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.03.50-PM-1090x1536.png 1090w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.03.50-PM.png 1150w\" sizes=\"(max-width: 727px) 100vw, 727px\" \/><\/figure>\n\n\n\n<p>This ensures that your tenant is actually enforcing the sender\u2019s DMARC policy instead of allowing spoofed mail.<\/p>\n\n\n\n<p>To adjust the settings, follow our article here: <a href=\"https:\/\/easydmarc.com\/blog\/dmarc-and-microsoft\/\">https:\/\/easydmarc.com\/blog\/dmarc-and-microsoft\/<\/a><\/p>\n\n\n\n<p>Without these settings, EOP won\u2019t enforce DMARC rejects.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-3-review-allowlists-custom-rules-and-connectors\">Step 3: Review Allowlists, Custom Rules, and Connectors<\/h3>\n\n\n\n<p>Even if DMARC enforcement is enabled, custom mail flow rules or allowlists can silently override it. These are the most common causes of internal spoof bypass.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mail Flow Rules (Transport Rules)<br \/>\n<ul class=\"wp-block-list\">\n<li>Check under <a href=\"https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize?client_id=497effe9-df71-4043-a8bb-14cf78c4b63b&amp;redirect_uri=https%3A%2F%2Fadmin.exchange.microsoft.com%2Fsignin-oidc&amp;response_type=code&amp;scope=openid%20profile%20offline_access&amp;code_challenge=xUkodvcCyxl0EHJLuPp7OL1rYFEVddWh0CmlqwkrR0w&amp;code_challenge_method=S256&amp;response_mode=form_post&amp;nonce=639034663702643171.NGZmMGFlNzktNWEyZC00OThlLTg5YWYtZjUyNjkwOWE1Mjk3NDNhNTgzNWItYmRkMy00Yzk1LTkxYzAtNzdiMzI1ZmZjMWMz&amp;client_info=1&amp;x-client-brkrver=IDWeb.3.8.4.0&amp;state=CfDJ8I5v3_EOgsBLmbZbE0Ue-ku79ltOySfZWJ0e8hCI14mZDfcMo-d1onWO9H6A1_oedfiiaAVq7iursMljl1IOtVBb2MZ3dGhEJoEV2_VwbfWz_JhcI8CuibJ27TPARJjcUxAIaKgXHdenck6YiTW9g66Oe9vlfHB4tKc6t94n2Kgb4_vvtQJU2pA4F5IfnO8k9qOO4f5FkwfMgYFwYMSMjUCAXVQOZwferfdHLkCutu0FjL_oybKfW8IzzNiO6NpKkiDsy5ozIMDZzaZbCM5p33pJxlzbpxrVGs86KUREtjwx-YydcUIGOInpdWlBHD4Nj1xCbyGYj4apjuaUbcqUpL-JlIQ_dlrM5VGPQqv36rinB5u-PZafxvXkotKyeBLbz4KstmNpSigFoEPRaAqTKHE&amp;x-client-SKU=ID_NET8_0&amp;x-client-ver=8.9.0.0\" target=\"_blank\" rel=\"noreferrer noopener\">Exchange Admin Center<\/a> \u2192 Mail Flow \u2192 Rules<br \/><\/li>\n\n\n\n<li>Look for rules that:<br \/>\n<ul class=\"wp-block-list\">\n<li>\u201cBypass spam filtering\u201d<br \/><\/li>\n\n\n\n<li>\u201cSet the spam confidence level (SCL) to -1\u201d<br \/><\/li>\n\n\n\n<li>\u201cAlways deliver to inbox\u201d<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"681\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.25.46-PM-1024x681.png\" alt=\"\" class=\"wp-image-51377\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.25.46-PM-1024x681.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.25.46-PM-300x200.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.25.46-PM-768x511.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.25.46-PM-1536x1022.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.25.46-PM-2048x1363.png 2048w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.25.46-PM-1200x798.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.25.46-PM-1980x1318.png 1980w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><em>In this screenshot, there\u2019s no set Rules.<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allowed Domains or Senders\n<ul class=\"wp-block-list\">\n<li>Check under <a href=\"https:\/\/security.microsoft.com\/antispam\" target=\"_blank\" rel=\"noreferrer noopener\">Security portal<\/a> \u2192 Policies &amp; rules \u2192 Threat policies \u2192 Anti-spam \u2192 Allowed\/Blocked senders &amp; domains<\/li>\n\n\n\n<li>If your own domain is listed in \u201cAllowed,\u201d spoofed mail will bypass DMARC.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"664\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.34.43-PM-1024x664.png\" alt=\"\" class=\"wp-image-51381\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.34.43-PM-1024x664.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.34.43-PM-300x195.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.34.43-PM-768x498.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.34.43-PM-1536x996.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.34.43-PM-2048x1328.png 2048w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.34.43-PM-1200x778.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.34.43-PM-1980x1284.png 1980w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Spoof Intelligence Overrides\n<ul class=\"wp-block-list\">\n<li>Go to <a href=\"https:\/\/security.microsoft.com\/threatpolicy\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Security portal<\/a> \u2192 Policies &amp; rules \u2192 Threat policies \u2192 Tenant Allow\/Block Lists<\/li>\n\n\n\n<li>If someone clicked Allow on a spoofed sender, it effectively disables DMARC for that sender.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"390\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.38.18-PM-1024x390.png\" alt=\"\" class=\"wp-image-51384\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.38.18-PM-1024x390.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.38.18-PM-300x114.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.38.18-PM-768x292.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.38.18-PM-1536x585.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.38.18-PM-2048x780.png 2048w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.38.18-PM-1200x457.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.38.18-PM-1980x754.png 1980w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Connectors and Gateways<\/li>\n<\/ul>\n\n\n\n<p>Misconfigured inbound connectors can also cause SCL:-1. If Microsoft thinks the mail is \u201cinternal,\u201d it won\u2019t apply DMARC.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to<a href=\"https:\/\/admin.exchange.microsoft.com\/#\/connectors\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"> Exchange Admin Center \u2192 Mail flow \u2192 Connectors<\/a><\/li>\n\n\n\n<li>Review connectors from third-party gateways (Proofpoint, Mimecast, Barracuda, etc.).<\/li>\n\n\n\n<li>Set them as a Partner Organization<\/li>\n\n\n\n<li>Do not use \u201cFrom your organization\u201d unless the connector is truly for internal relays (e.g., hybrid Exchange servers).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-4-analyze-message-headers\">Step 4: Analyze Message Headers<\/h3>\n\n\n\n<p>Headers reveal why a spoofed email was delivered or blocked.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authentication-Results\n<ul class=\"wp-block-list\">\n<li>spf, dkim, dmarc \u2192 individual checks<\/li>\n\n\n\n<li>compauth \u2192 Microsoft\u2019s combined verdict<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ol class=\"wp-block-list\">\n<li><\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"199\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.46.24-PM-1024x199.png\" alt=\"\" class=\"wp-image-51387\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.46.24-PM-1024x199.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.46.24-PM-300x58.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.46.24-PM-768x149.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.46.24-PM-1536x299.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.46.24-PM-1200x233.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.46.24-PM-1980x385.png 1980w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.46.24-PM.png 2016w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><em>As you can see in the screenshot, SPF failed, DKIM was not present, DMARC failed, and the domain\u2019s policy was p=reject (<code>action=oreject<\/code>). Normally, this message should have been rejected.<\/em><\/p>\n\n\n\n<p><em><strong>However<\/strong>, it was still delivered because <code>compauth=none<\/code> indicates Microsoft\u2019s Composite Authentication engine bypassed DMARC enforcement due to a tenant-level trust override (for example, an allowlist, connector misconfiguration, or an SCL:-1 rule) as you will see below.<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>X-Forefront-Antispam-Report \u2192 SCL<br \/>Microsoft\u2019s spam confidence levels:\n<ul class=\"wp-block-list vg_transparent_circle\">\n<li>-1 = Trusted (bypasses all filtering)<\/li>\n\n\n\n<li>0\u20131 = Low suspicion<\/li>\n\n\n\n<li>5\u20136 = Likely spam<\/li>\n\n\n\n<li>9 = High confidence spam<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If you see SCL:-1, it means DMARC was bypassed by a policy or rule.<\/li>\n\n\n\n<li>If you see AuthAs: Anonymous, it indicates the email came in without authentication. If paired with DMARC fail and SCL:-1, it confirms a spoof bypass.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"364\" src=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.49.18-PM-1024x364.png\" alt=\"\" class=\"wp-image-51390\" srcset=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.49.18-PM-1024x364.png 1024w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.49.18-PM-300x107.png 300w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.49.18-PM-768x273.png 768w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.49.18-PM-1536x546.png 1536w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.49.18-PM-2048x728.png 2048w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.49.18-PM-1200x427.png 1200w, https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-22-at-2.49.18-PM-1980x704.png 1980w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-5-deploy-fixes-to-enforce-dmarc-properly\">Step 5: Deploy Fixes to Enforce DMARC Properly<\/h3>\n\n\n\n<p>To stop internal spoofing:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Confirm RejectDirectSend = True (Step 1).<\/li>\n\n\n\n<li>Enable DMARC enforcement in Anti-Phishing policies (Step 2).<\/li>\n\n\n\n<li>Clean up rules and allowlists that can stamp SCL:-1 (Step 3).<\/li>\n\n\n\n<li>Test by sending spoof simulations from external systems and confirm they are rejected.<br \/><\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-key-takeaway\">Key Takeaway<\/h2>\n\n\n\n<p>DMARC enforcement in Microsoft 365 is not just about publishing p=reject.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If Direct Send is allowed, attackers can spoof your own domain.<\/li>\n\n\n\n<li>If Anti-Phishing doesn\u2019t honor DMARC, spoofed emails slip through.<\/li>\n\n\n\n<li>If rules or allowlists trigger SCL:-1, filtering is bypassed entirely.<\/li>\n<\/ul>\n\n\n\n<p>By checking these areas and analyzing headers, you can ensure Microsoft 365 truly respects DMARC p=reject and prevent internal spoofing from bypassing your defenses.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many admins assume that publishing p=reject in their &#8230;<\/p>\n","protected":false},"author":25,"featured_media":51365,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[204,203],"tags":[],"class_list":["post-51364","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-email-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.6 (Yoast SEO v27.6) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Why DMARC p=reject Fails in Microsoft 365 &amp; How to Fix It | EasyDMARC<\/title>\n<meta name=\"description\" content=\"Microsoft 365 sometimes bypasses DMARC rejects. Learn how to analyze headers, fix settings, and enforce DMARC correctly.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The SCL:-1 Loophole: Why DMARC Reject Doesn\u2019t Stop Internal Spoofing in Microsoft 365\" \/>\n<meta property=\"og:description\" content=\"Microsoft 365 sometimes bypasses DMARC rejects. Learn how to analyze headers, fix settings, and enforce DMARC correctly.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/\" \/>\n<meta property=\"og:site_name\" content=\"EasyDMARC\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/EasyDMARC\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-05T13:48:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-18T04:12:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1440\" \/>\n\t<meta property=\"og:image:height\" content=\"910\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Hagop K.\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@easydmarc\" \/>\n<meta name=\"twitter:site\" content=\"@easydmarc\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Hagop K.\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/\"},\"author\":{\"name\":\"Hagop K.\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#\\\/schema\\\/person\\\/740e38b8d7f98e6c4141ae2931ca5a2a\"},\"headline\":\"The SCL:-1 Loophole: Why DMARC Reject Doesn\u2019t Stop Internal Spoofing in Microsoft 365\",\"datePublished\":\"2025-09-05T13:48:00+00:00\",\"dateModified\":\"2026-03-18T04:12:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/\"},\"wordCount\":859,\"publisher\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg\",\"articleSection\":[\"Blog\",\"Email Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/\",\"name\":\"Why DMARC p=reject Fails in Microsoft 365 & How to Fix It | EasyDMARC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg\",\"datePublished\":\"2025-09-05T13:48:00+00:00\",\"dateModified\":\"2026-03-18T04:12:03+00:00\",\"description\":\"Microsoft 365 sometimes bypasses DMARC rejects. Learn how to analyze headers, fix settings, and enforce DMARC correctly.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/#primaryimage\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg\",\"contentUrl\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/08\\\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg\",\"width\":1440,\"height\":910,\"caption\":\"image for The SCL:-1 Loophole: Why DMARC Reject Doesn\u2019t Stop Internal Spoofing in Microsoft 365\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/dmarc-p-reject-microsoft-365-fix\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/easydmarc.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/category\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"The SCL:-1 Loophole: Why DMARC Reject Doesn\u2019t Stop Internal Spoofing in Microsoft 365\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/\",\"name\":\"EasyDMARC\",\"description\":\"Blog\",\"publisher\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/#organization\",\"name\":\"EasyDMARC\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/easydmarc.com\\\/img\\\/logo.png\"},\"image\":{\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/EasyDMARC\\\/\",\"https:\\\/\\\/x.com\\\/easydmarc\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/easydmarc\\\/mycompany\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/#\\\/schema\\\/person\\\/740e38b8d7f98e6c4141ae2931ca5a2a\",\"name\":\"Hagop K.\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/bb6e65e2ae3c6e57f798515a978995b899d1d972034c909397efad978249be85?s=96&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/bb6e65e2ae3c6e57f798515a978995b899d1d972034c909397efad978249be85?s=96&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/bb6e65e2ae3c6e57f798515a978995b899d1d972034c909397efad978249be85?s=96&r=g\",\"caption\":\"Hagop K.\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/in\\\/hagopkhatchoian\\\/\"],\"url\":\"https:\\\/\\\/easydmarc.com\\\/blog\\\/author\\\/hagop-khatchoian\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Why DMARC p=reject Fails in Microsoft 365 & How to Fix It | EasyDMARC","description":"Microsoft 365 sometimes bypasses DMARC rejects. Learn how to analyze headers, fix settings, and enforce DMARC correctly.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/","og_locale":"en_US","og_type":"article","og_title":"The SCL:-1 Loophole: Why DMARC Reject Doesn\u2019t Stop Internal Spoofing in Microsoft 365","og_description":"Microsoft 365 sometimes bypasses DMARC rejects. Learn how to analyze headers, fix settings, and enforce DMARC correctly.","og_url":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/","og_site_name":"EasyDMARC","article_publisher":"https:\/\/www.facebook.com\/EasyDMARC\/","article_published_time":"2025-09-05T13:48:00+00:00","article_modified_time":"2026-03-18T04:12:03+00:00","og_image":[{"width":1440,"height":910,"url":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg","type":"image\/jpeg"}],"author":"Hagop K.","twitter_card":"summary_large_image","twitter_creator":"@easydmarc","twitter_site":"@easydmarc","twitter_misc":{"Written by":"Hagop K.","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/#article","isPartOf":{"@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/"},"author":{"name":"Hagop K.","@id":"https:\/\/easydmarc.com\/blog\/#\/schema\/person\/740e38b8d7f98e6c4141ae2931ca5a2a"},"headline":"The SCL:-1 Loophole: Why DMARC Reject Doesn\u2019t Stop Internal Spoofing in Microsoft 365","datePublished":"2025-09-05T13:48:00+00:00","dateModified":"2026-03-18T04:12:03+00:00","mainEntityOfPage":{"@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/"},"wordCount":859,"publisher":{"@id":"https:\/\/easydmarc.com\/blog\/#organization"},"image":{"@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/#primaryimage"},"thumbnailUrl":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg","articleSection":["Blog","Email Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/","url":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/","name":"Why DMARC p=reject Fails in Microsoft 365 & How to Fix It | EasyDMARC","isPartOf":{"@id":"https:\/\/easydmarc.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/#primaryimage"},"image":{"@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/#primaryimage"},"thumbnailUrl":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg","datePublished":"2025-09-05T13:48:00+00:00","dateModified":"2026-03-18T04:12:03+00:00","description":"Microsoft 365 sometimes bypasses DMARC rejects. Learn how to analyze headers, fix settings, and enforce DMARC correctly.","breadcrumb":{"@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/#primaryimage","url":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg","contentUrl":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg","width":1440,"height":910,"caption":"image for The SCL:-1 Loophole: Why DMARC Reject Doesn\u2019t Stop Internal Spoofing in Microsoft 365"},{"@type":"BreadcrumbList","@id":"https:\/\/easydmarc.com\/blog\/dmarc-p-reject-microsoft-365-fix\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/easydmarc.com\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/easydmarc.com\/blog\/category\/blog\/"},{"@type":"ListItem","position":3,"name":"The SCL:-1 Loophole: Why DMARC Reject Doesn\u2019t Stop Internal Spoofing in Microsoft 365"}]},{"@type":"WebSite","@id":"https:\/\/easydmarc.com\/blog\/#website","url":"https:\/\/easydmarc.com\/blog\/","name":"EasyDMARC","description":"Blog","publisher":{"@id":"https:\/\/easydmarc.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/easydmarc.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/easydmarc.com\/#organization","name":"EasyDMARC","url":"https:\/\/easydmarc.com\/","logo":{"@type":"ImageObject","url":"https:\/\/easydmarc.com\/img\/logo.png"},"image":{"@id":"https:\/\/easydmarc.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/EasyDMARC\/","https:\/\/x.com\/easydmarc","https:\/\/www.linkedin.com\/company\/easydmarc\/mycompany\/"]},{"@type":"Person","@id":"https:\/\/easydmarc.com\/blog\/#\/schema\/person\/740e38b8d7f98e6c4141ae2931ca5a2a","name":"Hagop K.","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/bb6e65e2ae3c6e57f798515a978995b899d1d972034c909397efad978249be85?s=96&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/bb6e65e2ae3c6e57f798515a978995b899d1d972034c909397efad978249be85?s=96&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/bb6e65e2ae3c6e57f798515a978995b899d1d972034c909397efad978249be85?s=96&r=g","caption":"Hagop K."},"sameAs":["https:\/\/www.linkedin.com\/in\/hagopkhatchoian\/"],"url":"https:\/\/easydmarc.com\/blog\/author\/hagop-khatchoian\/"}]}},"jetpack_featured_media_url":"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2025\/08\/The-SCL_-1-Loophole_-Why-DMARC-Reject-Doesnt-Stop-Internal-Spoofing-in-Microsoft-365.jpg","_links":{"self":[{"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/posts\/51364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/comments?post=51364"}],"version-history":[{"count":7,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/posts\/51364\/revisions"}],"predecessor-version":[{"id":59855,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/posts\/51364\/revisions\/59855"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/media\/51365"}],"wp:attachment":[{"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/media?parent=51364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/categories?post=51364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easydmarc.com\/blog\/wp-json\/wp\/v2\/tags?post=51364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}