You have successfully implemented SPF, DKIM, and DMARC in your environment. But an email from your domain that fails DMARC lands in the junk folder of a user in Exchange Online instead of being rejected. What now?
Part 1: Root cause
SPF, DKIM, and DMARC with p=reject are running in your environment, and you assume that most unauthorized emails will be blocked by DMARC because the policy is set to reject.
Then a user comes to you and reports a junk email from your domain. When you analyze the headers, you should find in the Authentication-Results that DMARC failed, but with the action “oreject”. Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC record has a policy of p=reject. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam.
This means that if an email fails the DMARC check and the policy is p=reject, M365 overrides the action from <dmarc=fail action=reject> to <dmarc=fail action=oreject> and marks it as spam instead of deleting the message.
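As an added example (not part of the original post), the Python below pulls the dmarc= clause out of a message's Authentication-Results header and flags the overridden-reject case for your own domains. The sample headers, example.com, 203.0.113.5 and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; example.com and 203.0.113.5 are placeholders.
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=example.com;
 compauth=fail reason=000
From: ceo@example.com
To: user@example.com
Subject: constructed test message

body
"""

# dmarc=<result>, optionally followed by action=<action> and header.from=<domain>
DMARC_RE = re.compile(
    r"\bdmarc=(?P<result>\w+)"
    r"(?:\s+action=(?P<action>\w+))?"
    r"(?:\s+header\.from=(?P<domain>[\w.-]+))?",
    re.IGNORECASE,
)

def dmarc_verdicts(raw_message):
    """Return one dict per Authentication-Results header carrying a dmarc= clause."""
    msg = message_from_string(raw_message)
    verdicts = []
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(value.split())  # unfold continuation lines
        match = DMARC_RE.search(flat)
        if match:
            verdicts.append(
                {k: v.lower() if v else None for k, v in match.groupdict().items()}
            )
    return verdicts

def overridden_rejects(raw_message, own_domains):
    """Verdicts where DMARC failed for one of our domains with action=oreject."""
    own = {d.lower() for d in own_domains}
    return [
        v for v in dmarc_verdicts(raw_message)
        if v["result"] == "fail" and v["action"] == "oreject" and v["domain"] in own
    ]

if __name__ == "__main__":
    for verdict in overridden_rejects(SAMPLE, ["example.com"]):
        print("DMARC reject was overridden to junk:", verdict)
```

Run it over exported junk-folder messages to see how many of them are DMARC failures for your own domain that were delivered as spam.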
Part 2: Why is Microsoft doing this?
M365 is configured like this because some legitimate emails may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that relays the message to all participants. If Microsoft 365 rejected these messages, people could lose legitimate emails and have no way to retrieve them. Instead, these messages still fail DMARC, but they are marked as spam rather than rejected.
Part 3: How to change this
If you want more control over messages from unauthenticated senders that fail DMARC for your domain, and do not want them to land in the junk folder of your end users, turn on spoof intelligence in the ATP-Anti phishing policy.
You can turn on spoof intelligence by following these steps:
- Log in to https://security.microsoft.com/antiphishing
- Open your ATP-Anti phishing policy
- Under ‘Phishing threshold & protection’:
  - Edit protection settings
  - Enable spoof intelligence
- Under ‘Actions’:
  - Edit actions
  - If message is detected as spoof: Quarantine the message
- Also check ‘Unauthenticated senders symbol (?) for spoof’.
Once these steps are completed, spoof intelligence is turned on, which means that DMARC fails with action=oreject are moved to quarantine from now on.