Announcing New DMARC Policy Handling Defaults for Enhanced Email Security

Hi The_Exchange_Team - Loh_CS raises a good question. At present the 'Spoof and DMARC Policy' settings do not have their own quarantine policy, but instead use 'the quarantine policy that's selected for spoof intelligence'.

The quarantine policy defaults to 'DefaultFullAccessPolicy', which does not send notifications. The spoof intelligence quarantine policy is visible below both Spoof and DMARC policies when viewing the policy:

However, the option to edit the spoof/DMARC quarantine policy is not available when trying to edit the policy, unless 'If the message is detected as spoof by spoof intelligence' (set to 'Move to Junk Email' by default) is set to 'Quarantine the message')

If someone wants to set the quarantine policy for either or both of the new 'spoof and DMARC policy' settings, but not to change the 'spoof intelligence' action away from Junk Email, the only way to achieve this at present seems to be via PowerShell, e.g.

Connect-ExchangeOnline

Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -SpoofQuarantineTag DefaultFullAccessWithNotificationPolicy

 (At one point the GUI seemed to be always setting the SpoofQuarantineTag back to DefaultFullAccessPolicy if the 'spoof intelligence' setting was 'Junk Email' but it looks like you may have fixed that.)

Please can you update the Microsoft 365 Defender Web Portal so the Spoof Intelligence quarantine policy appears when you try to edit the policy when any of 'DMARC policy is set as p=quarantine', 'DMARC policy is set as p=reject' OR 'spoof intelligence' are 'Quarantine the message', so that Microsoft 365 Defender web portal users can easily set this policy while leaving 'spoof intelligence' at the default, allowing end users can receive notifications when DMARC policies fail?

I would say that DMARC policies should really have their own 'quarantine tags' rather than re-using 'spoof intelligence', but that's more development work.