Domain-based Message Authentication, Reporting & Conformance (DMARC) is a standard that helps prevent spoofing by verifying the sender’s identity. If an email fails DMARC validation, it often means that the sender is not who they claim to be, and the email could be fraudulent.
The ‘p=’ value (this stands for “policy”) in a DMARC TXT DNS record represents the sender’s policy for their domain. It tells the receiver what to do if an email fails DMARC validation. There are three possible values for the policy: none, quarantine, and reject. This helps the sender protect their reputation and brand from being spoofed and helps the recipient avoid emails from unverified senders.
Today, we are announcing important changes to our DMARC policy handling that affect both consumer and enterprise customers.
For our consumer service (live.com / outlook.com / hotmail.com), we have changed our DMARC policy handling to honor the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email.
For our enterprise customers, you can now choose how to handle emails that fail DMARC validation and choose different actions based on the policy set by the domain owner, such as p=reject or p=quarantine. If the recipient domain's MX record points to Office 365, by default, we will honor the sender’s DMARC policy and reject (p=reject) or quarantine (p=quarantine) the email as instructed. However, you can change this behavior and specify different actions for different policies in the Anti-Phishing policy section of the Microsoft 365 Defender portal. Note that if the tenant recipient domain's MX record points to a different email security solution that sits in front of Office 365, then 'Honor DMARC' will not be applied because the information about the sending infrastructure is likely affected by the complex mail flow routing. However, if enhanced filtering for connectors is enabled, we do apply “Honor DMARC” even when MX is pointed to 3rd party, and it will be treated as normal incoming message.
We’ve already begun rolling out the new policies, starting July 19, 2023, we’re will continue to rollout them out to our government and 21Vianet clouds. As stated in Message Center posts MC640228 (worldwide and government clouds) and MC640225 (21Vianet), you have until mid-August to modify the policies before they’re enforced.
For messages that fail DMARC validation where the policy is reject and this action is taken on the message, the sender will receive a non-delivery report (NDR) with the following message (using contoso.com as an example):
550 5.7.509: Access denied, sending domain contoso.com does not pass DMARC verification and has a DMARC policy of reject
We encourage you to review your DMARC settings and customize if needed to benefit from improved email security and deliverability.
Learn more:
- (DNS Configuration) Use DMARC to validate email.
- (Security Policies Configuration) Spoof protection and sender DMARC policies in Anti-phishing policies in Microsoft 365 Defender
- (Troubleshooting) 550 5.7.509 and Why does DMARC fail: Email non-delivery report (NDR) and SMTP errors in Exchange Online
- (Blog) Email Protection Basics in Microsoft 365: Spoofing and Impersonation
Microsoft Defender for Office 365 team
