Exchange Team Blog

Re: Introducing more control over Direct Send in Exchange Online

Restrictive DMARC policy is then the next part... O365 front door servers are acting just as any other mail server would in terms of accepting the connection. If MX points to EOP and Honor DMARC is configured as per Announcing New DMARC Policy Handling Defaults for Enhanced Email Security | Microsoft Community Hub, then unless a tenant-level override is in place, action will be taken in line with the policy action. If p=none, then DMARC is in a report-only mode, and though the mail could be marked as suspect, it would depend on overall signals from the sending infrastructure.

Published Aug 01, 2025
Version 1.0

4 Comments

  • jberg7120
    Copper Contributor

    Alisdair,

    The problem we had with a spoofing attack is that DMARC was NOT honored in EOP. Our MX record for our domain points to our 3rd party service, but the spoofing attack bypassed all that and went straight through Microsoft. The only way this makes sense, given that the attackers even knew we had a tenant, is that they used the 'mydomain-com.mail.onmicrosoft.com' address. I opened up a ticket on changing those MX records, but that was denied. If we don't want anything MX-record-wise to point to our tenant, we need to be able to change these.

    • Arindam_Thokder
      Microsoft

      If you do not want anyone to bypass your MX, which is pointed to a 3rd party service, you can achieve this by creating an Inbound connector as recommended in step 4 of the support article Mail flow best practices when using a third-party cloud service with Exchange Online, using either the TlsSenderCertificateName (preferred) or SenderIpAddresses parameter (you need to specify the certificate presented by the 3rd party or the IP address of the 3rd party), then set the corresponding RestrictDomainsToCertificate or RestrictDomainsToIPAddresses parameter to $True. With this configured, only mail that passes through the inbound connector is allowed into your tenant; otherwise it will be rejected. To know more, please refer to What is Direct Send and how to secure it.

      • jberg7120
        Copper Contributor

        This is what we've done. But in hindsight, we shouldn't have to do this. I shouldn't see attempted messages being quarantined by EOP because some protocol or function was opened and available for an attacker to use, which is why I'm raising the .onmicrosoft.com MX records. We should have control over the 'default inbound connector', and our tenant should be treated like it's an on-premises system. From a security standpoint, when things were on-premises we locked up our systems to only allow mail to come through 1 door and 1 door only for protection purposes; this way everything is checked. And YES, I get that building this connector does help with that, but the fact I still see spoofing attempts in EOP tells me that someone is still able to bypass the correct mail flow.
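As an added illustration of the inbound-connector approach Arindam_Thokder describes above (example code, not from the thread, Microsoft, or the linked support article), the following Exchange Online PowerShell creates a Partner connector that only accepts mail from the third-party filtering service, restricted by the TLS certificate it presents, and then reads the configuration back. The connector name, the certificate name `*.relay.example` and the IP range `203.0.113.0/24` are constructed placeholders; substitute the values your third-party service actually uses.

```powershell
# Added example (not from the thread): restrict inbound mail to the third-party
# filtering service so that mail hitting EOP directly is rejected.
# Placeholders: "*.relay.example" and "203.0.113.0/24" are constructed values.
Connect-ExchangeOnline

# Preferred option: match on the TLS certificate the third-party service presents.
# -RequireTls must be $true for certificate matching to apply.
New-InboundConnector -Name "Only-ThirdPartyFilter" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -RequireTls $true `
    -TlsSenderCertificateName "*.relay.example" `
    -RestrictDomainsToCertificate $true

# Alternative when the service offers no stable certificate name: match on its
# source IP ranges instead. Use one restriction style per connector, not both.
# New-InboundConnector -Name "Only-ThirdPartyFilter-IP" `
#     -ConnectorType Partner `
#     -SenderDomains "*" `
#     -SenderIpAddresses "203.0.113.0/24" `
#     -RestrictDomainsToIPAddresses $true

# Verify that the restriction flag is actually set on the connector.
Get-InboundConnector |
    Select-Object Name, ConnectorType, SenderDomains, RequireTls,
        TlsSenderCertificateName, RestrictDomainsToCertificate,
        SenderIpAddresses, RestrictDomainsToIPAddresses
```

With the restriction in place, a message for one of the tenant's domains that arrives at the EOP front door without matching the connector (for example, addressed via the `mydomain-com.mail.onmicrosoft.com` hostname mentioned earlier in the thread) is rejected rather than delivered or quarantined; a message trace on such an attempt is the quickest way to confirm the connector is doing its job.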

  • Marcin K.
    Brass Contributor

    Hello Alisdair Douglas,

    If I understand it right, the "Honor DMARC record policy when the message is detected as spoof" option in the Anti-phishing policy also applies to emails with a company-owned domain in the Mail From address received via Direct Send. Can you confirm this is correct? In other words, by setting the "p" attribute in our own domain's DMARC record, we can control how these "directly sent" messages are treated.

    Thank you in advance

    Marcin