Forum Discussion
Robert Woods
Jul 11, 2018 - Iron Contributor
Spoofed email from @micrsoft.com landed in my VP's inbox.
Spoofed email from @micrsoft.com landed in my VP's inbox. How? Headers indicate DMARC failure, but Microsoft's Reject Policy was not respected by their own servers, then the mail was delivered direct...
Robert Woods
Jul 11, 2018 - Iron Contributor
Support says they see a rule that may be causing the issue in the mailbox that I cannot see when viewing the rules online. They want me to use MFCMAPI tomorrow to try to locate the rule and remove it. They are not sure this is the root cause, but they want to try it anyway. They state it is a rule called Junk Email Rule, with no actions associated with it.
Not sure why this would apply, because DMARC failures for Micrsoft.com should result in a straight-up reject from the server at time of delivery according to their published policy.
https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3amicrosoft.com&run=toolpage
v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1
| Tag | TagValue | Name | Description |
| --- | --- | --- | --- |
| v | DMARC1 | Version | Identifies the record retrieved as a DMARC record. It must be the first tag in the list. |
| p | reject | Policy | Policy to apply to email that fails the DMARC test. TagValue can be 'none', 'quarantine', or 'reject'. |
| pct | 100 | Percentage | The percentage tag tells receivers to only apply policy against email that fails the DMARC check X amount of the time. |
| rua | mailto:d@rua.agari.com | Receivers | List of URIs for receivers to send XML feedback to. URIs are required to be added in the format of 'mailto:address@example.com'. |
| ruf | mailto:d@ruf.agari.com | Forensic Receivers | List of URIs for receivers to send Forensic reports to. URIs are required to be added in the format of 'mailto:address@example.com'. |
| fo | 1 | Forensic Reporting | Forensic reporting options. The value of this tag is a colon-separated list of characters. Possible values: (0) to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, (1) to generate reports if any mechanisms fail, (d) to generate report if DKIM signature failed to verify, (s) if SPF failed. If no ruf tag is specified, this tag will be ignored. |
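
The following is an added example, not part of the original post and not Microsoft's or MXToolbox's code. It parses the record quoted above into the tags listed in the table, shows which DNS name a receiver derives from a message's From: domain, and computes the action for a failing message. The function names, the sample addresses and the `sample` parameter are assumptions made for illustration, and the organizational-domain fallback is left out.

```python
# Added example: the record text is copied from the post; everything else is illustrative.
RECORD = ("v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; "
          "ruf=mailto:d@ruf.agari.com; fo=1")

# Policy applied to failing mail that falls outside the pct sample
# (RFC 7489 message sampling: reject drops to quarantine, quarantine to none).
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict, validating the tags from the table."""
    pairs = [p.partition("=") for p in txt.split(";") if p.strip()]
    if not pairs or (pairs[0][0].strip().lower(), pairs[0][2].strip()) != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}
    if tags.get("p") not in DOWNGRADE:
        raise ValueError("p must be none, quarantine or reject")
    tags["pct"] = int(tags.get("pct", "100"))        # pct defaults to 100
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["fo"] = tags.get("fo", "0").split(":")      # colon-separated options
    for key in ("rua", "ruf"):                       # comma-separated URI lists
        tags[key] = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
    return tags

def policy_domain(from_header):
    """DNS name queried for the policy: built from the domain in the From: header."""
    domain = from_header.rsplit("@", 1)[-1].strip(" >").lower()
    return "_dmarc." + domain

def disposition(tags, dmarc_pass, sample):
    """Action for one message; sample is a per-message draw in the range [0, 100)."""
    if dmarc_pass:
        return "deliver"
    if sample < tags["pct"]:
        return tags["p"]
    return DOWNGRADE[tags["p"]]

if __name__ == "__main__":
    tags = parse_dmarc(RECORD)
    print(tags)
    # Constructed sample addresses: the record is fetched per From: domain.
    print(policy_domain("vp@microsoft.com"), policy_domain("vp@micrsoft.com"))
    print(disposition(tags, dmarc_pass=False, sample=42))
```

The policy a receiver enforces is the one published under the name `policy_domain` returns, so the record shown above governs a message only when its From: domain maps to `_dmarc.microsoft.com`.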