SOLVED

As of February 2021, does EOP/Microsoft now send DMARC aggregate reports?


I believe I have spotted evidence that the answer is yes.  If you look at this answers.microsoft.com thread the answer states:

 

TL;DR

Office 365 currently does not send out any DMARC reports. If it was sending out Aggregate reports, being behind a Mimecast would still generate reports for emails not filtered by Mimecast (not SPAM or Phishing). They would probably contain a lot of failures, because, for Office 365, the sending server will be Mimecast, which most likely is not added to the SPF of the sending domain. And, depending on what Mimecast is doing with the emails, the DKIM signature, if present at all, may be broken.

 

@The_Exchange_Team / @Greg Taylor - EXCHANGE are you able to confirm if EOP does in fact now send DMARC aggregate reports? Working with a customer whose MX records point to an on-premises mail gateway, and they're getting reports from affiliates who use DMARC in reporting mode that their mail gateway is trying to send mail for them, unauthenticated'ly. Essentially the exact issue that is alluded to in hypothetical terms in the quoted answer excerpt above.

 

Thanks in advance.

6 Replies
BTW, I found the UserVoice request where Microsoft has been requested to start sending the aggregate reports, and where "Sean S" confirms it is "In the plans" as of April 2020 but with no ETA or update since then.
https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/11094318-dm...
best response confirmed by Jeremy Bradshaw (Frequent Contributor)
Solution

@Jeremy Bradshaw - Not yet Jeremy. You found the right User Voice however there is no ETA yet. 

@Arindam Thokder  Thank you for confirming.  I also came into other findings which mooted my suspicion that it was Microsoft/EOP sending the reports.  That is to say, there were many other messages sent into EXO which should/would have been in the aggregate counts of said report, so it wasn't lining up like I thought.

@Jeremy Bradshaw Now that Microsoft's Uservoice is dead, I'm curious where we should be pushing for this reporting to happen. It was an extremely popular Uservoice suggestion and never happened. The feedback options here are lackluster at best:
https://support.microsoft.com/en-us/topic/uservoice-pages-430e1a78-e016-472a-a10f-dc2a3df3450a?ui=en...

I think the only option after user voice is to hope enough support-subscribing customers have tickets related and somehow Microsoft decides this requested-service would help alleviate the tickets.

I think a big part of the problem is how customers' "hybrid" mail flow into EXO (or mail flow from 3rd party spam service in front of EXO) comes in the same way as all external email so the room for false positive reporting is maximized.

That makes sense. I wonder if they could find an elegant way to only report on messages that arrived to domains for which MX records point to Exchange Online. Might be too much overhead but it seems like that would solve the 3rd party hygiene problem.
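
The triage the thread describes (working out which receiver generated an aggregate report, and whether the rows failing DMARC come from the customer's own mail gateway) can be scripted. This is an added example, not part of the thread or any Microsoft tooling; it assumes an already-decompressed report in the RFC 7489 aggregate XML format without an XML namespace, and every name and address in the sample is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET  # reports are untrusted input; prefer defusedxml in production

# Constructed sample: a report about affiliate.example in which the customer's
# gateway (203.0.113.10, an invented address) relays the affiliate's mail.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>affiliate.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>affiliate.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>affiliate.example</header_from></identifiers>
  </record>
</feedback>"""


def triage(report_xml, gateway_nets):
    """Return (reporter, domain, rows) where rows are the records failing DMARC."""
    root = ET.fromstring(report_xml)
    nets = [ipaddress.ip_network(n) for n in gateway_nets]
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF check passes.
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue
        ip = ipaddress.ip_address(rec.findtext("row/source_ip").strip())
        rows.append({
            "source_ip": str(ip),
            "count": int(rec.findtext("row/count")),
            "is_gateway": any(ip in n for n in nets),  # relayed by our own gateway?
        })
    return (root.findtext("report_metadata/org_name"),
            root.findtext("policy_published/domain"), rows)


if __name__ == "__main__":
    reporter, domain, rows = triage(SAMPLE_REPORT, ["203.0.113.0/24"])
    print(f"report from {reporter} about {domain}")
    for row in rows:
        print(row)
```

The `org_name` value identifies the reporting receiver, and comparing each row's `count` with the message volume actually relayed to that receiver is the same cross-check that ruled out EOP as the sender in this thread.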