Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Rule to quarantine emails with DKIM="none"

Copper Contributor

Currently our company is looking to clamp down on phishing emails coming through our domain, and have noticed many messages reported to us by our users have dkim="none" rather than pass or fail. While I am aware Defender automatically quarantines fails, I could not find anywhere detailing how to set up a rule sending emails with dkim="none" to quarantine as well.

 

Can this be done in Defender or Exchange Admin Center?

 

Any help is appreciated!

2 Replies

@Andrew_Bolz did you configure your domain to sign your email with DKIM ? 

If your senders (on premises systems and trusted third parties) have established IP ranges then you can have a mail flow rule:

if message is inbound
and sender domain is {yours, or any others you can protect using this method}
take action
except if sender IP is {your egress, your trusted third parties, etc}

Now the action can be to stamp the subject line, add a disclaimer header, divert the message to the hosted quarantine or a secops mailbox or just drop the message. It depends on how confident you are about those exception ranges and of course you should start with a non-intrusive action such as adding a header when you are first testing.

If comprehensively implementing DKIM is going to be a protracted struggle then this may give you a quicker solution.

Needless to say, ideally those IP ranges should already be in your domain SPF record with a good strong -all HARDFAIL at the end, but you may not be confident enough to make that statement. If the IP ranges are wobbly or dangerously inclusive then that is going to be a problem anyway.