Microsoft Office 365 by default will not reject any emails that fail DMARC even if the sender’s DMARC policy is set to reject. Microsoft Office 365 will treat DMARC policies of quarantine and reject in the same way, meaning that if the sender’s DMARC policy is set to reject or quarantine, the emails that fail DMARC will be sent to the spam folder of the recipient. Microsoft override DMARC failures with “action=oreject” which stands for override reject. This value can be found in the Authentication-Results header of the emails. We will use this header and text to reject emails that fail DMARC with a policy of reject.

Microsoft believe that doing this will prevent many legitimate emails from being lost and that is fair enough. However, we have found that most if not all of our customers would actually like to conform to the sender’s DMARC policy and reject emails that fail DMARC.

After some testing we have discovered that the above can be achieved by using a mail flow rule.

To demonstrate how this can be achieved we will use the following.

Sending domain to be spoofed: (protected by DMARC ie. p=reject)

Recipient domain:

Spoofer: Sendgrid

Email Header to be used: Authentication-Results

Value to look for in the header: oreject

Now, let’s begin!

Send a legitimate email

We will first of all send a legitimate email to see where it lands on the recipient’s side.

The legitimate email went straight to the Inbox folder as shown below.

Message header details extracted from the Authentication-Results header are shown below:

dmarc=pass action=none

Send a spoof email

Let’s now send a spoof email prior to the mail flow rule being created and see where it goes on the recipient’s side.

The spoof email went straight to the Spam folder as shown below.

Message header details extracted from Authentication-Results are shown below:

dmarc=fail action=oreject

We can also confirm on Sendgrid’s side that the spoof email was delivered as shown below.

Let’s create the mail flow rule

We will now create the rule, wait at least 30 minutes and send a spoof email again.

To create the rule:

Go to:

Click on mail flow on the left hand side

Click on the + and select “Create a new rule”

Click on More options at the bottom of the screen.

Give your rule a name

Then in the box that says Apply this rule if… From the dropdown menu choose “A message header includes any of these words”.

Click on “Enter text” as shown below

Type in “Authentication-Results” exactly as shown below and press OK.

Click on “Enter words” as indicated below.

Enter the following three phrases individually and press OK.

Then in the “Do the following…” box choose “Block the message…” and then choose any of the 3 options. In our test we chose “reject the message and include an explanation”.

At the end you will end up with a rule that looks the same or similar to the below screen.

Save your rule and allow up to 30 minutes for it to take effect. For more information on Exchange Online Mail flow rules please click on the button below.

Let’s send another legitimate email to make sure that everything is working as expected.

After sending another legitimate email we can see as shown below that it was delivered to the Inbox which confirms that our rule is not blocking legitimate emails from domains that are protected by DMARC.

Message header details extracted from Authentication-Results are shown below:

dmarc=pass action=none

Finally, let’s send another spoof email

Nothing was received in the Inbox or Spam folder so let’s see what Sendgrid is showing.

We can see on Sendgrid’s side that the spoof email was blocked this time:

If we dig deeper into the reason for blocking the email we can see the below which confirms that the mail flow rule is working.

Using EOP’s Message trace feature as well can show us that the spoof email was not delivered due to the same reason.

The Message Trace feature can be found next to the rules tab as shown below

At this point any spoof emails that are coming from a domain that is DMARC protected will not be delivered to the spam folder. They will all be rejected and never reach the recipient.

If you need help setting up DMARC for your domain or would like to find out a bit more how we can help, please don't hesitate to contact us.

Why not even create a free 14 day OnDMARC account using the button below.

Did this answer your question?