Microsoft Honors DMARC Enforcement Policies
In July 2023, Microsoft, one of the world’s largest mailbox providers, began rolling out changes to DMARC functionality in consumer and enterprise email services. A Microsoft product manager said the rollout would be complete on September 25, 2023.
Microsoft Consumer Email Services
For consumer services (live.com, outlook.com, hotmail.com), Microsoft will now be treating the p=reject policy as intended; email failing DMARC authentication will not be delivered.
Our Deployment Director Asher Morin tested Microsoft’s DMARC functionality update, which revealed “that their consumer offering (e.g. hotmail.com, outlook.com) is indeed now respecting a sender’s DMARC p=reject policy.”
Previously, Microsoft treated a DMARC p=reject policy the same way it treated quarantine. The Authentication-Results header would show dmarc=fail action=oreject, where oreject stands for override reject. “This no longer appears to be the case,” Asher reports. “Spoof tests showed a consistent permanent rejection (see below) each time for hotmail.com and Outlook recipients.”
550 5.7.509 Access denied, sending domain does not pass DMARC verification and has a DMARC policy of p=reject.
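A domain owner running spoof tests like the ones described above can score the results automatically. The following is an added example, not dmarcian's or Microsoft's code: it reads the Authentication-Results value of a delivered message and the SMTP reply seen by the sender, and reports whether p=reject was overridden or honored. The sample header, the domain example.com, and the function and label names are constructed for illustration.

```python
import re

# Markers taken from the article; everything else here is constructed.
OVERRIDE_ACTION = "oreject"   # old behaviour: "override reject"
REJECT_STATUS = "5.7.509"     # enhanced status code in the new bounce

AR_FIELD = re.compile(r"\b(dmarc|action|header\.from)=([^\s;]+)", re.I)
SMTP_REPLY = re.compile(r"^(\d{3})[ -](\d\.\d{1,3}\.\d{1,3})\s+(.*)$")

def parse_auth_results(value):
    """Extract dmarc=, action= and header.from= from an Authentication-Results value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    return {k.lower(): v.lower() for k, v in AR_FIELD.findall(unfolded)}

def classify_delivered(value):
    """Classify a delivered message from its Authentication-Results value."""
    fields = parse_auth_results(value)
    if fields.get("dmarc") != "fail":
        return "not-a-dmarc-failure"
    if fields.get("action") == OVERRIDE_ACTION:
        return "reject-overridden"   # p=reject was handled like quarantine
    return "dmarc-fail-delivered"

def classify_reply(line):
    """Classify the SMTP reply the sending side received for a spoof test."""
    m = SMTP_REPLY.match(line.strip())
    if not m:
        return "unparsed"
    code, status, text = m.groups()
    if code.startswith("5") and status == REJECT_STATUS and "p=reject" in text:
        return "reject-honored"      # permanent rejection at SMTP time
    return "other-reply"

# Constructed sample header (folded across lines as it would be in a raw message).
OLD_HEADER = ("spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.com;\r\n"
              " dkim=none (message not signed) header.d=none;\r\n"
              " dmarc=fail action=oreject header.from=example.com")
# Reply text as quoted in the article.
NEW_REPLY = ("550 5.7.509 Access denied, sending domain does not pass DMARC "
             "verification and has a DMARC policy of p=reject.")

if __name__ == "__main__":
    print(classify_delivered(OLD_HEADER))  # reject-overridden
    print(classify_reply(NEW_REPLY))       # reject-honored
```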
Microsoft Enterprise Email Services
For paid Microsoft 365 enterprise accounts, customers “can now choose how to handle emails that fail DMARC validation and choose different actions based on the policy set by the domain owner, such as p=reject or p=quarantine,” according to a July 19 announcement from Microsoft.
Consumer products such as outlook, hotmail, msn and live email addresses do not offer configuration options; similar to Gmail, it is on by default and follows the sending domain’s DMARC policy. Based on the September 2022 technical roadmap presentation from Microsoft, enterprise services are set to offer email administrators options that once enabled will apply an action based on the administrator’s preference. We look forward to being able to put those to the test.
dmarcian Deployment Director Asher Morin
“It is worth noting that the rollout has only just begun,” Asher says. “This means the change of honoring DMARC’s p=reject policy could potentially be reverted as Microsoft continues to evaluate their change.”
When the update is complete and honored, Microsoft customers will know precisely what to expect from their published DMARC p=reject policies, and the large swath of the email ecosystem managed by Microsoft will be consistent with the industry standard that DMARC represents.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.