Reject inbound emails failing DMARC with Microsoft 365
By default, Microsoft 365 handles inbound emails failing DMARC for domains with a DMARC policy of reject the same way as if they had a policy of quarantine.
Read more here about how Microsoft 365 handles inbound email that fails DMARC.
Administrators can specify an action to be taken on emails classified as “spoof” through configuring an anti-phishing policy; however, none of these actions include rejecting the email with an error code.
After all, a domain owner who has gone through the process of deploying a DMARC policy of reject expects receivers to honour it: mail that fails DMARC should be rejected, not quarantined, so that the sender is alerted to the rejection. You may also wish to reject inbound emails failing DMARC where your own domain is being spoofed. Both can be achieved through the use of an Exchange mail flow rule.
An email that fails DMARC where the sending domain has published a reject policy is marked by Microsoft 365 in the Authentication-Results header with the following:
dmarc=fail action=oreject
The goal of the mail flow rule is to match this specific text within the Authentication-Results header and reject the email with an error message. The action=oreject portion stands for override reject: Microsoft 365 records that the domain's policy called for rejection but that it overrode the policy and marked the message as spam instead of rejecting it. Note that the match is on the Authentication-Results header added by Microsoft 365 at the tenant boundary, so only mail that has actually been evaluated by Exchange Online Protection carries it.
Here’s more from Microsoft on the Authentication-results message header.
Steps to Create the Mail Flow Rule
- Access the Exchange admin center at https://admin.exchange.microsoft.com/
- On the left menu, click on Mail flow -> Rules.
- Create a new rule and give it a recognizable name, such as DMARC Action Reject.
- Click on More Options at the bottom of the rule configuration window.
- In the Apply this rule if… drop-down, select A message header includes option.
- Type Authentication-Results as the header name and action=oreject as the text the header must include.
- Select the Reject the message with the explanation… option in the Do the following… drop-down menu. Specify a short, clear message regarding DMARC being the cause of the rejection.
- Be sure to keep the Match sender address in message option set to Header.
- Click Save.
With the above rule enabled, a message rejected by this rule will generate a delivery status notification for the sender with the following message:
Your message to firstname.lastname@example.org couldn’t be delivered.
A custom mail flow rule created by an admin at example.com has blocked your message.
Rejected due to the sender domain DMARC policy
As you can see, the explanation text is an important aspect of this rule to help the sender understand the reason for the rejection.
A Microsoft 365 mail flow rule can be a powerful tool. Before setting the action to reject, you can test the rule with a different action, such as redirecting matching messages to an administrator for review, or by running the rule in audit (test) mode. You can also add sender or recipient conditions to limit the scope of the rule to specific people or domains while it is being piloted.
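The same rule as the steps above, created and piloted from Exchange Online PowerShell rather than the Exchange admin center. This is an added example, not code from the original dmarcian post; it requires the ExchangeOnlineManagement module and an Exchange administrator account, and the rule name, explanation text and the pilot mailbox pilot.user@example.com are assumptions to adjust for your tenant. It creates the rule in audit mode first, scopes it to one recipient, reviews the matches, and only then switches to enforce with a 5.7.1 rejection.

```powershell
# Added example (not from the original post): build the "DMARC Action Reject"
# mail flow rule with Exchange Online PowerShell, pilot it, then enforce it.
# Assumptions: ExchangeOnlineManagement module installed; the rule name,
# explanation text and pilot.user@example.com are placeholders.

Connect-ExchangeOnline

$ruleName = "DMARC Action Reject"
$reason   = "Rejected due to the sender domain DMARC policy"

# Create the rule in Audit mode: it is evaluated against inbound mail and
# matches are logged, but no action is taken yet. This is the safe first step.
# The condition mirrors the EAC steps: header "Authentication-Results"
# includes "action=oreject", matched on the header (not envelope) sender.
New-TransportRule -Name $ruleName `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "action=oreject" `
    -SenderAddressLocation Header `
    -RejectMessageReasonText $reason `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit `
    -Comments "Reject inbound mail that failed DMARC for a domain publishing p=reject"

# Optional pilot scoping: only evaluate mail sent to one mailbox while testing.
Set-TransportRule -Identity $ruleName -SentTo "pilot.user@example.com"

# Review what the rule matched over the last 7 days before enforcing it.
Get-MailDetailTransportRuleReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -TransportRule $ruleName |
    Select-Object Date, SenderAddress, RecipientAddress, Subject, Action

# Happy with the matches: remove the pilot scope and switch to Enforce.
# From this point matching messages are rejected with the DSN text above.
Set-TransportRule -Identity $ruleName -Mode Enforce -SentTo $null

# Confirm the final configuration.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords, `
        SenderAddressLocation, RejectMessageReasonText, RejectMessageEnhancedStatusCode
```

Keep SenderAddressLocation at Header: DMARC alignment is evaluated against the visible From header, which is the address the spoofer forges, whereas the envelope sender is often a bounce address at a third-party domain. The 5.7.1 enhanced status code is the default for a rejection and is the one most sending MTAs report clearly to their users.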
Once the rule is enabled, you can navigate to the Exchange Transport Rule report page in the Exchange admin center to review how it is performing.
If you have any questions about establishing this rule, feel free to contact us.
Want to continue the conversation? Head over to the dmarcian Forum.