top of page
Search

How spear phishing emails can still reach inboxes despite failure of SPF, DKIM, and DMARC?

Microsoft 365 by default treats inbound emails from domains with DMARC reject policies the same way it would treat emails from domains with DMARC quarantine policies. In simple words, Microsoft 365 treats p=reject and p=quarantine equally for inbound email. Emails that fail the DMARC check are not rejected by Microsoft 365 in order to:

  • Avoid false negatives caused by email forwarding scenarios and mailing list usage.

  • Avoid legitimate emails being rejected due to sender configuration issues.


More information on how Microsoft 365 manages incoming email that fails DMARC can be found here.


Administrators can configure an anti-phishing policy to specify what should happen when emails are flagged as "spoof," but none of these options include rejecting the email with an error message.

After all, a domain owner who underwent the procedure of deploying a DMARC policy of reject would want to be informed when emails are being rejected. You might also want to reject emails that fail DMARC because your domain is being spoofed. This can be achieved with the help of an Exchange mail flow rule.


Step-by-Step Guide to Setting Up a Transport Rule in Microsoft 365 to Quarantine Unauthorized Emails.


1. Go to https://admin.exchange.microsoft.com/ to access the Exchange admin Centre.

2. On the left menu, select Mail flow -> Rules.

3. Create a new rule and give it a recognizable name, such as DMARC Action Reject.

4. Click on More Options at the bottom of the rule configuration window.



5. Create a new rule and give it a recognizable name, such as DMARC Action Reject.

6. In the Apply this rule if (drop-down), select A message header includes option.

7. Type in the name of the header and what we are looking for as per the following screenshot.

8. Select the Reject the message with the explanation option in the Do the following

(drop-down) menu. Specify a short, clear message regarding DMARC being the cause of the

rejection.



9. Be sure to keep the Match sender address in message option set to Header.



With the above rule enabled, a message rejected by this rule will generate a delivery status notification for the sender with the following message:

Your message to recipient@example.com couldn’t be delivered.

You will notice that a key component of this rule to clarify the reason for rejection to the sender is the explanation text.

A Microsoft 365 mail flow rule can be an extremely useful tool. You can also specify a different action here, such as redirecting to an administrator for review as a way to test the rule before setting the action to reject emails. To restrict the rule's application to certain people or domains, you can also add sender or recipient conditions.

Once the rule is activated, you can check its status by going to the Exchange Transport Rule report page in the Exchange Admin Centre.

Please feel free to get in touch with us if you have any queries about implementing this rule.

21 views0 comments

Comments


bottom of page