DMARC works alongside your SPF and DKIM configurations to authenticate mail, report on it, and instruct your recipients' mail servers on how to handle mail that does not pass DMARC checks. There are two policies you can configure with DMARC that advise the mail recipient how to handle DMARC failures: Quarantine and Reject.
A Quarantine policy advises the recipient to move emails that fail DMARC into the mail system's local quarantine. A Reject policy instructs the server to reject the email.
I use the term instructs because every mail service may handle these policies differently depending on its configuration; however, most providers do follow a standard protocol.
Microsoft, on the other hand, has only recently started to honour the reject and quarantine policies as stated by default: rejecting mail for a reject policy and quarantining mail for a quarantine policy.
How to modify the default DMARC policy
2. Expand Email & collaboration, then select Policies & rules > Threat policies.
3. Select Anti-phishing under Policies.
4. Click Create to create a new policy.
5. Define a name for your new policy and click Next.
6. Choose which users to include in this policy. For my policy, I have added my internal domain.
7. On the Phishing threshold & protection page, check the boxes next to Enable domains to protect and Include domains I own. All other settings can be left default on this page unless you wish to modify them. When you are ready, click Next.
8. On the Actions page, check the box next to Honor DMARC record policy when the message is detected as spoof. By default the DMARC record policy is already honored by Microsoft 365; however, to override these settings, modify the actions under each heading highlighted in the screenshot below to meet your preference using the drop-down boxes.
9. When you are ready, click Submit, then Done.
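The same policy can be created from Exchange Online PowerShell instead of the portal. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, that `contoso.com` stands in for your own domain, and that the policy and rule names are placeholders. The parameter names are those of the Exchange Online anti-phishing cmdlets as documented by Microsoft.

```powershell
# Added example: build the anti-phishing policy from steps 4-9 with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account holds the
# Security Administrator role. contoso.com and the names below are placeholders.
Connect-ExchangeOnline

$domain     = "contoso.com"            # placeholder for your own domain
$policyName = "Honor DMARC - contoso"  # placeholder policy name

# Step 7: "Enable domains to protect" and "Include domains I own".
# Step 8: honor the sender's published DMARC policy (the explicit check) and map
#   p=quarantine -> DmarcQuarantineAction (Quarantine, or MoveToJmf for the Junk folder)
#   p=reject     -> DmarcRejectAction     (Reject, or Quarantine to hold it instead)
New-AntiPhishPolicy -Name $policyName `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $domain `
    -EnableOrganizationDomainsProtection $true `
    -HonorDmarcPolicy $true `
    -DmarcQuarantineAction Quarantine `
    -DmarcRejectAction Reject

# Step 6: scope the policy to recipients in the internal domain.
New-AntiPhishRule -Name "$policyName rule" `
    -AntiPhishPolicy $policyName `
    -RecipientDomainIs $domain

# Verify what every policy in the tenant will actually do with DMARC failures.
Get-AntiPhishPolicy |
    Select-Object Name, HonorDmarcPolicy, DmarcQuarantineAction, DmarcRejectAction |
    Format-Table -AutoSize
```

If `HonorDmarcPolicy` reads `False` on the default policy, DMARC failures fall back to the spoof-intelligence action rather than the sender's published policy.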
Implicit vs Explicit email authentication checks
Microsoft has two different methods for checking the validity of incoming mail: implicit checks and explicit checks.
Implicit checks are made up of the Spoof intelligence features within your anti-phishing threat policies in Microsoft Defender. The idea is that Microsoft uses a combination of AI, mailbox analytics and behavioural analytics to determine (or imply) that a message is a spoofed message.
The explicit checks look at the actual message properties to determine a spoofed message from the associated SPF, DKIM and DMARC records (what has been explicitly configured). These settings can be found in the Actions pane of your Anti-Phishing policy in Microsoft Defender.
When both the spoof intelligence checks and the DMARC checks have been configured in your Anti-Phishing policy, either setting can cause a message to be treated as spoof: the implicit check can pass while the explicit check fails, causing the message to be quarantined, and vice versa.
Thankfully, DMARC checks are now on by default in Microsoft 365, so even if you have not configured either the implicit or the explicit mail checks, explicit checks will still apply, providing some level of protection.