How to Modify DMARC Policies in Microsoft 365 for Inbound Mail

DMARC works alongside your SPF and DKIM configurations to authenticate mail correctly, report on mail, and instruct your recipients' mail servers on how they should handle mail which does not pass DMARC checks. There are two different policies you can configure with DMARC which advise the mail recipient how to handle DMARC failures: Quarantine and Reject.

A Quarantine policy advises the recipient to move emails that fail DMARC to the local quarantine of the mail system. A Reject policy instructs the server to reject the email.

I use the term "instructs" because every mail service may handle these policies differently depending on its configuration; however, most providers do follow the standard protocol.

Microsoft, on the other hand, has only recently started to honour the Reject and Quarantine policies as stated by default: mail is rejected for a Reject policy and quarantined for a Quarantine policy.
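To make the Quarantine and Reject policies concrete, here is an added example (not from the original post) that parses a DMARC TXT record the way a receiving mail server does and returns the disposition the domain owner is asking for. It also handles the subdomain (sp=) and sampling (pct=) tags, which go beyond the two policies discussed above; the sample records and the function name are constructed for this example.

```powershell
# Added example, not from the original post: parse a DMARC TXT record the way a
# receiving mail server does and return the disposition the domain owner requests.
# The sample records at the bottom are constructed and belong to no real domain.

function Get-DmarcDisposition {
    param(
        [Parameter(Mandatory)] [string] $Record,   # value of the _dmarc.<domain> TXT record
        [switch] $FromSubdomain                    # message came from a subdomain of the organisational domain
    )

    # DMARC tags are semicolon-separated key=value pairs; whitespace around them is optional.
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $kv = $part.Trim()
        if ($kv -notmatch '=') { continue }         # skip empty segments and malformed tags
        $name, $value = $kv -split '=', 2
        $tags[$name.Trim().ToLower()] = $value.Trim()
    }

    # A record without v=DMARC1 and a p= tag is invalid; receivers treat it as if it were absent.
    if ($tags['v'] -ne 'DMARC1' -or -not $tags.ContainsKey('p')) {
        return [pscustomobject]@{ Valid = $false; Disposition = 'none'; Fallback = 'none'; Pct = 0 }
    }

    # sp= applies to subdomains when present; otherwise subdomains inherit p=.
    $policy = $tags['p'].ToLower()
    if ($FromSubdomain -and $tags.ContainsKey('sp')) { $policy = $tags['sp'].ToLower() }

    # pct= (default 100) is the share of failing mail the policy applies to.
    # Mail not selected by pct gets the next less severe policy (reject -> quarantine -> none).
    $pct = 100
    if ($tags.ContainsKey('pct') -and $tags['pct'] -match '^\d+$') { $pct = [int]$tags['pct'] }

    $disposition = switch ($policy) {
        'reject'     { 'reject' }
        'quarantine' { 'quarantine' }
        default      { 'none' }   # p=none is monitor-only: report, take no action
    }
    $fallback = switch ($disposition) {
        'reject'     { 'quarantine' }
        default      { 'none' }
    }

    [pscustomobject]@{ Valid = $true; Disposition = $disposition; Fallback = $fallback; Pct = $pct }
}

# Constructed sample records (no real domains):
$samples = @(
    'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid',
    'v=DMARC1; p=quarantine; sp=none; pct=50',
    'v=DMARC1; p=none',
    'p=reject'                                  # missing v= tag: invalid
)
foreach ($r in $samples) {
    $org = Get-DmarcDisposition -Record $r
    $sub = Get-DmarcDisposition -Record $r -FromSubdomain
    '{0,-62} org={1,-10} subdomain={2,-10} pct={3}' -f $r, $org.Disposition, $sub.Disposition, $org.Pct
}
```

The second sample shows why a published policy and the action a recipient actually takes can differ: with pct=50 only half of the failing mail is quarantined and the rest is treated as p=none, and mail from a subdomain is not quarantined at all because sp=none overrides p=.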

How to modify the default DMARC policy

1. Start by logging into Microsoft 365 Defender at https://security.microsoft.com/

2. Expand Email & collaboration, then select Policies & rules > Threat policies.

Open Threat Policies

3. Select Anti-phishing under Policies.

Select Anti-phishing

4. Click Create to create a new policy.

Create a new policy

5. Define a name for your new policy and click Next.

6. Choose which users to include in this policy. For my policy, I have added my internal domain.

Choose users to include in this policy

7. On the Phishing threshold & protection page, check the boxes next to Enable domains to protect and Include domains I own. All other settings can be left default on this page unless you wish to modify them. When you are ready, click Next.

Include domain I own

8. On the Actions page, check the box next to Honor DMARC record policy when the message is detected as spoof. By default the DMARC record policy is already honoured by Microsoft 365; to override these settings, modify the actions under each heading highlighted in the screenshot below to suit your preference using the drop-down boxes.

Honor DMARC record policy

9. When you are ready, click Submit, then Done.
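The same policy can be built without the portal. The following is an added example (not the post's own steps) that creates it with Exchange Online PowerShell and then reads the settings back as a check. The policy name, rule name and domain are placeholders; the cmdlets and parameter names are those of the Exchange Online Management module as I know them and are not taken from the post, so verify them against `Get-Help New-AntiPhishPolicy` in your tenant.

```powershell
# Added example, not from the original post: the policy the steps above build in the
# Defender portal, created with Exchange Online PowerShell instead.
# Requires the ExchangeOnlineManagement module and an account allowed to manage threat policies.
# The policy name, rule name and domain are placeholders; replace them with your own.
Connect-ExchangeOnline

$policyName = 'Inbound DMARC enforcement'   # step 5: policy name (placeholder)
$domain     = 'example.invalid'             # step 6: domain you own (placeholder)

# Steps 7 and 8: protect the domains you own ("Include domains I own"), keep spoof
# intelligence (the implicit check) on, honour the sender's DMARC policy (the explicit
# check) and choose what happens on p=reject and p=quarantine. AuthenticationFailAction
# covers spoof detections where the DMARC policy does not decide the action.
New-AntiPhishPolicy -Name $policyName `
    -EnableOrganizationDomainsProtection $true `
    -EnableSpoofIntelligence $true `
    -HonorDmarcPolicy $true `
    -DmarcRejectAction Reject `
    -DmarcQuarantineAction Quarantine `
    -AuthenticationFailAction Quarantine

# Step 6: scope the policy to recipients in your domain.
New-AntiPhishRule -Name "$policyName rule" -AntiPhishPolicy $policyName -RecipientDomainIs $domain

# Check: read back every anti-phishing policy, including the built-in default, so you
# can see which one is honouring DMARC and with which actions.
Get-AntiPhishPolicy |
    Select-Object Name, IsDefault, EnableSpoofIntelligence, HonorDmarcPolicy,
                  DmarcRejectAction, DmarcQuarantineAction, AuthenticationFailAction |
    Format-Table -AutoSize
```

Keeping the check at the end matters because a custom policy only applies to the recipients its rule matches; everyone else still gets the default policy, and the two can set different actions for the same DMARC result.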

Implicit vs Explicit email authentication checks

Microsoft has two different methods for checking the validity of incoming mail: implicit checks and explicit checks.

Implicit checks are made up of the spoof intelligence features within your anti-phishing threat policies in Microsoft Defender. The idea is that Microsoft uses a combination of AI, mailbox analytics and behavioural analytics to determine (or imply) that a message is spoofed.

Implicit email authentication

The explicit checks look at the actual message properties to determine a spoofed message from the associated SPF, DKIM and DMARC records (what has explicitly been configured). In this case, the settings can be found in the Actions pane of your Anti-Phishing policy in Microsoft Defender.

Explicit email authentication

When both the spoof intelligence checks and the DMARC checks have been configured in your Anti-Phishing policy, either of the policy settings can cause a message to be treated as spoof: the implicit check can pass while the explicit check fails, causing the message to be quarantined, and vice versa.

Thankfully, DMARC checks are now on by default in Microsoft 365, so even if you have not configured either the implicit or the explicit mail checks, explicit checks will still apply, giving you some level of protection.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
