3 Comments

"If you use Microsoft 365 as your email solution, you don’t have to do anything to set up DMARC for incoming mail."

This isn't entirely true. Microsoft will not honor a DMARC reject policy for incoming mails. So malicious mails that fail DMARC might just end up in your inbox, junk or in quarantine. Also see https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#how-microsoft-365-handles-inbound-email-that-fails-dmarc

Improvements are on the way: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-protection-and-sender-dmarc-policies

But I haven't seen it yet in my tenant. It's a good idea to reject mails failing DMARC coming from a domain with a reject policy - by using the option in preview, or by enabling a custom mail flow rule.

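The "custom mail flow rule" route mentioned in the comment above, written out as an added example (this is illustrative code, not from the original comment, the article, or Microsoft's documentation). It relies on the fact that Exchange Online Protection stamps the composite Authentication-Results header with "dmarc=fail action=oreject" when the sending domain publishes p=reject and EOP overrides that policy; the rule keys on that string and rejects the message at SMTP with a permanent error. The rule name, reject text and comment are assumptions chosen for illustration, and the connection uses the Exchange Online PowerShell module.

```powershell
# Added example: Exchange Online transport rule that enforces a sender's
# DMARC p=reject policy that EOP would otherwise soften to junk/quarantine.
# Requires the ExchangeOnlineManagement module and an admin with the
# "Transport Rules" role. Rule name and reject text are illustrative.

Connect-ExchangeOnline

# Start in Audit mode: the rule is evaluated and logged but does not reject,
# so message trace can show what it would have hit before switching it on.
New-TransportRule -Name "Enforce DMARC p=reject (audit)" `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "dmarc=fail action=oreject" `
    -RejectMessageReasonText "Message rejected: sender's DMARC policy is p=reject" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit `
    -Enabled $true `
    -Comments "Rejects mail EOP marked oreject (p=reject overridden); review in audit first"

# After reviewing message trace, switch the same rule to enforcement.
Set-TransportRule -Identity "Enforce DMARC p=reject (audit)" `
    -Name "Enforce DMARC p=reject" `
    -Mode Enforce

# Confirm the rule is enabled, enforcing, and matching the expected header string.
Get-TransportRule -Identity "Enforce DMARC p=reject" |
    Select-Object Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords
```

Two caveats a practitioner should check before enforcing: messages that legitimately fail DMARC after forwarding (mailing lists or relays that rewrite the body without ARC sealing) will be rejected rather than quarantined, so use the audit period to spot those senders and add an exception condition if needed; and the match is only as good as EOP's stamping, so confirm in message trace that the "action=oreject" string is what your tenant actually records before trusting the rule.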

Love the feedback, Tom. We have it documented here - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#set-up-dmarc-for-inbound-mail. If you find that isn't true, let's comment on the docs and see if we can get some changes.


Need help setting up DMARC for your custom domain so you can utilize Microsoft 365's built-in DMARC protection? Visit the Microsoft Intelligent Security Association (MISA) catalog to view third-party vendors offering DMARC reporting for Microsoft 365: https://www.microsoft.com/misapartnercatalog?IntegratedProducts=DMARCReportingforOffice365
