Office 365

Many people think Office 365 from Microsoft does not support DMARC. It does, but it does not currently support reporting. More detail attached.


Thanks for this video about how to set up DMARC. The video is from 2017 and is about setting up DMARC for the organisation or domain that you own. The problem with Office 365, though, has come later (Feb 2019) with a policy of Microsoft's post the EU's GDPR, where data accountability/responsibility is a little more important… So when it comes to external domains (incoming mail sent to Office 365), if the external domain has set DMARC to fail, the email, instead of being stopped at the server, is ignored and Office 365 sends it to the spam folder. The Microsoft reasoning behind this is that they don’t think admins can set up DMARC properly and so are allowing every email through (albeit to spam) to prevent people from losing email. But many users check their spam folder. So it’s a big problem for admins who have set up DMARC to fail correctly but who email users who use Office 365. And an even bigger problem for Office 365 users who check their spam folders.

Please have a look at: Use DMARC to validate email in Office 365 | Microsoft Docs

Under the heading How Office 365 Handles Inbound Email that fails DMARC

There is of course a degree of responsibility on an admin who sets DMARC up to fail because their domain in question is being heavily spoofed or used for phishing campaigns, so as to protect the rest of cyberspace from any misdemeanor, yet doesn’t want to or shouldn’t have to change their domain (at considerable cost). Yet admins should be able to take on that responsibility and decision making to allow DMARC to fail if the domain sender is not set within their IP range. All other email systems stop DMARC fail in its tracks and do not view the email as a quarantined email. In doing so, Microsoft is taking the decision making away from external admins and not working to the standards and choices that DMARC provides.