Domain-based Message Authentication, Reporting & Conformance (DMARC) is a standard that helps prevent spoofing by verifying the sender’s identity. If an email fails DMARC validation, it often means that the sender is not who they claim to be, and the email could be fraudulent.
The ‘p=’ value (this stands for “policy”) in a DMARC TXT DNS record represents the sender’s policy for their domain. It tells the receiver what to do if an email fails DMARC validation. There are three possible values for the policy: none, quarantine, and reject. This helps the sender protect their reputation and brand from being spoofed and helps the recipient avoid emails from unverified senders.
Today, we are announcing important changes to our DMARC policy handling that affect both consumer and enterprise customers. For our consumer service (live.com / outlook.com / hotmail.com), we have changed our DMARC policy handling to honor the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email.
For our enterprise customers, you can now choose how to handle emails that fail DMARC validation and choose different actions based on the policy set by the domain owner, such as p=reject or p=quarantine. By default, we will honor the sender’s DMARC policy and reject or quarantine the email as instructed. However, you can change this behavior and specify different actions for different policies in the Anti-Phishing policy section of the Microsoft 365 Defender portal.
We’ve already begun rolling out the new policies, starting July 19, 2023, we’re will continue to rollout them out to our government and 21Vianet clouds. As stated in Message Center posts MC640228 (worldwide and government clouds) and MC640225 (21Vianet), you have until mid-August to modify the policies before they’re enforced.
For messages that fail DMARC validation where the policy is reject and this action is taken on the message, the sender will receive a non-delivery report (NDR) with the following message (using contoso.com as an example):
550 5.7.509: Access denied, sending domain contoso.com does not pass DMARC verification and has a DMARC policy of reject
We encourage you to review your DMARC settings and customize if needed to benefit from improved email security and deliverability.
Microsoft Defender for Office 365 team