
Microsoft now applies DMARC security policies

On July 19, Microsoft announced on the Exchange blog major changes to its handling of DMARC policies! These changes affect the messaging services of both its consumer and business customers.

DMARC objectives

As a reminder, Domain-based Message Authentication, Reporting & Conformance (DMARC) is a standard that builds on the SPF and DKIM authentication mechanisms and lets the domain owner publish a security policy (NONE, QUARANTINE or REJECT) that the receiver applies when a message fails DMARC.

A DMARC failure has one of two causes:

  • SPF and DKIM misconfiguration by the company
  • Fraudulent use of the company's sender domain by a malicious third party

DMARC's main objectives are to:

  • Protect your domain name against spoofing (identity theft).
  • Provide companies with authentication reports for their domain (main domain and subdomains). These reports are sent by third parties such as ISPs, webmail providers and other companies.

"If you haven't yet deployed DMARC on your main domain, I invite you to take a look at our guide dedicated to this subject."

DMARC management at Microsoft, Gmail and Yahoo

Whereas its main competitors already applied the security policy defined in the DMARC record in the event of failure, Microsoft has, since this announcement, changed its DMARC handling! So, if a received e-mail fails DMARC, Microsoft now applies the value of the p tag (p=quarantine or p=reject) of the DMARC record of the sending domain (the From: domain).

Note on NONE: the value p=none requests no action, so nothing changes for domains with that policy.

I tested sending 2 campaigns from my Brevo account on my domain name, with a valid SPF authentication that was not aligned with my sender domain, and I deliberately removed the DKIM public key (initially provided by Brevo) to generate DMARC=fail on my mailings to my, and addresses. This will enable me to check that Microsoft, Gmail and Yahoo are applying the security policy I've defined!

Test 01: With DMARC policy p=quarantine

  • Outlook: the e-mail has been placed in the spam folder!

Authentication-Results: spf=pass (sender IP is; dkim=fail (no key for signature);dmarc=fail action=quarantine;compauth=fail reason=000

  • Gmail: my e-mail has been placed in the spam folder and flagged as dangerous!
Gmail doesn't hesitate to alert its users to poorly authenticated or potentially dangerous e-mails!

Authentication-Results:; dkim=temperror (no key for signature) header.s=mail header.b=iABVnDRa; dkim=pass header.s=mail header.b=tDcfFbPc; spf=pass ( domain of designates as permitted sender) smtp.mailfrom=" "; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE)

  • Yahoo: my e-mail has been placed in the spam folder!

Authentication-Results:; dkim=perm_fail header.s=mail; dkim=pass header.s=mail; spf=pass; dmarc=fail (p=QUARANTINE);

Test 02: With DMARC policy p=reject

  • Outlook: my e-mail has been bounced!

550 5.7.509 Access denied, sending domain [SFICONSULTING.EMAIL] does not pass DMARC verification and has a DMARC policy of reject.


  • Gmail: my e-mail has been bounced!

550-5.7.26 Unauthenticated email from is not accepted due to 550-5.7.26 domain's DMARC policy. Please contact the administrator of 550-5.7.26 domain if this was a legitimate mail. Please 550-5.7.26 visit 550-5.7.26 to learn about the 550 5.7.26 DMARC initiative.

  • Yahoo: my e-mail has been bounced!

554 5.7.9 Message not accepted for policy reasons.

This series of tests shows that Microsoft strictly applies the security policy defined in the p tag of the sender domain's DMARC record. The same applies to Gmail and Yahoo. A good point for domain name protection!
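As an added example (not code from the article or from any mailbox provider), the Python below models how a receiving server derives the dmarc=fail verdict seen in the headers above and picks the action from the record's p= and sp= tags; it also handles the relaxed/strict alignment modes (aspf/adkim), which go beyond the two tests described. The record text and domains are constructed, and the organizational-domain logic is a simplification noted in the comments.

```python
from __future__ import annotations


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Parse a DMARC TXT record, e.g. 'v=DMARC1; p=quarantine; sp=reject; adkim=s'."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): the organizational domain is the last two labels.
    # A real receiver consults the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment requires identical domains; relaxed ('r', the
    default) only requires the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain: str, record_txt: str, spf_result: str,
                      spf_domain: str, dkim_results: list[tuple[str, str]]) -> tuple[str, str]:
    """Return (dmarc_result, action) for one message.

    spf_domain is the MAIL FROM domain SPF was evaluated against (for the
    article's scenario, the ESP's own domain, hence unaligned). dkim_results
    holds one (result, d= domain) pair per DKIM signature on the message.
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, rec.get("adkim", "r"))
                  for res, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"  # at least one identifier passed AND is aligned
    # On failure apply p=, or sp= when the From domain is a subdomain of the policy domain.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = rec.get("p", "none")
    if is_subdomain and "sp" in rec:
        policy = rec["sp"]
    return "fail", policy  # 'none' means report only; no action is taken
```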

Microsoft also states in its dedicated article that the rollout of this new behaviour began on July 19 and should be completed by mid-August! (You know what you have to do, especially if you're not sure that all your e-mail flows are compliant :p).

Who is affected by Microsoft's measure?

The entire Microsoft ecosystem will, in due course (editor's note: mid-August), benefit from this measure, by which I mean individuals (Hotmail, Outlook, Live) and all businesses using Microsoft services. This means that all flows managed by Microsoft will comply with the DMARC standard and apply the security policy!

Individuals

For users of the free service, Microsoft will apply the security policy defined on the sender domain and will reject any e-mail that does not comply with DMARC (editor's note: see the result of test 02 and the bounce returned by Microsoft on p=reject), which was not the case until recently (such e-mail was put in spam instead of being rejected)!

Previously, Microsoft treated a DMARC p=reject policy the same way as quarantine: the Authentication-Results header showed dmarc=fail action=oreject, where oreject stands for "override reject".

Source: "Microsoft Honors DMARC Enforcement Policies", Dmarcian.

Companies

Companies with a paid Microsoft 365 account can choose how to handle e-mails that fail DMARC, i.e. whether to reject them (p=reject) or put them in spam (p=quarantine). Whether Microsoft keeps this option or removes it, we'll have to wait and see!

Need help with your DMARC deployment?

You haven't deployed DMARC yet, or don't know where to start? Would you like to tighten up your DMARC security policy, but aren't sure that all your flows are compliant? Are you looking to implement a DMARC monitoring tool but don't know which one to choose?

We're here to help! As well as deploying DMARC, we can audit and optimize the security of your domain names and e-mail flows.

Don't hesitate to contact us 🙂
