Suped

How to handle Microsoft treating DMARC reject policy as quarantine?

11 Marketer opinions8 Expert opinions4 Technical articles5 Resources

Summary

Microsoft's approach to DMARC involves treating 'reject' policies as 'quarantine' to prevent false negatives, prioritizing the delivery of legitimate emails even if they fail authentication checks. DMARC policies are viewed as requests, not commands, leaving the ultimate decision on email handling to the recipient server. Microsoft's O365 platform is known to send unaligned emails directly to the spam folder. Recommendations for handling this include monitoring DMARC reports, ensuring proper SPF/DKIM alignment, and considering an Exchange rule to enforce 'reject' policies. Furthermore, senders should be aware of how Microsoft's authentication changes impact forwarded emails and understand that Microsoft often has unique ways of doing things.

Key findings

  • Microsoft's Prioritization: Microsoft prioritizes avoiding false negatives by quarantining emails that fail DMARC 'reject' policies.
  • DMARC as Guidance: DMARC policies serve as guidelines; the ultimate decision on handling emails lies with the recipient server (e.g., Microsoft).
  • Unaligned Mail Handling: Microsoft's Office 365 platform sends unaligned emails directly to the spam folder.
  • Enforcement Variances: DMARC enforcement depends on the receiver's implementation, leading some to treat 'reject' as 'quarantine.'

Key considerations

  • Actionable Steps: Monitor DMARC reports and improve SPF, DKIM, and DMARC configurations.
  • Mitigation Strategy: Consider an Exchange rule to enforce 'reject' policies at the organizational level.
  • Proactive Alignment: Advocate for alignment with clients and understand Microsoft's authentication changes.
  • Forwarding Complications: Understand and address how Microsoft's changes affect forwarded emails and mailing lists.

What email marketers say
11Marketer opinions

Microsoft often treats DMARC reject policies as quarantine to avoid blocking legitimate emails due to misconfigurations or other issues. This is because Microsoft prioritizes avoiding false negatives (missing valid emails). To address this, it's essential to monitor DMARC reports, ensure proper SPF and DKIM setup for alignment, and consider creating an Exchange rule to reject failing emails. It's also important to advocate for alignment with clients, but be aware of Microsoft's abrupt changes to authentication procedures, and how this all affects forwarded emails.

Key opinions

  • Microsoft's Approach: Microsoft prioritizes avoiding false negatives (missing legitimate emails), leading them to quarantine emails that fail DMARC reject policies instead of rejecting them outright.
  • Receiver Discretion: ISPs and receivers ultimately decide how to handle emails failing DMARC, even with a 'reject' policy. This depends on the implementation.
  • Importance of Alignment: Proper SPF and DKIM configuration for alignment is crucial to prevent legitimate emails from being incorrectly flagged and quarantined.
  • Monitor Reports: Monitoring DMARC reports helps identify legitimate emails failing authentication, allowing for adjustments to SPF, DKIM, and DMARC records.

Key considerations

  • Exchange Rule: Creating an Exchange rule to reject emails failing DMARC can override Microsoft's quarantine treatment, but needs to be done cautiously.
  • Client Communication: Advocating for alignment with clients and communicating changes in authentication practices is important.
  • Authentication Changes: Be aware of Microsoft's abrupt changes to authentication procedures.
  • Forwarded Emails: Forwarded emails and mailing lists are impacted by the MS changes.
Marketer view

Email Marketer from StackExchange explains that enforcing DMARC policies depends on the receiver's implementation, and some treat 'reject' as 'quarantine' to avoid losing legitimate emails due to misconfiguration.

July 2024 - StackExchange
Marketer view

Email Marketer from Unlock The Inbox suggests monitoring your DMARC reports to identify legitimate emails that are failing authentication. Based on the report, you can improve SPF records, DKIM keys, and DMARC records.

March 2025 - Unlock The Inbox
Marketer view

Email Marketer from Mailhardener explains that while a DMARC policy of reject should instruct receivers to reject non-compliant messages, Microsoft might quarantine them instead to avoid blocking legitimate emails due to misconfigurations or other issues.

April 2024 - Mailhardener
Marketer view

Email Marketer from Word to the Wise explains the changes with authentication at Office365.

July 2024 - Word to the Wise
Marketer view

Email Marketer from Reddit shares Microsoft's actions are designed to protect users, as they prioritize avoiding false negatives (missing valid emails) over strictly adhering to DMARC policies.

January 2023 - Reddit
Marketer view

Email Marketer from Mailjet explains that even with a 'reject' policy, some ISPs might quarantine emails instead, giving recipients a chance to review them. This decision falls on the ISP's discretion.

November 2022 - Mailjet
Marketer view

Email Marketer from EmailGeek recommends creating an Exchange rule to reject emails that fail DMARC checks, to prevent Microsoft from treating a 'reject' policy as 'quarantine.'

October 2024 - EmailGeek
Marketer view

Marketer from Email Geeks shares that Microsoft often disregards DMARC policies, treating reject as quarantine, and not sending aggregate reports, and suggests creating an Exchange rule to reject emails failing DMARC and voting for DMARC aggregate reports in UserVoice.

October 2021 - Email Geeks
Marketer view

Email Marketer from EmailSecuritySPF advises ensuring that your SPF and DKIM records are correctly configured and aligned. Regularly review DMARC reports to understand what's happening with your email and adjust accordingly.

April 2024 - EmailSecuritySPF
Marketer view

Email Marketer from Email Reddit points out it's critical to carefully set up SPF and DKIM to prevent legitimate emails from failing DMARC and being quarantined.

December 2023 - Email Reddit
Marketer view

Email Marketer from Email Forum suggests it is important to advocate for alignment and advocate for it with clients. Also that abrupt changes from MS without good communication are not ideal.

May 2021 - Email Forum

What the experts say
8Expert opinions

Microsoft's handling of DMARC reject policies as quarantine stems from their unique approach to authentication and the need to balance security with preventing false positives. DMARC policies are essentially requests, not commands, and receivers like Microsoft have discretion. Key elements include the importance of authentication alignment, the limited value of DMARC in many situations, and the fact that Microsoft often moves unaligned emails directly to spam within its Office 365 platform. Senders should understand Microsoft's practices, especially how it affects forwarded emails, and be aware that this forces workarounds.

Key opinions

  • DMARC as a Request: DMARC policy is more of a request than a command, and receivers can interpret it as they see fit.
  • Microsoft's Unique Approach: Microsoft has its own authentication practices, and this often requires senders to adapt and find workarounds.
  • Alignment is Key: Microsoft's O365 platform will throw unaligned email into the spam folder.
  • Limited DMARC Value: DMARC brings minimal value in many cases and can even break email functionality.

Key considerations

  • Phishing Actions: What senders can do regarding phishing depends on the details of the brand and observed behavior.
  • Authentication Focus: The best parts of DMARC are alignment and reporting.
  • Forwarding Issues: Microsoft's authentication changes significantly impact forwarded emails, often causing them to land in the junk folder.
  • Workarounds Necessary: Be prepared to implement workarounds to accommodate Microsoft's unique authentication practices.
Expert view

Expert from Word to the Wise discusses the changes in how Microsoft handles authentication for inbound mail to Office 365, explaining that Microsoft has made changes that affect the authentication landscape and how email is handled, especially for those using DMARC.

December 2021 - Word to the Wise
Expert view

Expert from Email Geeks shares that a DMARC policy provides information and is at most a request, not a command.

April 2023 - Email Geeks
Expert view

Expert from Email Geeks explains that folks have spoken directly with Microsoft O365 responsible parties who have confirmed they are enforcing alignment and will spam folder anything that doesn’t align *on the office365 platform*.

April 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that what senders can do about phishing using their identity will depend a lot on the details of the brand and what behavior they're seeing.

February 2022 - Email Geeks
Expert view

Expert from Email Geeks says that Microsoft has always done its own thing with authentication, forcing others to work around it.

June 2023 - Email Geeks
Expert view

Expert from Word to the Wise discusses that Microsoft's changes may cause mail sent through forwarders, such as mailing lists, to be delivered to the junk folder, as forwarded messages often fail authentication checks.

August 2021 - Word to the Wise
Expert view

Expert from Email Geeks shares that on the O365 side, anything that isn’t aligned (with or without DMARC) gets thrown into the spam folder.

May 2022 - Email Geeks
Expert view

Expert from Email Geeks shares that the two best parts of DMARC are the concept of alignment for authentication and reporting, while Steve Atkins (WttW) says that there are reasonable times to have a DMARC policy and no reporting, but DMARC brings minimal value in most cases, breaks a lot of things, and costs a lot of money

March 2025 - Email Geeks

What the documentation says
4Technical articles

Microsoft 365 quarantines messages failing DMARC, even with a 'reject' policy, to avoid blocking legitimate emails due to potential misconfigurations. DMARC policies are requests, not commands, giving recipient servers like Microsoft discretion over handling failed authentication. Microsoft routes unaligned mail directly to the spam folder. Ultimately, recipient servers have the final say in how emails failing authentication are handled.

Key findings

  • Quarantine over Reject: Microsoft 365 quarantines DMARC failures on 'reject' to prevent loss of legitimate emails.
  • Policy as Request: DMARC policies are guidelines, not mandates; recipient servers determine the action.
  • Unaligned to Spam: Microsoft directly routes unaligned mail to spam within Office 365.
  • Recipient Control: Recipient servers possess the ultimate decision-making power for handling authentication failures.

Key considerations

  • Configuration: Ensuring proper SPF and DKIM configuration can reduce DMARC failures.
  • Monitoring: Monitoring DMARC reports can aid in identifying and rectifying issues.
  • Microsoft Specifics: Understanding Microsoft's particular handling of DMARC failures is crucial.
  • General Guidelines: Following DMARC best practices improves overall email deliverability.
Technical article

Documentation from SocketLabs Blog explains that Microsoft started routing unaligned mail that comes into O365 hosted clients into the spam folder regardless.

January 2024 - SocketLabs Blog
Technical article

Documentation from Google Workspace Admin Help mentions that DMARC policies are guidelines for how recipient servers should handle emails that fail authentication. However, the ultimate decision rests with the recipient server.

June 2024 - Google Workspace Admin Help
Technical article

Documentation from DMARC.org states that DMARC policies are requests, not commands, and receivers ultimately decide how to handle messages that fail DMARC checks.

June 2023 - DMARC.org
Technical article

Documentation from Microsoft Docs explains that Microsoft 365 quarantines messages that fail DMARC when the sender's domain has a DMARC policy of p=reject, because some legitimate email may fail DMARC.

September 2023 - Microsoft Docs

Related resources
5Resources

Microsoft's recent updates empower domain owners to combat ...
Microsoft's recent updates empower domain owners to combat ...

Microsoft has always encouraged domain owners to deploy DMARC to improve email deliverability and prevent spoofing. It has also been part of industry groups

DuoCircle
Microsoft consumer domains (hotmail, live, msn, outlook, etc.) to start ...
Microsoft consumer domains (hotmail, live, msn, outlook, etc.) to start ...

Posted by u/lolklolk - 7 votes and 4 comments

Reddit
Microsoft Honors DMARC Enforcement Policies - dmarcian
Microsoft Honors DMARC Enforcement Policies - dmarcian

Microsoft Honors DMARC Enforcement Policies. Microsoft, one of the world’s largest mailbox providers is rolling out changes to DMARC.

dmarcian
Microsoft announces its new handling of DMARC policies - Red Sift ...
Microsoft announces its new handling of DMARC policies - Red Sift ...

Microsoft has announced that from July 2023, it will honor DMARC policies in M365 and its consumer properties.

Red Sift Blog
Exchange Online Enforces Sender DMARC Policy | Practical365
Exchange Online Enforces Sender DMARC Policy | Practical365

From mid-August 2023, Exchange Online will enforce the action defined in the sender DMARC policy for inbound messages detected as spoof (by spoof intelligence). Tenants have the chance to amend their anti-phishing policy to decide what to do with these messages. I favor an outright rejection.

Practical 365

Related questions