Microsoft Defender for Office 365: DMARC Policy Handling
In order to better protect our customers from exact domain spoofing attacks and improve deliverability of email, Microsoft is making changes to how we handle DMARC p=reject and p=quarantine.
For enterprise customers, Microsoft is updating how DMARC policy-based reject can be handled. This change lets Security Administrators choose how DMARC policy-based reject and quarantine are applied within their organization.
When this will happen:
Standard: Rollout will begin on July 13th, 2023, and policies will take effect by August 10, 2023. Customers will have 25 days to opt out.
Gov Cloud: Rollout will begin on July 19, 2023, and policies will take effect by August 14, 2023. Customers will have 25 days to opt out.
How this will affect your organization:
For enterprise customers, the Anti-Phishing policy will have a new default setting to honor DMARC policy. The default actions for ‘p=reject’ and ‘p=quarantine’ will be set to ‘reject’ and ‘quarantine,’ respectively.
With the updated actions for spoof intelligence settings in the Anti-Phishing policy, recipient tenant admins will have the flexibility to choose how they want to handle DMARC policy.
In the default enabled state, we will take the specified action of ‘reject’ or ‘quarantine’ based on the sender’s DMARC record. The tenant admin can modify it to either “reject” or “junk” the message as per their preference.
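The mapping described above, from a sender's published DMARC record to the action on a message that fails DMARC, can be sketched as follows. This is an added example, not Microsoft's code: the function names, the `actions` override dictionary and the sample records are assumptions, and the opted-out path is not modelled because the text does not describe it.

```python
# Added example. Names are hypothetical; sample records are constructed.
VALID = ("none", "quarantine", "reject")
DEFAULT_ACTIONS = {"reject": "reject", "quarantine": "quarantine"}  # defaults per the text

def published_policy(txt, is_subdomain=False):
    """Return the sender's DMARC policy (none/quarantine/reject) from a TXT record."""
    tags, first = {}, None
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not name and not sep:
            continue                      # empty segment, e.g. a trailing ';'
        if not sep:
            return "none"                 # malformed tag: no enforceable policy
        if first is None:
            first = (name, value)
        tags.setdefault(name, value.lower())
    # RFC 7489: the record is ignored unless v=DMARC1 is the first tag.
    if first != ("v", "DMARC1"):
        return "none"
    if tags.get("p") not in VALID:
        return "none"                     # no valid p=: nothing to enforce
    # sp= overrides p= for subdomains of the domain that published the record.
    policy = tags["sp"] if is_subdomain and "sp" in tags else tags["p"]
    return policy if policy in VALID else "none"

def action_on_dmarc_fail(txt, honor=True, actions=DEFAULT_ACTIONS, is_subdomain=False):
    """Action for a message that fails DMARC, or None if the policy dictates none."""
    if not honor:
        return None                       # opted out: not described in the text
    return actions.get(published_policy(txt, is_subdomain))

SAMPLE_RECORDS = {                        # constructed, not real DNS data
    "bank.example": "v=DMARC1; p=reject; rua=mailto:d@bank.example",
    "news.example": "v=DMARC1; p=quarantine; sp=none;",
    "shop.example": "v=DMARC1; p=none",
    "old.example": "p=reject; v=DMARC1",  # v= is not first, so the record is ignored
}

def impact(records, **settings):
    """Map each sending domain to the action its failing mail would receive."""
    return {d: action_on_dmarc_fail(r, **settings) for d, r in records.items()}

if __name__ == "__main__":
    for domain, action in impact(SAMPLE_RECORDS).items():
        print(f"{domain:14} {action or 'no DMARC-based action'}")
```

Passing `actions={"reject": "reject", "quarantine": "junk"}` models an admin who changes the quarantine handling from its default.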
What you need to do to prepare:
After the rollout date, the UX and cmdlet will be set to default values, but the actions will not take effect until the specified date. If you prefer to handle DMARC actions differently, you can modify the settings before the specified date. From the specified date, the selected settings will come into effect.
In preparation for honoring DMARC, you may choose to review the spoof intelligence insight to identify legitimate senders whose email is subject to DMARC reject or quarantine. Based on your organization’s email sending business, you may add overrides for these sender domain pairs to the Tenant Allow/Block Lists – Spoofed Senders. You may want to notify your users about this change and update your training and documentation as appropriate.