Stop phishing with help from updated DMARC policy handling
Exchange admins got a boost from Microsoft when it improved how it handles DMARC authentication failures, helping organizations fight back against email-based attacks on their users.
Microsoft's recent updates to DMARC policy handling give administrators more capabilities in their efforts to keep malicious email from reaching their users.
Domain-based Message Authentication, Reporting and Conformance is a protocol for email authentication designed to prevent spoofing and phishing attacks by verifying the legitimacy of the sender's domain. Microsoft recently adjusted its handling of certain settings in DMARC policies in Exchange Online in its Microsoft 365 platform to hinder these email-based threats. Customers now have tighter control over email that fails DMARC validation and better visibility into potentially malicious activity through enhanced reporting functionality. This article explains what's new with DMARC policy handling and how to customize the settings for your organization.
How does DMARC protect the enterprise?
DMARC works when the admin for the sending domain publishes a DMARC policy in that domain's DNS records; the policy tells receiving domains how to handle email that fails authentication checks. The receiving domain checks the validity of incoming email against the sender's published DMARC policy.
This cooperative practice helps prevent spoofing and upholds the integrity of the sending organization.
The key components of DMARC are the following:
- Authentication. DMARC uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate email. SPF verifies the sending server is authorized to send for a specific domain, while DKIM confirms the email's digital signature and so verifies the message was not tampered with in transit. Validating the sender's domain prevents unauthorized use of a domain name, which reduces phishing attempts that rely on impersonating legitimate domains.
- Policy. Domain owners set DMARC policies to control how email servers should handle messages that fail authentication checks; the options are to monitor, quarantine or reject email. This practice helps reduce the chance of a malicious message reaching the inbox of a user.
- Reporting. DMARC reporting gives insights into email traffic from the domain, such as which email passed or failed authentication and from which sources. These reports help organizations identify potential sources of abuse and fine-tune their security measures accordingly.
By reducing spoofing attempts and unauthorized use of a domain, DMARC mitigates phishing attacks, which appear to come from legitimate sources to trick recipients into divulging sensitive information or performing malicious actions.
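To make the authentication and policy components above concrete, here is an added example (not code from the article or from Microsoft) of how a receiving mail server turns SPF and DKIM results into a DMARC verdict and disposition. The organizational-domain helper is a simplification that takes the last two labels; a real validator consults the Public Suffix List. The `AuthResults` and `dmarc_verdict` names and the sample domains are assumptions made for this example.

```python
# Added example (not from the article): how a receiving mail server combines SPF,
# DKIM and identifier alignment into a DMARC verdict and disposition.
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption: real validators consult the Public Suffix List so that
    'example.co.uk' keeps three labels; this shortcut is enough for .com/.net.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) requires an exact match,
    'r' (relaxed) only requires the same organizational domain."""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    header_from: str                     # domain in the visible From: header
    spf_result: str                      # "pass", "fail", "none", ...
    spf_domain: str                      # envelope (MAIL FROM) domain SPF checked
    dkim_results: list = field(default_factory=list)  # (result, d= domain) pairs


def dmarc_verdict(auth: AuthResults, policy: dict) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    `policy` holds the tags from the sender's DMARC TXT record,
    e.g. {"p": "reject", "sp": "quarantine", "adkim": "r", "aspf": "r"}.
    """
    aspf = policy.get("aspf", "r")
    adkim = policy.get("adkim", "r")

    # SPF only counts if it passed AND the checked domain aligns with From:.
    spf_ok = auth.spf_result == "pass" and aligned(auth.header_from, auth.spf_domain, aspf)
    # Any one aligned, passing DKIM signature is enough.
    dkim_ok = any(result == "pass" and aligned(auth.header_from, d, adkim)
                  for result, d in auth.dkim_results)

    if spf_ok or dkim_ok:
        return "pass", "none"

    # Failure: apply p=, or sp= when the From: domain is a subdomain.
    disposition = policy.get("p", "none")
    is_subdomain = auth.header_from.lower().rstrip(".") != org_domain(auth.header_from)
    if is_subdomain and "sp" in policy:
        disposition = policy["sp"]
    return "fail", disposition


if __name__ == "__main__":
    policy = {"p": "reject", "adkim": "r", "aspf": "r"}
    legit = AuthResults("example.com", "pass", "bounce.example.com", [("pass", "example.com")])
    spoof = AuthResults("example.com", "pass", "attacker.example", [])
    print(dmarc_verdict(legit, policy))   # ('pass', 'none')
    print(dmarc_verdict(spoof, policy))   # ('fail', 'reject')
```

The second sample message shows why alignment matters: SPF passes for the envelope domain the attacker controls, but because that domain does not align with the visible From: domain, DMARC still fails and the reject policy applies.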
In 2023, Microsoft increased the stringency of its DMARC policy settings for its domains to honor the reject DMARC policy and block email. Prior to these changes, if an email failed DMARC authentication and the DMARC policy was set to reject, the email could still reach the user by going into either their junk or spam folder because Microsoft treated the reject policy as a quarantine policy. This could expose the organization to risk by delivering phishing attempts to the user.
When the sending organization publishes a reject policy and a message fails authentication, the sender receives a nondelivery report with a short description of why the email did not go through.
Microsoft's default setting on Microsoft 365 is to honor the sender's DMARC policy, but admins can override this in the admin portal's anti-phishing policy section. For example, if the organization is undergoing a heavy phishing attack, then the admin might want to make a stricter policy, such as making a rule to quarantine all email from a certain domain.
DMARC is just one component of a holistic email security strategy. Combining DMARC with other measures, such as employee training, anti-phishing tools, regular security assessments and multifactor authentication, strengthens an organization's defense against email-based attacks.
Understand how DMARC policies work
A DMARC policy benefits the sending organization by preventing malicious actors from spoofing the domain, assisting with making sure email reaches the inbox rather than a junk folder and giving the Exchange admin insights into why email authentication failed and how to correct it.
Setting up a DMARC policy involves a few steps. First, you must understand your email infrastructure: how your organization sends email, the domains used and the authentication methods used.
Working with DMARC requires technical expertise in DNS management and email authentication protocols to configure DMARC for your organization's specific needs while minimizing the risk of interruptions to legitimate email flow. Admins unfamiliar with DMARC can use a DMARC analyzer tool to check the configuration of their DMARC policy.
Create a DMARC TXT record in your domain's DNS settings. This record contains the policies to handle email that fails DMARC authentication and dictates the preferred reporting method to check and examine these errors:
- Define your DMARC policy. Decide to either monitor, quarantine or reject an email that fails DMARC authentication. Specify this in the DMARC policy with the following tags: p=none (monitor only), p=quarantine (quarantine failed email) or p=reject (reject failed email).
- Decide on a reporting preference. Determine where to send DMARC reports. Use the rua (aggregate reports) and ruf (forensic reports) tags to specify the recipient email addresses.
Aggregate reports use the rua (Reporting URI for Aggregate) tag. These reports provide an overview of the domain's email traffic and include information about authentication results. Analyze these reports to identify sending sources, authentication status and potential issues.
Forensic reports use the ruf (Reporting URI for Forensic) tag. These reports provide detailed information about specific failed messages, including message headers and content. These reports help with diagnosing issues with authentication failures or identifying malicious email.
Gradually implement DMARC. Start with a "none" (p=none) policy to monitor email delivery. Review the generated reports to identify legitimate senders and sources of failed authentication.
Next, enforce a stricter policy. Based on the monitoring phase, adjust your DMARC policy to "quarantine" (p=quarantine) or "reject" (p=reject) mode for better protection. Ensure legitimate sources align with your policy to avoid email disruptions.
Regularly review DMARC reports to avoid email problems. Adjust policies as needed to maintain security without affecting legitimate communication.
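The record-creation and gradual-rollout steps above, as an added example (not code from the article or from any vendor): a small builder and validator for the DMARC TXT record that is published at the `_dmarc` name under the domain, producing one record per rollout stage. The stage list, the `pct=25` sampling step and the report address are assumptions made for this example.

```python
# Added example (not from the article): build and validate the DMARC TXT record
# for each stage of a gradual rollout (p=none -> p=quarantine -> p=reject).
POLICIES = ("none", "quarantine", "reject")
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, rejecting malformed records."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key not in KNOWN_TAGS:
            raise ValueError(f"unknown tag: {key!r}")
        tags[key] = value
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be 0-100")
    for key in ("adkim", "aspf"):
        if tags.get(key, "r") not in ("r", "s"):
            raise ValueError(f"{key}= must be r or s")
    for key in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
            if not uri.startswith("mailto:"):
                raise ValueError(f"{key}= URI must use mailto: ({uri!r})")
    return tags


def build_dmarc_record(policy: str, rua: str, ruf: str = None, pct: int = 100,
                       sp: str = None, adkim: str = "r", aspf: str = "r") -> str:
    """Assemble a record; it is validated by round-tripping through the parser."""
    parts = ["v=DMARC1", f"p={policy}"]
    if sp:
        parts.append(f"sp={sp}")
    if pct != 100:
        parts.append(f"pct={pct}")            # apply the policy to a sample first
    parts += [f"adkim={adkim}", f"aspf={aspf}", f"rua=mailto:{rua}"]
    if ruf:
        parts.append(f"ruf=mailto:{ruf}")
    record = "; ".join(parts)
    parse_dmarc_record(record)
    return record


# Assumed rollout: monitor, quarantine a sample, quarantine all, then reject.
ROLLOUT = [("none", 100), ("quarantine", 25), ("quarantine", 100), ("reject", 100)]


def rollout_records(rua: str) -> list:
    """One record per stage; the TXT record at _dmarc.<domain> is replaced each time."""
    return [build_dmarc_record(p, rua, pct=pct) for p, pct in ROLLOUT]


if __name__ == "__main__":
    for rec in rollout_records("dmarc-reports@example.com"):
        print(rec)
```

Moving from one stage to the next should only happen after the aggregate reports from the previous stage show that every legitimate sending source passes with aligned SPF or DKIM; the `pct` tag lets you enforce on a fraction of traffic while you confirm that.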
How to configure a DMARC policy for Microsoft 365
To set up a DMARC policy in Microsoft 365, formerly Office 365, follow these steps:
- Access the Microsoft Defender portal.
  - Go to security.microsoft.com, and sign in with your admin credentials.
  - Navigate to Policies & Rules > Threat Policies.
- Set up DMARC.
  - Select Anti-phishing.
- Create or modify the DMARC policy.
  - Click the + icon to create a new policy.
  - Choose New custom policy or modify an existing policy.
- Define DMARC settings.
  - Under the new policy or the existing one, navigate to the Settings section.
  - Configure the following DMARC settings:
    - Enforce Policy. Choose Quarantine or Reject to enforce DMARC policy. Start with None for monitoring purposes.
    - Report Options. Specify where you want to send aggregate (rua) and forensic (ruf) DMARC reports.
- Finalize the DMARC policy configuration.
  - After configuring and checking the DMARC settings, save your changes.
- Enable DMARC for your domain.
  - Use DMARC enforcement for your domain by setting the DMARC record in your DNS settings.
  - Obtain the DMARC TXT record generated by Microsoft 365, and add it to your domain's DNS records.
- Monitor and adjust.
  - Check the DMARC reports regularly to see how the policy affects email flow.
  - Adjust the policy based on the monitoring results.
How to check DMARC policy reports
To check DMARC settings and review authentication failures and other information about email, make sure the configuration for the DMARC policy includes report generation and the email address(es) to send the reports to. DMARC reports are typically sent in XML format.
The reports contain detailed information related to email authentication, including pass/fail results and IP addresses of the sending sources. Microsoft does not offer a dedicated DMARC analysis tool, but several online tools and services can help interpret the results of DMARC reports. Vendors such as Dmarcian, URIports and EasyDMARC make tools to process this data.
Review the reports regularly to identify trends, sources of failed authentication or potential spoofing attempts.
Take action to address authentication failures, such as adjusting SPF and DKIM records and investigating suspicious sources.
By regularly analyzing DMARC reports and using tools to interpret the data, you can gain insights into your email ecosystem's health, identify potential threats and take appropriate measures to enhance email authentication and security.
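The report review described in this section, as an added example (not code from the article or from any of the vendors named): a parser that rolls up a DMARC aggregate (rua) XML report by source IP and flags the sources failing DMARC. The XML is a constructed sample in the RFC 7489 aggregate-report layout; the report ID, IP addresses and domains are made up for this example.

```python
# Added example (not from the article): summarize a DMARC aggregate (rua) report.
# SAMPLE_REPORT is a constructed sample in the RFC 7489 aggregate-report format.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-reports@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.44</source_ip><count>30</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>203.0.113.7</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_aggregate_report(xml_text: str) -> dict:
    """Roll up a rua report by source IP and flag sources failing DMARC.

    Reports arrive from third parties, so parse untrusted input with
    defusedxml; the stdlib parser is used here only on constructed data.
    """
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    published_p = root.findtext("policy_published/p")
    sources = {}
    totals = defaultdict(int)
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        # policy_evaluated holds the *aligned* results; auth_results holds raw ones,
        # so a raw SPF pass for an unaligned domain still shows up as a DMARC fail.
        raw_spf_domain = rec.findtext("auth_results/spf/domain")
        passed = dkim == "pass" or spf == "pass"
        sources[ip] = {
            "count": count,
            "dmarc": "pass" if passed else "fail",
            "disposition": ev.findtext("disposition"),
            "spf_domain": raw_spf_domain,
        }
        totals["messages"] += count
        totals["failing"] += 0 if passed else count
    failing = sorted(ip for ip, s in sources.items() if s["dmarc"] == "fail")
    return {"domain": domain, "published_policy": published_p,
            "total": totals["messages"], "failing": totals["failing"],
            "failing_sources": failing, "sources": sources}


if __name__ == "__main__":
    summary = summarize_aggregate_report(SAMPLE_REPORT)
    for ip in summary["failing_sources"]:
        print(ip, summary["sources"][ip])
```

In the sample, the two failing sources call for different responses: 192.0.2.44 passes raw SPF for a third-party domain but is unaligned, which is the signature of a legitimate service that needs DKIM signing or an aligned return-path before it is rejected, while 203.0.113.7 has no authentication at all and is the kind of source to investigate as possible spoofing.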
Helen Searle-Jones holds a group head of IT position in the manufacturing sector and has more than 25 years of experience with managing a wide range of Microsoft technologies in the cloud and on premises.