On July 19, Microsoft announced on the Exchange blog major changes to their DMARC policy management! These changes will simultaneously affect the messaging services of their private and business customers.
DMARC objectives
As a reminder, Domain-based Message Authentication, Reporting & Conformance (DMARC) is a standard that builds on the SPF and DKIM authentication results, and on their alignment with the From: domain, to tell receivers which security policy to apply (NONE, QUARANTINE or REJECT) when a message fails DMARC.
Non-compliance with DMARC is due to:
SPF and DKIM misconfiguration by the company
Fraudulent use of the company's sender domain by a malicious third party
DMARC's main objectives are to:
Protect your domain name against identity theft.
Provide domain authentication reports (for the main domain and its subdomains) to companies. These reports are sent back by the receiving parties, such as ISPs, webmail providers and companies.
"If you haven't yet deployed DMARC on your main domain, I invite you to take a look at our guide dedicated to this subject."
DMARC management at Microsoft, Gmail and Yahoo
Whereas its main competitors already apply the security policy defined in the DMARC record when a message fails, Microsoft has, since this announcement, changed its DMARC handling! So, if a received e-mail is not DMARC-compliant, Microsoft will now apply the value defined in the p tag (p=quarantine or p=reject) of the DMARC record published for the sending domain (the From: header domain).
Note on NONE: the value p=none requests no action, so nothing changes for domains that publish it.
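To make the verdict described above concrete, here is an added example (not code from the original post or from Microsoft) that evaluates DMARC from an Authentication-Results-style line and a DMARC record: it checks SPF and DKIM alignment with the From: domain and, on failure, returns the action requested by p (or sp for subdomains). The sample headers are constructed from the trimmed test 01 results shown later in the post, and the organizational-domain helper is a deliberate simplification of what real verifiers do with the Public Suffix List.

```python
import re

# Constructed samples mirroring the post's test 01 headers (trimmed): SPF passes
# for the ESP bounce domain, DKIM fails or passes only for an unaligned domain.
SAMPLE_OUTLOOK = ("spf=pass (sender IP is 77.32.148.59) smtp.mailfrom=ig.d.sender-sib.com; "
                  "dkim=fail (no key for signature) header.d=sficonsulting.email; "
                  "header.from=sficonsulting.email")
SAMPLE_GMAIL = ("mx.google.com; dkim=temperror (no key for signature) header.i=@sficonsulting.email; "
                "dkim=pass header.i=@mailin.fr header.s=mail; "
                'spf=pass smtp.mailfrom="bounces-b7caw-yesreply=sficonsulting.email@ig.d.sender-sib.com "; '
                "header.from=sficonsulting.email")

def org_domain(domain):
    """Crude organizational domain (last two labels); real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, header_from, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)

def parse_tags(record):
    """Turn 'v=DMARC1; p=quarantine; adkim=s' into a tag dict."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def dmarc_disposition(auth_results, dmarc_record):
    """Return the DMARC result and the action the p/sp tag asks the receiver to take."""
    tags = parse_tags(dmarc_record)
    header_from = re.search(r"header\.from=([\w.-]+)", auth_results).group(1)
    # SPF counts only if it passed AND the envelope-from (smtp.mailfrom) domain aligns with From
    spf = re.search(r'spf=(\w+)[^;]*smtp\.mailfrom="?(?:[^@\s"]+@)?([\w.-]+)', auth_results)
    spf_ok = bool(spf and spf.group(1) == "pass"
                  and aligned(spf.group(2), header_from, tags.get("aspf", "r")))
    # DKIM counts if any passing signature's domain (header.d= or header.i=@) aligns with From
    dkim_domains = re.findall(r"dkim=pass[^;]*?header\.[di]=@?([\w.-]+)", auth_results)
    dkim_ok = any(aligned(d, header_from, tags.get("adkim", "r")) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "action": "none"}
    # On failure, p applies to the org domain and sp (when present) to its subdomains
    is_subdomain = header_from.lower() != org_domain(header_from)
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return {"dmarc": "fail", "action": policy.lower()}
```

With the constructed headers, both samples fail DMARC because neither the SPF domain nor the passing DKIM domain aligns with sficonsulting.email, so the action is exactly what the record's p tag says.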
I tested, on my domain name, sending 2 campaigns from my Brevo account with valid SPF authentication that was not aligned with my sender domain, and I deliberately removed the DKIM public key (initially provided by Brevo) to generate a DMARC=fail on my mailings to my Outlook.fr, Yahoo.com and Gmail.com addresses. This enables me to check that Microsoft, Gmail and Yahoo are applying the security policy I've defined!
Test 01: with DMARC policy p=quarantine
Outlook: the e-mail was placed in the spam folder!
Authentication-Results: spf=pass (sender IP is 77.32.148.59) smtp.mailfrom=ig.d.sender-sib.com; dkim=fail (no key for signature) header.d=sficonsulting.email; dmarc=fail action=quarantine header.from=sficonsulting.email; compauth=fail reason=000
Gmail: my e-mail was placed in the spam folder and flagged as dangerous!
Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@sficonsulting.email header.s=mail header.b=iABVnDRa; dkim=pass header.i=@mailin.fr header.s=mail header.b=tDcfFbPc; spf=pass (google.com: domain of bounces-b7caw-yesreply=sficonsulting.email@ig.d.sender-sib.com designates 77.32.148.59 as permitted sender) smtp.mailfrom="bounces-b7caw-yesreply=sficonsulting.email@ig.d.sender-sib.com "; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=sficonsulting.email
Yahoo: my e-mail was placed in the spam folder!
Test 02: with DMARC policy p=reject
Outlook: my e-mail was bounced!
550 5.7.509 Access denied, sending domain [SFICONSULTING.EMAIL] does not pass DMARC verification and has a DMARC policy of reject.
Gmail: my e-mail was bounced!
550-5.7.26 Unauthenticated email from sficonsulting.email is not accepted due to
550-5.7.26 domain's DMARC policy. Please contact the administrator of
550-5.7.26 sficonsulting.email domain if this was a legitimate mail. Please
550-5.7.26 visit
550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the
550 5.7.26 DMARC initiative.
Yahoo: my e-mail was bounced!
554 5.7.9 Message not accepted for policy reasons. See https://postmaster.yahooinc.com/error-codes
This series of tests shows that Microsoft strictly applies the security policy defined in the p tag of the sender domain's DMARC record. The same applies to Gmail and Yahoo. A good point for domain name protection!
Microsoft also states in its dedicated article that deployment of this new management system began on July 19 and should be completed by mid-August! (You know what you have to do, especially if you're not sure that all your e-mail flows are compliant :p).
Who is affected by Microsoft's measure?
The entire Microsoft ecosystem will, in due course (editor's note: mid-August), benefit from this measure, by which I mean individuals (Hotmail, Outlook, Live, Msn.com) and all businesses using Microsoft services. This means that all flows managed by Microsoft will comply with the DMARC standard and apply the published security policy!
Individuals
For users of the free service, Microsoft will apply the security policy defined on the sender domain and will reject any e-mail that does not comply with DMARC (editor's note: see the result of test 02 and the bounce returned by Microsoft on p=reject), which was not the case until recently (such mail was put in spam instead of being rejected)!
Previously, Microsoft treated a DMARC p=reject policy the same way as quarantine. The Authentication-Results header would show dmarc=fail action=oreject, which stands for override reject.
Businesses
Companies with a paid Microsoft 365 account will be able to choose how to handle DMARC non-compliant e-mails, i.e. whether to reject them (p=reject) or put them in spam (p=quarantine). Whether Microsoft leaves this option in place or removes it, we'll have to wait and see!
Need help with your DMARC deployment?
You haven't deployed DMARC yet, or don't know where to start? Would you like to tighten up your DMARC security policy, but aren't sure that all your flows are compliant? Are you looking to implement a DMARC monitoring tool but don't know which one to choose?
We're here to help! As well as deploying DMARC, we can audit and optimize the security of your domain names and e-mail flows.
Sebastien is the main consultant on deliverability issues in the Badsender team. He has been working on the subject for more than 10 years, and has spent his entire career with ESPs such as Emailvision, Adobe Campaign or Cabestan.