Enforcement of DMARC fails. Currently DMARC fails are still delivered to the mailbox, mind you the Junk folder, but still enabled for users to take action against an identity that has failed checks. I propose that all DMARC fails do not get delivered to the mailbox; however, a report be created to help administrators notify trusted senders to fix their stuff.
Gary Morris commented
Whilst MS thinks that the SCL level is a good workaround for spoofing, it really isn't. I get that Exchange is cobbled together and to build this to work correctly is painful, but honestly Action Reject or Quarantine should override every setting, which is what DMARC is meant to do.
Most companies struggle as their own domain should be whitelisted for allowed senders to be trusted and not have to download images, but of course when Exchange sees the whitelist it ignores the DMARC and allows the mail through... Please add proper DMARC handling, MS. Can't believe the number of posts requesting it. Even if you add it into transport rules and admins have to set the policy.
Jeremy Hinkle commented
Microsoft needs to fix this! I set our DMARC policy to reject because I don't want spoofed emails to get through. Microsoft is undermining the DMARC policy I set because they think they know best. And now we have spoofed emails getting delivered to mailboxes (junk mail folder).