I recently enabled DMARC for all of my domains. Upon testing DMARC with o365 there are several issues with the way o365 has it enabled.
I use the p=REJECT option. I do this because I don't want people receiving spoofed emails from any of my domains. o365, instead of rejecting the message, actually QUARANTINES the message. This is currently MS policy because they have too many clueless admins that complain about the p=reject (that they set) actually rejecting messages. Seriously, if we are going to dumb down this functionality, what other security features in o365 have been dumbed down because of clueless admins?
o365 fails to send the summary report about 99% of the time. I have sent 30 test messages over the course of the last month, and so far I have only received 1 summary message. Support says there is nothing wrong with this and it is working as it is supposed to.
The 1 report it did send magically came from HOTMAIL. Seriously, we can't update to reflect Office 365?
Gary Morris commented
I really dislike the way MS handles DMARC. Half the spoofed mail still comes through anyway, not signed by DKIM and not in SMTP, but still MS lets it through. Guessing this is about getting customers to pay more for their services, but I don't see how you can call it DMARC if it doesn't work that way.
Povl H. Pedersen commented
policy=reject MUST be handled as per RFC. REJECT the mail.
As it is now, I cannot test my SPF/DMARC records against O365, and company users using shady mail servers do not get the same experience as most end users because of the failure to implement the RFC correctly.
Please handle DMARC policy=reject as per RFC.
And please add support for sending RUA reports. Not that critical though.
As a help to others, Get-PhishFilterPolicy will return domains sending spoofed mails to your tenant (DMARC fail).
Jeremy Hinkle commented
I'm only voting for this because this has the most votes regarding DMARC policy. Per Microsoft's policy, if your DMARC is set to p=reject, Microsoft will treat it as p=quarantine and send it to the user's mailbox (junk mail folder). Microsoft needs to treat everyone's DMARC policy to what the admin set it to - just like any other mail provider. Microsoft shouldn't be undermining the DMARC policy that I set for my organization. Now we have to add additional checks because they think they know what's best for me and our organization.
Rinch Anderson commented
Further to this, the p=quarantine action doesn't quarantine the message, but marks it as spam, as apparently does the p=none action? wtaf?! 2 years later nearly...