Arm your users against targeted phishing using the email addresses of your employees/customers/vendors/etc.

Microsoft 365

Email remains the preferred entry point for cybercriminals, both for malware distribution and for collecting credentials through phishing. Phishing attacks can take many forms. The most dangerous are those that impersonate the exact email address of your employees, customers and suppliers:

Email Spoofing

If you or your external contacts have not yet set DMARC to "reject" mode, it is relatively easy for cybercriminals to reach you through spoofed email addresses, using tools like this one:

In this article, we show Exchange Online users how to configure a "transport rule" (also called a "mail flow rule") that notifies your users when they receive an email that fails the DMARC compliance check.

What is a DMARC compliance check?

An email that fails SPF or DKIM authentication will not pass the DMARC compliance check. This email may then be viewed as suspicious by those receiving it, as there is no technical indication that it was sent by a system approved by the organisation that owns the domain name of the spoofed email address. Here is an example:

The email below was sent on behalf of "myFrenchStartup <>", by Mailchimp.

However, this email was not authenticated by the domain "" with the SPF & DKIM protocols.

  • The email passes its SPF check with the domain and not the domain
  • The email passes its DKIM check with the domain and not the domain
It therefore fails the DMARC compliance check.

The domain does not tell its recipients which policy to apply (quarantine or reject) when they receive a failed DMARC email from

Using DMARC, you can tell the receiving email server how it should react when it receives a message that appears to be from your domain but doesn’t pass the SPF or DKIM authentication requirements.

Even if there is no evidence that this email was sent by, it may still be accepted in your users' mailbox.

By adding a warning message to emails you receive that fail their DMARC compliance checks, the Exchange Online transport rule below helps to mitigate your contacts' failure to protect their domains with the DMARC protocol.

Below, using this transport rule, we add the prefix "Spoofed email" in the subject of received emails that fail DMARC:

And here is the result:

This marker tells your users to be careful before opening the email, because the person who sent it may not be the person shown in the sender's address.
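
The transport rule described above can also be created from Exchange Online PowerShell; the script below is an added example, not the article's own configuration. It assumes the rule matches on `dmarc=fail` in the `Authentication-Results` header that Exchange Online stamps on inbound mail; the rule name, the exact prefix punctuation and the exception for already-tagged subjects are illustrative choices.

```powershell
# Added example (not from the original article).
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline            # interactive sign-in

$ruleName = 'Tag inbound DMARC failures'   # hypothetical rule name
$prefix   = 'Spoofed email: '              # wording from the article; colon and space added here

$params = @{
    Name                         = $ruleName
    Comments                     = 'Prepends a warning to the subject of inbound mail that fails DMARC.'
    # Only evaluate mail arriving from outside the organisation.
    FromScope                    = 'NotInOrganization'
    # Condition (assumption): the DMARC verdict recorded in Authentication-Results.
    HeaderContainsMessageHeader  = 'Authentication-Results'
    HeaderContainsWords          = 'dmarc=fail'
    # Action: the subject prefix shown to the user.
    PrependSubject               = $prefix
    # Avoid stacking the prefix on replies and forwards that already carry it.
    ExceptIfSubjectContainsWords = 'Spoofed email'
    # 'Enforce' applies the action; use 'Audit' first to log matches
    # in message tracking without modifying any message.
    Mode                         = 'Enforce'
}

# Create the rule only if it does not already exist, so the script can be re-run safely.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Host "Rule '$ruleName' already exists; no change made."
} else {
    New-TransportRule @params | Out-Null
    Write-Host "Rule '$ruleName' created."
}

# Show the rule as stored, to confirm state, mode and priority.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, Priority

Disconnect-ExchangeOnline -Confirm:$false
```

Running the rule in `Audit` mode for a few days before switching to `Enforce` shows which legitimate senders (newsletters, SaaS notifications) currently fail DMARC and would be tagged.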