In the world of email security, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a cornerstone of defense against email spoofing and phishing attacks. However, we recently observed a rare scenario where DMARC’s protection can be inadvertently bypassed—and it highlights the importance of having backup measures in place.
Here’s the situation: when a domain’s DMARC record cannot be evaluated due to a DNS server issue, Exchange Online Protection (EOP) does not automatically block or quarantine the unauthenticated email. Instead, the email passes through the usual antispam filters. In some cases, this means malicious emails may still slip through and land in users’ inboxes, leaving them vulnerable to phishing or fraud attempts.
Why Does This Happen?
DMARC relies on DNS for policy evaluation. If the DNS servers hosting the DMARC record of a sender domain are temporarily unavailable or slow to respond, the lookup fails. In this "temporary DNS error" state, Exchange Online Protection continues processing the email through its standard antispam mechanisms without applying DMARC-specific enforcement.
While antispam filters are robust, they are not infallible. An email crafted to evade antispam measures but still fail DMARC authentication could potentially reach end users.
The Simple Solution: Configure a Transport Rule
To address this rare yet significant vulnerability, administrators can configure a transport rule in Exchange Online Protection (EOP) to take action when a DMARC lookup results in a temporary error.
Steps to Create the Rule:
- Access the Exchange Admin Center (EAC): Log in to your Microsoft 365 portal and navigate to the Exchange Admin Center.
- Create a New Rule: Go to Mail Flow > Rules, and create a new rule.
- Set the Condition: Configure the condition to match emails where the DMARC lookup result is "temperror" (temporary error).
- Define the Action: Set the action to mark these emails as spam.
- Recommendation: Do not reject these emails outright, as legitimate senders could also experience temporary DNS issues. Marking them as spam ensures users are protected without risking the loss of valid communications.
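The same rule, created from Exchange Online PowerShell instead of the Exchange Admin Center, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed, that your account can manage mail flow rules, and that EOP records the DMARC verdict in the Authentication-Results header as "dmarc=temperror"; the rule name is a placeholder.

```powershell
# Added example (not from the original post): create the EOP transport rule
# from Exchange Online PowerShell instead of clicking through the EAC.
# Assumptions: the ExchangeOnlineManagement module is installed, the signed-in
# account can manage mail flow rules, and EOP stamps the DMARC verdict into the
# Authentication-Results header as "dmarc=temperror".

# Interactive sign-in to Exchange Online.
Connect-ExchangeOnline

$ruleName = "Mark DMARC temperror as spam"   # placeholder name

# Condition: the Authentication-Results header stamped by EOP contains the
# DMARC temporary-error verdict (regex match on the header value).
# Action: set the Spam Confidence Level instead of rejecting. SCL 6 is treated
# as spam and routed to the Junk Email folder, so a legitimate sender whose
# DNS is briefly unavailable is not lost, matching the post's recommendation.
New-TransportRule -Name $ruleName `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns "dmarc=temperror" `
    -SetSCL 6 `
    -Mode Enforce `
    -Comments "Treat mail as spam when the sender's DMARC record could not be evaluated (temporary DNS error)."

# Verify the rule exists, is enabled, and carries the intended condition/action.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority,
                HeaderMatchesMessageHeader, HeaderMatchesPatterns, SetSCL
```

If your tenant should quarantine rather than junk such mail, raise the SCL (7 to 9 is high-confidence spam) instead of adding a reject action, for the reason given in the recommendation above.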
Final Thoughts
While this DMARC bypass scenario is rare, it underscores the importance of layered email defenses. A simple transport rule in Exchange Online Protection can serve as an additional safeguard, ensuring that even when DMARC fails due to external factors, your users remain protected.
Stay vigilant, and keep your email defenses proactive and resilient against evolving threats!