Rare DMARC Bypass Spotted: Safeguard Your Users with a Simple Transport Rule in Exchange Online Protection

In the world of email security, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a cornerstone of defense against email spoofing and phishing attacks. However, we recently observed a rare scenario where DMARC’s protection can be inadvertently bypassed—and it highlights the importance of having backup measures in place.

Here’s the situation: when a domain’s DMARC record cannot be evaluated due to a DNS server issue, Exchange Online Protection (EOP) does not automatically block or quarantine the unauthenticated email. Instead, the email passes through the usual antispam filters. In some cases, this means malicious emails may still slip through and land in users’ inboxes, leaving them vulnerable to phishing or fraud attempts.

Why Does This Happen?

DMARC relies on DNS for policy evaluation. If the DNS servers hosting the DMARC record of a sender domain are temporarily unavailable or slow to respond, the lookup fails. In this "temporary DNS error" state, Exchange Online Protection continues processing the email through its standard antispam mechanisms without applying DMARC-specific enforcement.

While antispam filters are robust, they are not infallible. An email that is crafted to evade antispam measures, and that would still fail DMARC authentication, could potentially reach end users.

The Simple Solution: Configure a Transport Rule

To address this rare yet significant vulnerability, administrators can configure a transport rule in Exchange Online Protection (EOP) to take action when a DMARC lookup results in a temporary error.

Steps to Create the Rule:

  1. Access the Exchange Admin Center (EAC): Log in to your Microsoft 365 portal and navigate to the Exchange Admin Center.
  2. Create a New Rule: Go to Mail Flow > Rules, and create a new rule.
  3. Set the Condition: Configure the condition to match emails where the DMARC lookup result is "temperror" (temporary error).
  4. Define the Action: Set the action to mark these emails as spam.
  • Recommendation: Do not reject these emails outright, as legitimate senders could also experience temporary DNS issues. Marking them as spam ensures users are protected without risking the loss of valid communications.
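
The same rule can also be created from Exchange Online PowerShell. The script below is an added example, not part of the original post: it assumes the temporary error appears as `dmarc=temperror` in the `Authentication-Results` header stamped by EOP, and the rule name and the SCL value of 6 are illustrative choices.

```powershell
# Added example (not from the original post).
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Hypothetical rule name; pick one that fits your naming convention.
$ruleName = 'DMARC temperror - mark as spam'

# Assumption: EOP records the DMARC result in the Authentication-Results
# header, so a temporary DNS failure shows up there as "dmarc=temperror".
$ruleParams = @{
    FromScope                   = 'NotInOrganization'       # inbound mail from external senders only
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = 'dmarc=temperror'
    SetSCL                      = 6                          # assumed value: treated as spam, not rejected
    Mode                        = 'Enforce'                  # use 'Audit' first to measure impact without acting
    Comments                    = 'Mark mail as spam when the DMARC lookup ended in a temporary DNS error.'
}

# Create the rule if it does not exist yet, otherwise update it in place,
# so the script can be re-run safely.
$existing = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-TransportRule -Identity $ruleName @ruleParams
} else {
    New-TransportRule -Name $ruleName @ruleParams
}

# Show the resulting rule for review.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords, SetSCL

Disconnect-ExchangeOnline -Confirm:$false
```

Running the rule in `Audit` mode for a few days before switching to `Enforce` shows how many legitimate senders hit temporary DNS errors in your mail flow.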

Final Thoughts

While this DMARC bypass scenario is rare, it underscores the importance of layered email defenses. A simple transport rule in Exchange Online Protection can serve as an additional safeguard, ensuring that even when DMARC fails due to external factors, your users remain protected.

Stay vigilant, and keep your email defenses proactive and resilient against evolving threats!

Fed up with phishing, spam, deliverability issues, and cryptic DNS configurations? Explore our managed service plans, customized to fit your unique needs!
