EasyDMARC has issued a technical advisory highlighting a critical gap in Microsoft 365’s handling of DMARC, warning that organizations are not fully protected even when publishing a strict p=reject policy.
According to the company’s analysis, Exchange Online Protection (EOP) can skip DMARC enforcement under certain conditions. Specifically, if an inbound message is assigned a trusted Spam Confidence Level (SCL) of -1, it bypasses Microsoft’s spam filtering and, in effect, DMARC enforcement as well. This loophole can allow spoofed messages purporting to come from the organization’s own domain, such as fake CEO@company.com emails, to be delivered despite the presence of a reject policy.
EasyDMARC points to several common misconfigurations that make enterprises vulnerable, including overly broad allow lists, legacy tenant defaults, and disabled “RejectDirectSend” settings.
The advisory stresses that DMARC in Microsoft 365 is not a “set-and-forget” safeguard. Organizations must also harden their tenant configurations to ensure external DMARC enforcement and block internal forgeries. Recommended actions include:
- Enabling the hidden RejectDirectSend setting to stop unauthenticated direct-to-MX spoofing.
- Auditing allow lists to remove excessive or legacy permissions.
- Adjusting anti-phishing policies to ensure inbound mail is evaluated against senders’ DMARC policies.
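As an added illustration (not code from EasyDMARC’s advisory or from Microsoft), the following Exchange Online PowerShell audit walks the three areas above: the RejectDirectSend setting, the places where an allow list or rule can hand a message SCL -1, and whether anti-phishing policies honor the sender’s DMARC policy. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run with an account that can read tenant configuration; the cmdlet and property names are Exchange Online PowerShell as I know them, and remediation commands are left commented so the script itself only reports.

```powershell
# Added audit script; not EasyDMARC's or Microsoft's code. Read-only: it only
# writes warnings. Remediation commands are shown commented for deliberate use.

# 1. Direct Send: unauthenticated direct-to-MX mail is accepted unless rejected.
$org = Get-OrganizationConfig
if (-not $org.RejectDirectSend) {
    Write-Warning "RejectDirectSend is OFF: unauthenticated direct-to-MX mail can reach mailboxes."
    # Set-OrganizationConfig -RejectDirectSend $true   # after moving devices/apps to SMTP AUTH or a connector
}

# 2. Anything that assigns SCL -1 skips spam filtering and, per the advisory, DMARC enforcement.
$ownDomains = (Get-AcceptedDomain).DomainName

#    a) Enabled mail flow rules that set SCL -1 (review how broad their conditions are).
Get-TransportRule | Where-Object { $_.State -eq 'Enabled' -and $_.SetSCL -eq -1 } | ForEach-Object {
    Write-Warning "Rule '$($_.Name)' sets SCL -1; check that its conditions cannot be met by spoofed mail."
}

#    b) Anti-spam policy allow lists. Your own domain on an allow list is the self-spoof path
#       the advisory describes (fake CEO@company.com), so flag it separately.
Get-HostedContentFilterPolicy | ForEach-Object {
    $policy = $_
    foreach ($d in @($policy.AllowedSenderDomains)) {
        if ($ownDomains -contains "$d") {
            Write-Warning "Policy '$($policy.Name)' allow-lists your OWN domain '$d': internal spoofing bypasses filtering."
        } else {
            Write-Warning "Policy '$($policy.Name)' allow-lists external domain '$d'; confirm it is still needed."
        }
    }
    if ($policy.AllowedSenders) {
        Write-Warning "Policy '$($policy.Name)' has $(@($policy.AllowedSenders).Count) allowed sender address(es)."
    }
}

#    c) Connection filter IP allow list (mail from these IPs is also trusted).
$ipAllow = (Get-HostedConnectionFilterPolicy).IPAllowList
if ($ipAllow) { Write-Warning "Connection filter IP allow list: $($ipAllow -join ', ')" }

# 3. Anti-phishing policies must actually act on the sender's published DMARC policy.
Get-AntiPhishPolicy | ForEach-Object {
    if (-not $_.EnableSpoofIntelligence -or -not $_.HonorDmarcPolicy) {
        Write-Warning "Anti-phish policy '$($_.Name)': SpoofIntelligence=$($_.EnableSpoofIntelligence) HonorDmarcPolicy=$($_.HonorDmarcPolicy)"
        # Set-AntiPhishPolicy -Identity $_.Identity -EnableSpoofIntelligence $true `
        #     -HonorDmarcPolicy $true -DmarcRejectAction Reject -DmarcQuarantineAction Quarantine
    }
}
```

Run it from a tenant with Exchange Online PowerShell access and treat every warning as a finding to confirm in the portal; the advisory’s point is that a p=reject record alone does nothing if any of these paths still grants SCL -1.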
For email security and deliverability teams, the implications are significant. Without tenant-level configuration, spoofed traffic can undermine brand trust, trigger blocklistings, and damage sender reputation. The analysis reinforces a core industry lesson: DMARC effectiveness depends as much on correct implementation at the receiver as on policy publication by the domain owner.