Creating Microsoft 365 Transport Rule to Quarantine Unauthorized Inbound Emails

Domain owners use DMARC reports to instruct receiving mailboxes to quarantine or reject emails from unauthorized IP addresses. This helps minimize the possibility of victims engaging with potentially fraudulent emails sent on the pretext of official conversation from your company. 

However, Microsoft works a bit differently!

Microsoft doesn’t reject emails because it considers the instances of false positives. In simpler words, sometimes genuine emails don’t pass DMARC checks and get marked as suspicious; so if such messages are rejected, genuine conversations will get hampered. Instead, Microsoft places them in spam folders so that there is still some chance that recipients will check the spam folders and pull such emails out to inboxes. 

Creating Transport Rule to Quarantine Unauthorized Inbound Emails From Internal Domains

In this scenario, the internal domains in the From address receive emails. This practice registers conversations into the quarantine folders of the desired recipients instead of placing them in primary inboxes. The check passes when the From field is exactly the same as your domain. The regulation also confirms if the DMARC check has failed for that email to understand what action has to be taken. 

It’s highly recommended that this rule be enforced on a small restricted user base before making it a domain-wide criterion. In this manner, potential issues during the testing phase will not adversely affect your entire email infrastructure. It is crucial for all authorized senders to successfully navigate DMARC to prevent legitimate emails from being flagged by mailboxes.

Image sourced from glockapps.com

These are the steps you need to follow-

1. Login with your credentials to access the Exchange Online admin center.
2. Navigate to ‘Mail Flow’ and choose ‘Rules’ from the menu.
3. Click the ‘Add’ icon and select ‘Create a New Rule.’
4. Modify the ‘Match sender address in the message’ to ‘Header.’
5. In the ‘Apply this rule if…’ field, choose the desired condition from the drop-down menu. In this case, set the rule for instances where the DMARC authentication result is ‘fail,’ and the ‘From’ domain exactly matches your own domain.
6. In the ‘Do the following…’ field, select the action as ‘Deliver the message to the hosted quarantine.’
7. Save the changes by clicking ‘Save.’

Creating Transport Rule to Quarantine Unauthorized Inbound Emails From External Domains

If you receive messages from external domains, we suggest you set a disclaimer, cautioning about potential phishing and spoofing attempts. This precaution is all the more important for external domains that don’t pass SPF and DKIM checks, offering a more nuanced approach than rejecting emails. This is important as improperly configured protocols often result in failed authentication checks for genuine emails.

Follow these steps:

1. Access your Exchange Online admin center using your login credentials.
2. Go to ‘Mail Flow’ and choose ‘Rules.’
3. Click the ‘Add’ icon to create a new rule.
4. Modify the ‘Match sender address in message’ to ‘Header.’
5. In the ‘Apply this rule if…’ field, select the condition from the drop-down menu. For instance, set the rule for cases where the DMARC authentication result is ‘fail’ and the ‘From’ domain exactly matches your own domain.
6. In the ‘Do the following…’ field, choose the action ‘Prepend the disclaimer’ and insert your desired disclaimer.
7. Optionally, add an exception to the rule, such as when the “From” header matches your domain name.
8. Save the changes by clicking ‘Save.’

Steps to Make Microsoft 365 Transport Rule to Reject Unauthorized Inbound Emails

1. Access your Exchange Online admin center by using your login credentials.
2. Navigate to ‘Mail Flow‘ and choose ‘Rules.’
3. Click on the ‘Add’ icon, then select ‘+Add a rule.’
4. Choose ‘Create a new rule’ from the drop-down menu.
5. Name your rule.
6. Under “Apply this rule if,” select “the message headers include any of these words.”
7. Click ‘Enter Text’ and choose ‘Authenticated results.’
8. Click ‘Enter words’ and choose your preferred option(s), or select all available options.
9. Under ‘Do the following,’ choose ‘Block the message.’
10. Opt for “Reject the message and include an explanation.”
11. Save the email flow rule and allow some time for it to propagate throughout the internet.
12. You’re finished.

What Else to Take Care of?

• Start by checking if your domain’s SPF and DKIM records are accurately configured. Please don’t forget that DMARC’s effectiveness relies on these two protocols only.
• We emphasize that you choose to receive DMARC aggregate and forensic reports, as they provide valuable insights into email activity from your domain and aid in the identification of potential threats.
• Start by implementing the ‘none’ policy, as it’s the most relaxing one and helps with monitoring. 
• Gradually move to stricter policies; start with the ‘quarantine’ policy and let it be deployed until you gain the confidence to reject all unauthorized emails; this confidence is difficult to come by due to occurrences of false positives.
• Don’t underestimate the importance of running your SPF, DKIM, and DMARC records through analyzing tools.