--- title: "Microsoft Announces New DMARC Policy Handling Defaults for Enhanced Email Security | DMARC Report" description: "DMARC has been an efficient email authentication tool for a long time, providing reliable email security for numerous users." image: "https://dmarcreport.com/og/blog/microsoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security.png" canonical: "https://dmarcreport.com/blog/microsoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security/" --- Quick Answer DMARC has been an efficient email authentication tool for a long time, providing reliable email security for numerous users. However, Microsoft had not been leveraging its capabilities for its email users until recently. With a new announcement recently, In an effort to \[prevent phishing\](https://dmarcreport.com/blog/phishing-smishing-vishing-everything-you-need-to-know/) and other email-based threats such as spoofing, Microsoft has made the conscious decision to respect the DMARC policy settings of its email users. This step will drastically bolster the email security of its users, providing a Related: [Free DMARC Checker](/tools/dmarc-checker/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fmicrosoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Microsoft%20Announces%20New%20DMARC%20Policy%20Handling%20Defaults%20for%20Enhanced%20Email%20Security&url=undefined%2Fblog%2Fmicrosoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fmicrosoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fmicrosoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security%2F&title=Microsoft%20Announces%20New%20DMARC%20Policy%20Handling%20Defaults%20for%20Enhanced%20Email%20Security "Share on Reddit") [ ](mailto:?subject=Microsoft%20Announces%20New%20DMARC%20Policy%20Handling%20Defaults%20for%20Enhanced%20Email%20Security&body=Check out this article: undefined%2Fblog%2Fmicrosoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security%2F "Share via Email") ![Microsoft Announces New DMARC Policy Handling Defaults for Enhanced Email Security](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-record-6071.jpg) ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users.[DMARC](https://dmarcreport.com/) has always been a robust email authentication tool. Microsoft’s latest announcement honoring senders’ \*\*DMARC policy settings is a significant step in enhancing email security for Microsoft email users. DMARC has been an efficient \*\*email authentication tool for a long time, providing reliable email security for numerous users. However, Microsoft had not been leveraging its capabilities for its email users until recently. With a new announcement recently, In an effort to [prevent phishing](https://dmarcreport.com/blog/phishing-smishing-vishing-everything-you-need-to-know/) and other email-based threats such as spoofing, Microsoft has made the conscious decision to respect the DMARC policy settings of its email users. This step will drastically bolster the email security of its users, providing a stronger line of defense against malicious activities. > DMARC reporting without automation is like watching security cameras without recording, says Brad Slavin, General Manager of DuoCircle. You see the threats in real time but you can’t go back and investigate. DMARC Report captures and classifies every aggregate and forensic report so your security team has a complete audit trail. ## What is DMARC? DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an efficient email authentication tool used widely. _It enables senders of emails to instruct servers what to do with emails sent purportedly from their domain names but fail authentication._ Thus, users can enhance their email security with [DMARC authentication](https://dmarcreport.com/what-is-dmarc/) to protect their valuable information from spoofing and phishing attempts by malicious actors. As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition. ## What is a DMARC Policy? A [DMARC policy](https://dmarcreport.com/blog/dmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain/) is part of a DMARC setup that instructs the servers on what action to take concerning the **emails that fail authentication**. There are three significant policies: - \*\*_p=none:_ The server performs \*\*no restrictive measures on the unauthenticated email. - \*\*_p=quarantine:_ The server will neither allow the unauthenticated email to enter the inbox nor reject it entirely but will move it into the spam folder instead. - \*\*_p=reject:_ The \*\*server will reject the unauthenticated email. ![Dmarc analyzer](https://media.mailhop.org/dmarcreport/images/2023/08/dmarc-analyzer-34.jpg) ## About Microsoft’s New DMARC Policy Handling Announcement On July 19, 2023 , Microsoft [announced](https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dmarc-policy-handling-defaults-for-enhanced-email/ba-p/3878883) its change of rule in handling the DMARC policies of its users who use Microsoft email services to send emails. Previously, Microsoft treated the ‘p=reject’ policy set by its users [as the same as](https://blog.redsift.com/email/dmarc/microsoft-announces-its-new-handling-of-dmarc-policies/) the ‘p=quarantine’ policy. It means that even if the users request to reject emails that don’t pass DMARC authentication, Microsoft would not reject it and instead only quarantines it and moves it to the junk or spam folder. It means that the email still enters the receiver’s email account spaces. However, the new DMARC policy handling defaults announced by Microsoft state that it will hereafter \*\*reject all emails that fail DMARC authentication if the policy is set to either ‘p=reject’ or ‘p=quarantine.’ Nevertheless, the new rule will not work by default if the [MX record](https://manuals.gfi.com/en/kerio/connect/content/server-configuration/mail-delivery-and-dns-records/what-is-an-mx-record-and-how-is-it-created-1210.html) in the tenant recipient’s domain refers to a third-party email security service. The user can, however, overcome it by activating ‘ enhanced filtering for connectors .’ ## Implications for Consumer and Enterprise Users The new DMARC policy handling rule by Microsoft \*\*works slightly differently for consumer users and enterprise users: ## Implication for Consumer Users For consumer users who use Microsoft email services like [MS Outlook](https://dmarcreport.com/blog/microsoft-outlook-rolls-out-its-new-authenticator-lite-feature-for-ios-and-android-users/), Live, or Hotmail, any email failing DMARC authentication will be rejected summarily if the DMARC policy is set to either ‘p=reject’ or ‘p=quarantine.’ \_Thus, **even for the ‘p=quarantine’ policy**, the unauthenticated email will not even enter the junk or spam box of the recipient. \_Instead, it will be entirely prevented from entering the email storage, thus eliminating even the minutest chances of malicious infiltration from [threat actors](https://cybernews.com/news/microsoft-hunt-threat-actors-malvertising/). ## Implication for Enterprise Users The new rule will allow [enterprise users](https://cybersecuritynews.com/aitm-phishing-attack/) to \*\*choose whether to reject or quarantine an email that fails DMARC authentication. It will be based on whether the policy is set for ‘p=reject’ or ‘p=quarantine,’ respectively. ## How Does the New Reform Enhance Email Security? DMARC is a robust email authentication tool. However, previously, Microsoft used to ignore the DMARC policy settings by users and relied on its security settings. Hence, even if Microsoft users relied on DMARC, they would not receive any benefit from it. However, with the new announcement. Microsoft has decided to \*\*honor the DMARC policy set by a sender \*\*to reject an email that fails authentication. This new move will increase the number of rejected emails that do not pass DMARC authentication. While earlier, many emails used to enter at least the spam folder, the new rule will entirely reject such emails and prevent them from entering any section of the user’s email storage. Thus, [Microsoft security](https://cionews.co.in/ltimindtree-to-leverage-microsoft-security-product/), combined with DMARC security, is geared up to significantly enhance its **users’ total email security**. ![What is dmarc](https://media.mailhop.org/dmarcreport/images/2023/08/what-is-dmarc-3857.jpg) ## Final Words [DMARC tools](https://dmarcreport.com/tools/dmarc-checker/) have been a proven solution for efficient [email authentication](https://dmarcreport.com/blog/spf-vs-dkim-vs-dmarc-difference-explained-2026/). Now with the new DMARC policy handling defaults from Microsoft, email users can be assured of their email security getting significantly enhanced. It will result in \*\*better rejection rates of unwanted emails and protect the users from malicious threats like spoofing and phishing to a much larger extent. ## Sources - [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) - [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025) - [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025) - [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489) ## Topics [ DMARC ](/tags/dmarc/)[ dmarc record policy ](/tags/dmarc-record-policy/)[ email security ](/tags/email-security/)[ News ](/tags/news/) ![Vishal Lamba](https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg) [ Vishal Lamba ](/authors/vishal-lamba/) Content Specialist Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs. [LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 4m Akira flaunts victims, Idaho targets orthodontist, AI granny protects Nov 22, 2024 ](/blog/akira-flaunts-victims-idaho-targets-orthodontist-ai-granny-protects/)[ Foundational 4m Alternatives to DMARCLY's Blog Section for Learning About Email Authentication and DMARC Nov 6, 2023 ](/blog/alternatives-to-dmarclys-blog-section-for-learning-about-email-authentication-and-dmarc/)[ Foundational 4m Ambient Light Spying, Cybersecurity Prices Drop, Euro 2024 Threats Jul 10, 2024 ](/blog/ambient-light-spying-cybersecurity-prices-drop-euro-2024-threats/)[ Foundational 4m Banks Drop OTPs, Major Cyber Heist, Spying Spouses Arrested Jul 18, 2024 ](/blog/banks-drop-otps-major-cyber-heist-spying-spouses-arrested/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Microsoft Announces New DMARC Policy Handling Defaults for Enhanced Email Security","description":"DMARC has been an efficient email authentication tool for a long time, providing reliable email security for numerous users.","url":"https://dmarcreport.com/blog/microsoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security/","datePublished":"2023-08-11T11:17:25.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2023-08-11T11:17:25.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://dmarcreport.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes DMARC Report's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF and DMARC errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/microsoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security/"},"articleSection":"foundational","keywords":"DMARC, dmarc record policy, email security, News","wordCount":919,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-record-6071.jpg","caption":"Microsoft Announces New DMARC Policy Handling Defaults for Enhanced Email Security","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Microsoft Announces New DMARC Policy Handling Defaults for Enhanced Email Security","item":"https://dmarcreport.com/blog/microsoft-announces-new-dmarc-policy-handling-defaults-for-enhanced-email-security/"}]} ```