Tons of DMARC failures on new tenant
Posted by ddiggler15@reddit | sysadmin | 7 comments
We just migrated to a brand new tenant with tighter spam/phishing rules. One new rule is we’re rejecting DMARC failures, like we should. However, we are straight up blocking 1000s of messages now. Some we’re tracing back to Microsoft IPv6 blocks that seem to be in the sender’s SPF records. Are we missing something? Besides lowering security I don’t see anything to do. So far we’ve held the higher-ups back by saying it’s the sender’s fault, but that’s not going to last too much longer.
Gtapex@reddit
I can’t tell if you’re talking about inbound or outbound email traffic.
power_dmarc@reddit
Use Phased Approach:
Identify & Monitor: Enable DMARC reports, check Microsoft IPv6 SPF, verify internal mail auth.
Reduce False Positives: Switch to p=quarantine, whitelist verified senders, use Advanced Delivery policies.
Enforce & Optimize: Gradually revert to p=reject, educate failing senders, enable Microsoft DMARC overrides.
By following this phased approach, you can ensure that legitimate emails are not blocked while maintaining security.
Usual_Highway_6154@reddit
Hey, hope you are well! Could you please advise: have you moved to a DMARC reject policy? You mention the failures of SPF; this is quite common! SPF is just IP address validation; however, when forwarding occurs it does break. DKIM is a much stronger authentication mechanism and can handle forwarding without breaking authentication. If you moved directly to DMARC reject, I would suggest moving back to a policy of none, monitoring your reports, and ensuring all valid services are correctly authenticated with SPF and DKIM. A reporting tool that you could use is Dmarclytics.io
jstuart-tech@reddit
If you have suddenly turned on DMARC in p=reject with no testing, you're gonna have a bad time.
Don't go straight to reject, DMARC is a process!
In your Anti-Phishing settings set this
Microsoft also has a great infographic on DMARC troubleshooting
https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure#troubleshooting-dmarc
MalletNGrease@reddit
You really should've run an aggregate service to do some analysis, then run quarantine for a while for results prior to moving to rejection. I've used Valimail for this.
I'm still seeing tons of SPF failures for items within configured SPF records, but a DKIM record produces a DMARC pass. This mostly affects mail coming from high-volume mail service providers.
Add DKIM keys.
BbqLurker@reddit
DMARC none = take no action. DMARC fail = honor DMARC record.
What is your DKIM policy set to? The vast majority of small to midsize companies don’t have DKIM configured. Hell, a lot of large ones don’t. You should just let DKIM failures through and rely on the expanded SPF alignment check for passing DMARC.
lolklolk@reddit
Are you rejecting/quarantining if they have a corresponding DMARC policy, or just blocking on DMARC failure, period? Because if it's the latter, don't do that.
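
The points raised across the replies (SPF failing on forwarded mail while an aligned DKIM signature still gives a DMARC pass, and enforcing only the policy the sender actually publishes) are shown here as an added example that is not part of the thread. The function names, the placeholder domains and the two-label organizational-domain shortcut are assumptions, and the `pct` and `sp` tags are ignored.

```python
def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tags, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(auth_domain, from_domain, strict):
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, spf, dkim, dmarc_txt):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    Returns (dmarc_result, disposition)."""
    tags = parse_dmarc_record(dmarc_txt or "")
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "deliver")  # sender publishes no policy: nothing to enforce
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf") == "s")
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim") == "s")
                  for res, d in dkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return ("pass", "deliver")
    # On failure, apply only what the sender asked for in p=.
    policy = tags["p"].lower()
    return ("fail", policy if policy in ("quarantine", "reject") else "deliver")

# Constructed cases; all domains are placeholders.
CASES = {
    "forwarded, DKIM intact": ("example.com", ("fail", "example.com"),
                               [("pass", "example.com")], "v=DMARC1; p=reject"),
    "forwarded, no DKIM, p=none": ("example.com", ("fail", "example.com"),
                                   [], "v=DMARC1; p=none"),
    "forwarded, no DKIM, p=reject": ("example.com", ("fail", "example.com"),
                                     [], "v=DMARC1; p=reject"),
    "ESP bounce domain, no DKIM": ("example.com", ("pass", "bounce.esp.example.net"),
                                   [], "v=DMARC1; p=quarantine"),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name}: {evaluate(*args)}")
```

The last case is the one high-volume senders hit most often: SPF passes for the provider's bounce domain, but that domain is not aligned with the From domain, so only an aligned DKIM signature can produce a DMARC pass.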