Improve DMARC for Microsoft?

With Cloudflares new DMARC management, it shows a DMARC pass of only 56% from Microsoft. Is there a way to improve this number? Google is 88.4% and Sendgrid is 100% (our newsletter). I tried sending an email to someone with a microsoft setup and received: Message Blocked ; 550 5.4.1 Recipient address rejected: Access denied.

That would mean you should dig deeper, as either:

  1. 44% of your messages, that you send through Microsoft, has not been configured properly with domain authentication (e.g. DKIM, SPF), including proper alignment as required by DMARC.

  2. (Up to) 44% of your messages, have been modified or altered in transit, perhaps due to email forwarders in the chain, which have rendered previously valid DKIM, SPF or domain alignment invalid.

  3. 44% of the messages that claims to be from your domain, sent through Microsoft, have been spoofed / are fake, and NOT actually from your organisation, and DMARC works perfectly fine, and is supposed to say, e.g. 56% for Microsoft.

If the 44% that doesn’t pass DMARC is actually from your own organisation, you need to look in to the domain authentication (and alignment) and make sure that it conforms to DMARC through the organisation you send your (legitimate) messages through.

Fake or spoofed messages, as mentioned in #3 above, is nothing that you can control, and they will actually be reducing the number, when/if such stuff happens.

Depending on the address you send to, the address you send to could have been created as an email group / email list, which only allows members from within their wn organisation to send to it, which could be one of many potential reasons, why you’re seeing that “Recipient address rejected: Access denied.” message.

That email rejection may not even be related to the above enquiries regarding DMARC.

Where exactly are you sending the initial message from, when you see that rejection?

1 Like