Enforcing DMARC policy (reject) on an Office 365 tenant

The domain & tenant has SPF and DKIM properly configured and DMARC policy set to p=reject. Still, emails spoofed with the domain in the From header aren’t rejected, but appear in the Junk Email folder on Office 365. People do check their Junk Email for false positives, and are still reading all the CEO frauds, sextortion letters etc.

This seems a feature instead of a bug, as described in Microsoft’s documentation:

How Office 365 handles inbound email that fails DMARC

If the DMARC policy of the sending server is p=reject, EOP marks the message as spam instead of rejecting it. In other words, for inbound email, Office 365 treats p=reject and p=quarantine the same way.

Office 365 is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Office 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected.

However, this reasoning has some flaws:

  • DKIM protects legitimate mail; DKIM signed messages do pass with the DMARC policy even if it fails to align with the SPF when forwarded on a mailing list. (Mailing lists should change the envelope sender to pass SPF checks, anyway, so the SPF checks are probably passed, but not aligned.)

  • By implementing p=reject instead of p=quarantine the owner of the domain has stated that the emails should be rejected. Therefore, Microsoft’s implementation is against RFC 7489, 6.3:

    p: Requested Mail Receiver policy ...     reject:  The Domain Owner wishes for Mail Receivers to reject       email that fails the DMARC mechanism check.  Rejection SHOULD       occur during the SMTP transaction. 

Is there any setting on Office 365 to alter this behaviour and reject these messages?

How can I transfer an office 365 domain to a different tenant keeping the users’ OneDrive files?

I registered user@mydomain.com with office 365 and registered the custom domain mydomain.com.

After doing this, I noticed that several users with the same domain had previously registered, thus automatically creating a tenant, the same tenant I have been put into.

Those users have put several files on OneDrive.

my situation now is:

tenant: mydomaincom.onmicrosoft.com   added domain: mydomain.com   admin user: user@mydomain.com   other users: user1@mydomain.com, user2@mydomain.com (use OneDrive files) 

Now I’d like to move the domain to another tenant, but I need to do this without deleting or changing the username of any of the existing users.

This is what I’d like to achieve:

tenant: newdomaincom.onmicrosoft.com   added domain: mydomain.com     admin user: user@newdomain.com   other users: user1@mydomain.com, user2@mydomain.com (keep OneDrive files) 

Can’t enable external sharing in Office 365 tenant

I am trying to enable external sharing in SharePoint online. It was already sharing with external people, I tried to troubleshoot few issues, so I turned it off, then I tried to turn it on again, but now I am getting this error message:

“You can’t set the sharing capability to the level you specified, because it is a less restrictive setting than either its parent site collection or your organization.”

I am doing this by going to the SharePoint admin center, then policies and clicking on “Sharing”. I drag the sliders to “New and existing guests”, for both SharePoint and OneDrive, then when I click OK, it gives me this error. This only happened when I turned off the external sharing and turned it on again.

This happened to me on 2 different tenants, is there something wrong am doing or is it a bug?


Checking tenant information in microservices

I am currently trying my hand at a microservices architecture for the first time, and I am looking to put together a multi-tenant application built on a this architecture. Tenants are created with their own subdomain, and the tenant owner can create further user accounts linked to that tenant

I currently have the identity api set up, and was thinking of composing the rest a bit like the following:

enter image description here

The Gateways are intended to be implemented as Backend-For-Frontend and would aggregate data as necessary to satisfy the client request to that gateway.

In the identity API, I use the SaasKit middleware to check the subdomain and get tenant details. I was wondering what would be the best approach to apply this tenant discovery across the rest of the services? I am wary of creating a coupling that would undermine the autonomy of microservices. Would I do my tenant discovery in the gateways and pass the tenant ID to the microservices when requests are made to the services, should I be holding local copies of tenant information in each service, or should I use SaasKit in each service and call out to the identity API in each service to get tenant information if its not already cached?

EDIT: To add some context on to how tenants are created; The tenants are created via an API call from a separate system which provides a JWT created by a central authentication service separate to this. Users are also created this way, but the users created here are authenticated here rather than the ‘other’ authentication service

Designing single plus multi tenant web application in Django [on hold]

I am about to start working on a project, a hospital management system which is supposed to have both single tenant (single hospital) and multi tenant versions. I have been trying to work out the best design pattern for the same but unable to come to a conclusion. Below are the details, hope the learned people here can give some ideas.

Single tenant version (eg: www.hospital1.com): Hospital, doctors, patients, labs, pharmacies all present on a single platform.

Multi tenant version (eg: www.hosp-aggregator.com): Multiple hospitals, each hospital has doctors, labs and pharmacies attached to it. Patients can access any hospital (to create appointments).

I need to design this in Python Django. How do I approach this while minimizing redundancy?