Sendmarc Microsoft 365 DMARC Reject Exchange Online Transport Rule

PowerShell Script to create an Exchange Transport Rule to automatically Reject DMARC Fail emails.

!Important!

Sendmarc provides no support for PowerShell scripts and these are executed at your own risk. 

Sendmarc takes no responsibility for any issues that this script might cause.

Please read through the code before executing the script

Please copy the contents of this script below into a TXT file and rename the file as "Sendmarc Microsoft 365 DMARC Reject Enabler.ps1"

Should the script successfully execute, a timestamped log file will be created in C:\Sendmarc\ (named after the script, e.g. Sendmarc_MS365_DMARC_Fail_Exchange_Transport_Rule_Enabler_LogFile_<timestamp>.txt)

Please review this article on how to execute a PowerShell Script:

How To Run PowerShell Scripts

Script Objective

The objective of this script is to create a DMARC reject rule on DMARC failures using an Exchange Transport Rule.

The script will prompt you to log in to MS365; please ensure the account you are logging in with has access to security.microsoft.com.

Do Not Run This Script If Your Own Domains Are Not On P=REJECT

Script Contents

#SENDMARC MS365 DMARC FAIL TRANSPORT RULE ENABLER
#Author: Brian Goosen - brian@sendmarc.com
#Usage of this Script is at your own risk.
#COPYRIGHT SENDMARC
#V2.0

#Changelog
#Added Functions to drive application flow

$hostGui = $Host.UI.RawUI
$HostGui.WindowTitle = "Sendmarc MS365 DMARC Fail Exchange Transport Rule Enabler V2.0"
$HostGui.ForegroundColor = "White"

# Check if the script is running with administrative privileges
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# If not running as admin, relaunch the script with elevated permissions
if (-not $isAdmin) {
    Write-Host "This script requires administrative privileges. Please run the script as an administrator." -ForegroundColor Cyan
    
    # Relaunch the script with elevated permissions (the path is quoted so spaces in the file name survive),
    # then exit this unelevated instance so the script does not continue running a second time
    Start-Process powershell.exe -Verb RunAs -ArgumentList "-File `"$($MyInvocation.MyCommand.Path)`""
    Exit
}

# Generate a timestamp for the log file name
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
# Create a log file path and make sure the log folder exists before the transcript starts
$logFolder = "C:\Sendmarc"
New-Item -ItemType Directory -Path $logFolder -Force | Out-Null
$logFilePath = "$logFolder\Sendmarc_MS365_DMARC_Fail_Exchange_Transport_Rule_Enabler_LogFile_$timestamp.txt"
# Start logging
Start-Transcript -Path $logFilePath

Write-Host "===============================================================" -ForegroundColor Green
Write-Host "Sendmarc MS365 DMARC Fail Exchange Transport Rule Enabler" -ForegroundColor Green
Write-Host "Author: Brian Goosen" -ForegroundColor Green
Write-Host "Email: Brian@sendmarc.com" -ForegroundColor Green
Write-Host "COPYRIGHT SENDMARC 2023" -ForegroundColor Green
Write-Host "===============================================================" -ForegroundColor Green
Write-Host "" -ForegroundColor Cyan

Write-Host "*****ONLY RUN THIS SCRIPT IF YOU ARE ON DMARC REJECT FOR ALL DOMAINS IN MS365*****" -ForegroundColor Red


function LaunchApplication {
    #Confirm Application Launch
    $title = 'Configure MS365 DMARC Reject Transport Rule'
    $question = 'Do you want to continue?'
    $choices = '&Yes', '&No'

    $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)
    if ($decision -eq 0) {
        ConnecttoMS365
        GetTransportRules
        CreateDMARCRejectTransportRule
        GetTransportRules
    }
    else {
        Write-Host "Script Aborted" -ForegroundColor Red
        Exit
    }
}

function ConnecttoMS365 {
    Write-Host "Checking if ExchangeOnlineManagement is installed" -ForegroundColor Cyan
    if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
        Write-Host "Installing ExchangeOnlineManagement Powershell Module" -ForegroundColor Cyan
        Install-Module -Name ExchangeOnlineManagement -Force -Scope CurrentUser
    }
    else {
        Write-Host "ExchangeOnlineManagement is installed" -ForegroundColor Cyan
    }

    Write-Host "Importing ExchangeOnlineManagement" -ForegroundColor Cyan
    Import-Module ExchangeOnlineManagement
    Write-Host "Connecting to MS365" -ForegroundColor Cyan
    Write-Host "Please Log into MS365" -ForegroundColor Cyan
    Connect-ExchangeOnline
    Write-Host "Connected to MS365" -ForegroundColor Cyan
}

function GetTransportRules {
    # Get all transport rules
    $TransportRules = Get-TransportRule

    Write-Host "All Transport Rules:"
    # Output the rule details
    foreach ($Rule in $TransportRules) {
        Write-Host "Rule Name: $($Rule.Name)" -ForegroundColor Cyan
        Write-Host "Enabled: $($Rule.Enabled)" -ForegroundColor Cyan
        Write-Host "Conditions: $($Rule.Conditions)" -ForegroundColor Cyan
        Write-Host "Actions: $($Rule.Actions)" -ForegroundColor Cyan
        Write-Host "---------------------" -ForegroundColor Cyan
    }
}

function CreateDMARCRejectTransportRule {
    #Confirm DMARC Reject Transport Rule Creation?
    $title = 'Create DMARC P=REJECT Transport Rule?'
    $question = 'Do you want to continue?'
    $choices = '&Yes', '&No'
    $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)
    if ($decision -eq 0) {
        Write-Host ""
        Write-Host "Please Provide an Email Address to receive incident reports" -ForegroundColor Cyan
        $IncidentReportEmail = Read-Host
        Write-Host "Creating New Exchange Transport Rule..." -ForegroundColor Cyan
        # Match the Authentication-Results header stamped by Exchange Online Protection: "action=oreject"
        # marks mail that failed DMARC under a p=reject policy but was not rejected at the gateway
        New-TransportRule -Name "Sendmarc DMARC Transport Rule P=Reject Mails Are Rejected" `
            -HeaderContainsMessageHeader "Authentication-Results" `
            -HeaderContainsWords "dmarc=fail action=o.reject", "dmarc=fail action=oreject" `
            -RejectMessageEnhancedStatusCode "5.7.1" `
            -RejectMessageReasonText "We are rejecting this email based on the Sender domain's DMARC policy. This sender/service is not properly authorized to send on behalf of this company." `
            -GenerateIncidentReport $IncidentReportEmail
        Write-Host "Transport Rule Created" -ForegroundColor Cyan
        Write-Host ""
    }
    else {
        Write-Host "Script Aborted" -ForegroundColor Red
        return
    }
}

LaunchApplication

Write-Host ""
Write-Host "==================================================" -ForegroundColor Cyan
Write-Host "Thank you for choosing Sendmarc!" -ForegroundColor Cyan
Write-Host "==================================================" -ForegroundColor Cyan


# Close the Exchange Online session (ignored if no session was opened) and stop logging
Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
Stop-Transcript
# Display the path of the log file
Write-Host "Log file created: $logFilePath"
Write-Host "Press Enter to Close This Program" -ForegroundColor Cyan
Read-Host "..."
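As an added example (not part of the Sendmarc script), the following PowerShell first checks the rule's match words against constructed Authentication-Results values locally, so you can see which messages the rule would and would not reject, and then shows a staged rollout of the same rule using Exchange's Audit mode before enforcing it. The rule name and conditions are the script's; the function names and the shorter reject reason text are assumptions of this example.

```powershell
# Local dry run of the rule's "header contains words" condition, using the same
# match words the Sendmarc script passes to -HeaderContainsWords. Exchange word
# matching is case-insensitive, so -like (also case-insensitive) mirrors it here.
$MatchWords = @('dmarc=fail action=o.reject', 'dmarc=fail action=oreject')
$RuleName   = 'Sendmarc DMARC Transport Rule P=Reject Mails Are Rejected'

function Test-DmarcRejectMatch {
    param([Parameter(Mandatory)][string]$AuthenticationResults)
    foreach ($word in $MatchWords) {
        if ($AuthenticationResults -like "*$word*") { return $true }
    }
    return $false
}

# Constructed sample Authentication-Results values (not captured from a tenant).
# Only the 'oreject' case is affected: p=quarantine and passing mail are untouched.
$Samples = @(
    'spf=fail smtp.mailfrom=example.test; dkim=none; dmarc=fail action=oreject header.from=example.test',
    'spf=fail smtp.mailfrom=example.test; dkim=fail; dmarc=fail action=quarantine header.from=example.test',
    'spf=pass smtp.mailfrom=example.test; dkim=pass; dmarc=pass action=none header.from=example.test'
)
foreach ($sample in $Samples) {
    $verdict = if (Test-DmarcRejectMatch -AuthenticationResults $sample) { 'REJECT' } else { 'deliver' }
    Write-Host ("{0,-8} {1}" -f $verdict, $sample)
}

# Staged rollout (requires an active Connect-ExchangeOnline session): create the
# rule with the script's conditions but in Audit mode, where Exchange evaluates
# and logs the rule without applying the reject action; review message trace,
# then promote the existing rule to Enforce.
function New-DmarcRejectRuleAudit {
    param([Parameter(Mandatory)][string]$IncidentReportEmail)
    New-TransportRule -Name $RuleName `
        -HeaderContainsMessageHeader 'Authentication-Results' `
        -HeaderContainsWords $MatchWords `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -RejectMessageReasonText 'Rejected: the sender domain DMARC policy is p=reject.' `
        -GenerateIncidentReport $IncidentReportEmail `
        -Mode Audit
}

function Enable-DmarcRejectRuleEnforcement {
    # Confirm the rule exists and is still in Audit mode before promoting it
    $rule = Get-TransportRule -Identity $RuleName -ErrorAction Stop
    if ($rule.Mode -ne 'Audit') { throw "Rule '$RuleName' is in mode '$($rule.Mode)', not Audit" }
    Set-TransportRule -Identity $RuleName -Mode Enforce
}
```

Run the first half anywhere to see the match decisions; the two rollout functions need the same Exchange Online session the script opens with Connect-ExchangeOnline.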

Need Help?

Sendmarc does not provide any support for PowerShell scripts; they are run at your own risk.