How do you fix “dmarc=fail action=oreject”?
Updated July 3, 2026
This header means the message failed DMARC against a p=reject policy, and Microsoft chose to override the reject (“oreject”), delivering it to junk or quarantine instead of bouncing it.
Why this happens
Microsoft 365 historically didn't honor p=reject literally. Instead of refusing the message, it marks it dmarc=fail action=oreject (override-reject) and routes it to junk or quarantine, on the reasoning that legitimate mail, especially forwarded mail, fails DMARC often enough that hard rejection loses real messages. Tenants can change this behavior in their anti-phishing policies, but oreject is the classic default.
The message still genuinely failed DMARC: neither SPF nor DKIM passed with a domain aligned to the From address. If this is your own mail showing oreject in someone's Microsoft tenant, you have an authentication gap: an unauthenticated sending source, a broken DKIM signature, or an alignment mismatch such as a bounce domain that doesn't match your From domain.
Microsoft also stamps a composite authentication verdict, compauth, in the same header. compauth=fail with reason=000 or 001 means explicit DMARC failure; reason=1xx codes mean the message passed or was allowed; 6xx/7xx mean tenant rules overrode the verdict. Reading compauth alongside action=oreject tells you whether Microsoft junked the mail for DMARC or for something else.
How to fix it
1. Read the full Authentication-Results header
Get the headers from a message that shows action=oreject and note three things: the SPF result and domain, the DKIM result and domain, and the compauth reason code. This tells you which mechanism failed and whether alignment was the problem.
2. Check whether the mail is even yours
If the oreject mail is spoofing (someone forging your domain), then this is your p=reject policy working, softened by Microsoft to junk. Nothing to fix on your side; your aggregate reports will show the offending source IPs.
3. Fix alignment for legitimate sources
For your own mail failing: make sure the sending service signs DKIM with your domain (not the provider's default like sendgrid.net), and that the SPF-checked bounce domain aligns with your From domain. Aligned DKIM is the priority: it survives forwarding, which is where most oreject noise comes from.
4. Handle forwarding and mailing lists
Forwarded mail breaks SPF and often DKIM, so it fails DMARC no matter what you do. If a specific partner's tenant junks your forwarded mail, their admin can whitelist the forwarder or rely on ARC; you can't fix third-party forwarding from your DNS.
5. Verify with your DMARC reports
Confirm your fix in aggregate reports: the source should flip to DKIM-aligned pass. Run your domain through our DMARC report analyzer to see pass rates per source rather than guessing from individual headers.
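Step 1 as a script, added here as an illustration and not DMARCPath's or Microsoft's code: it parses an Authentication-Results value and reports, for SPF and DKIM, whether each passed with a domain aligned to the From address, alongside the DMARC action and compauth reason. The sample header is constructed, and the two-label organizational-domain shortcut in org_domain is an assumption.

```python
import re

# Constructed sample, laid out the way Microsoft 365 stamps inbound mail.
SAMPLE = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.mailer.example; "
    "dkim=pass (signature was verified) header.d=mailer.example; "
    "dmarc=fail action=oreject header.from=example.com; "
    "compauth=fail reason=000"
)

def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc, compauth) to its result and properties."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop parenthesised comments
    methods = {}
    for clause in value.split(";"):
        pairs = re.findall(r"([\w.]+)=(\S+)", clause.lower())
        if pairs:
            (method, result), props = pairs[0], pairs[1:]
            methods[method] = {"result": result, **dict(props)}
    return methods

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Real relaxed alignment needs the Public Suffix List (co.uk and similar).
    return ".".join(domain.strip(".").split(".")[-2:])

def mechanism_status(method, prop, methods, from_domain):
    """'aligned', 'unaligned', or the non-pass result the receiver recorded."""
    entry = methods.get(method, {})
    if entry.get("result") != "pass":
        return entry.get("result", "missing")
    domain = entry.get(prop, "").rsplit("@", 1)[-1]  # mailfrom may be an address
    same_org = org_domain(domain) == org_domain(from_domain)
    return "aligned" if domain and same_org else "unaligned"

def triage(value):
    """Collect the three things step 1 asks for, plus the DMARC action."""
    m = parse_auth_results(value)
    from_domain = m.get("dmarc", {}).get("header.from", "")
    return {
        "from": from_domain,
        "action": m.get("dmarc", {}).get("action"),
        "spf": mechanism_status("spf", "smtp.mailfrom", m, from_domain),
        "dkim": mechanism_status("dkim", "header.d", m, from_domain),
        "compauth": m.get("compauth", {}).get("result"),
        "reason": m.get("compauth", {}).get("reason"),
    }
```

On the sample, both SPF and DKIM report "unaligned": each mechanism passed, but for the provider's domain rather than the From domain, which is the alignment mismatch step 3 addresses.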
Verify the fix
Run the check that corresponds to this error. You'll see the same red/amber/green verdicts mailbox providers effectively apply.
Open the DMARC report analyzer →
Preventing it next time
action=oreject is easy to miss because nothing bounces: your mail just quietly lands in junk folders across Microsoft tenants. DMARCPath monitors your aggregate reports and alerts you when a legitimate source starts failing DMARC, so you see the authentication gap the day it opens instead of weeks later when a customer says your quotes stopped arriving.
Frequently asked questions
- Does oreject mean Microsoft ignored my p=reject policy?
  Partly. Microsoft downgraded your reject to junk/quarantine rather than refusing the message. Tenant admins can configure their anti-phishing policy to honor p=reject with a hard reject instead.
- What's the difference between oreject and pct or sp overrides?
  pct= and sp= are overrides you set in your own DMARC record. oreject is the receiver overriding your policy at their end. You can't control it from DNS; you can only make sure legitimate mail passes DMARC so the verdict never applies.
- What does compauth=fail reason=001 mean?
  Composite authentication failed because the message explicitly failed DMARC with a reject or quarantine policy. Reason codes starting 6 or 7 mean tenant transport rules or policies overrode the result instead.