From 8c8190bc95229b0acdd9bfc59f2e972e7d29ce36 Mon Sep 17 00:00:00 2001
From: puneethmeister <3039750+puneethmeister@users.noreply.github.com>
Date: Thu, 27 Jul 2023 00:57:05 +0530
Subject: [PATCH] Update anti-phishing-policies-about.md

---
 defender-office-365/anti-phishing-policies-about.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/defender-office-365/anti-phishing-policies-about.md b/defender-office-365/anti-phishing-policies-about.md
index cd4dde57d2..b0fbb01d9f 100644
--- a/defender-office-365/anti-phishing-policies-about.md
+++ b/defender-office-365/anti-phishing-policies-about.md
@@ -142,7 +142,9 @@ The relationship between spoof intelligence and whether sender DMARC policies ar
 |&nbsp;|Honor DMARC policy On|Honor DMARC policy Off|
 |---|---|---|
 |**Spoof intelligence On**|Separate actions for implicit and explicit email authentication failures: <ul><li>Implicit failures use the **If the message is detected as spoof by spoof intelligence** action the anti-phishing policy.</li><li>Explicit failures for `p=quarantine` and `p=reject` DMARC policies use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** and **If the message is detected as spoof and DMARC policy is set as p=reject** actions in the anti-phishing policy.</li></ul>|The **If the message is detected as spoof by spoof intelligence** action in the anti-phishing policy is used for both implicit and explicit email authentication failures. In other words, explicit email authentication failures ignore `p=quarantine` and `p=reject` in the DMARC policy.|
-|**Spoof intelligence Off**|Implicit email authentication checks aren't used. Explicit email authentication failures for `p=quarantine` and `p=reject` DMARC policies use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** and **If the message is detected as spoof and DMARC policy is set as p=reject** actions in anti-phishing policies.|Implicit email authentication checks aren't used. Explicit email authentication failures for `p=quarantine` DMARC policies are quarantined, and failures for `p=reject` DMARC policies are rejected.|
+|**Spoof intelligence Off**|Implicit email authentication checks aren't used. Explicit email authentication failures for `p=quarantine` and `p=reject` DMARC policies use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** and **If the message is detected as spoof and DMARC policy is set as p=reject** actions in anti-phishing policies.|Implicit email authentication checks aren't used. Explicit email authentication failures for `p=quarantine` DMARC policies are quarantined, and failures for `p=reject` DMARC policies are quarantined.|
+
+Note: If the tenant recipient domain's MX record points to a different email security solution that sits in front of Office 365, then 'Honor DMARC' will not be applied because the information about the sending infrastructure is likely affected by the complex mail flow routing.  However, if enhanced filtering for connectors is enabled, we do apply “Honor DMARC” even when MX is pointed to 3rd party, and it will be treated as normal incoming message.
 
 ### Unauthenticated sender indicators