Why Does This SPF Rule Quarantine Emails Instead of Rejecting Them?

Asked By TechWhiz2023 On

I've noticed that our transport rule in the Exchange Online Admin Center for handling impersonation emails is set to quarantine emails marked with 'spf=softfail' or 'spf=fail' from outside our organization. During a recent 30-day review, I found that no legitimate business emails were being caught by this rule, leading me to question its necessity. Given that we're seeing around 2,000 emails daily processed by this rule, could someone explain why we keep quarantining instead of outright rejecting these emails? Is there a valid concern about potential false positives? Any insights on why this approach is taken would be greatly appreciated, and I'm open to critiques on my thoughts.

2 Answers

Answered By EmailSleuth42 On

I'm confused about this rule. It seems like using 'spf=softfail' indicates a quarantine signal. If your domain is 'company.com', which I gather is you, then isn't this rule overly cautious? It sounds like it might have been a workaround for an SPF issue, possibly after a breach on a third-party service.

TechWhiz2023 -

Just to clarify, yes, 'company.com' is our domain. We don’t enforce DMARC for now, which is part of the reason this rule exists, to target impersonation emails more effectively.

Answered By EmailGuardian88 On

In our experience, we've opted to keep emails going to quarantine rather than rejecting them outright. This approach provides valuable insight into potential issues. For instance, a high-ranking executive might accidentally use their personal email for important messages, and having those quarantined allows you to investigate and explain the situation. We only reject emails if the sending domain's DMARC policy is set to reject, so quarantining gives a layer of protection and tracking that outright rejection lacks.

CuriousCat76 -

That makes sense! Having a backup to pull from could definitely help in those tricky situations.
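
An added example, not part of any post above: a Python sketch that replays the logic discussed in this thread over `Authentication-Results` header values, quarantining on `spf=softfail` or `spf=fail` and rejecting only when the From domain publishes a DMARC `reject` policy. The sample headers, the `example.net` domain, the policy table (a stand-in for a DNS lookup), the function names and the extra requirement that DMARC itself failed before rejecting are assumptions made for illustration.

```python
import re
from collections import Counter

# Picks out method=result pairs (spf=softfail) and the identities beside them.
_FIELD = re.compile(
    r"\b(spf|dkim|dmarc|smtp\.mailfrom|header\.from)=([^\s;()]+)", re.I)

# Constructed Authentication-Results values, not taken from real mail.
SAMPLE_HEADERS = [
    "spf=softfail (sender IP is 203.0.113.5) smtp.mailfrom=company.com; "
    "dkim=none (message not signed) header.d=none; dmarc=fail header.from=company.com",
    "spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=example.net; "
    "dkim=none header.d=none; dmarc=fail header.from=example.net",
    "spf=pass (sender IP is 203.0.113.20) smtp.mailfrom=example.net; "
    "dkim=pass header.d=example.net; dmarc=pass header.from=example.net",
    # Forwarded mail: SPF breaks, but an aligned DKIM signature keeps DMARC passing.
    "spf=fail (sender IP is 203.0.113.44) smtp.mailfrom=example.net; "
    "dkim=pass header.d=example.net; dmarc=pass header.from=example.net",
]

# Constructed stand-in for looking up each domain's published DMARC policy.
PUBLISHED_POLICY = {"company.com": "none", "example.net": "reject"}

def parse_auth_results(value):
    """Return a dict such as {'spf': 'softfail', 'header.from': 'company.com'}."""
    fields = {}
    for key, val in _FIELD.findall(value):
        fields.setdefault(key.lower(), val.lower())  # first occurrence wins
    return fields

def disposition(value, published_policy):
    """Return 'deliver', 'quarantine' or 'reject' for one header value."""
    f = parse_auth_results(value)
    if f.get("spf") not in ("softfail", "fail"):
        return "deliver"                      # the rule does not match
    policy = published_policy.get(f.get("header.from", ""), "none")
    # Assumption: reject only when the domain owner asked for it AND DMARC failed.
    if policy == "reject" and f.get("dmarc") == "fail":
        return "reject"
    return "quarantine"                       # keep a copy for review

def tally(headers, published_policy):
    """Count dispositions, e.g. to size a quarantine queue over a review window."""
    return Counter(disposition(h, published_policy) for h in headers)

if __name__ == "__main__":
    print(tally(SAMPLE_HEADERS, PUBLISHED_POLICY))
```

The fourth sample is the case a blanket reject on SPF failure would lose: forwarded mail that fails SPF while still passing DMARC through DKIM.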
