Need Help with Anti-Spoofing Rules in Email Setup

Asked By CuriousCat42 On

I've recently set up an email rule to automatically delete any external emails that come from my domains. While the rule works, it is also catching emails from our external mail client that are attempting to spoof our domain. I've tried several solutions but can't allow by IP since the emails are being routed through an external mail filter. Additionally, I've made adjustments to not block if certain domain conditions are met. So far, I haven't received any assistance from vendor support. Does anyone have suggestions on how to tackle this issue?

3 Answers

Answered By HeaderHunter25 On

Have you checked if there are any specific headers in the messages that could help differentiate that external email? Sometimes, there might be something in the headers that could help you identify these emails more accurately and create an exception for them.

QuestionAsker -

Headers aren't exactly my strong suit. I'm really hoping the vendor can provide a way to whitelist based on a certain header soon.

Answered By EmailGuru99 On

Have you tried creating a rule that checks for failed SPF or DMARC in the email headers? This method can be more effective for both internal and external senders. You could set a rule to quarantine messages that show failed identity verification based on those headers. For instance, if any of the 'Authentication-Results' headers indicate an SPF failure and the message is received from outside, it can trigger a quarantine action. You can also notify the recipient about the quarantined mail with an explanation.

QuestionAsker -

That does seem like a different approach, and I see your point. If I can't resolve the current issue, that could be the next step.
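The quarantine rule EmailGuru99 describes, sketched as an added example that is not part of the original thread or of any vendor's rule engine. The domain `example.com`, the authserv-id `mx.example.com` and the sample messages are constructed assumptions; only `Authentication-Results` headers stamped by that trusted host are believed, since a sending server can add its own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAINS = {"example.com"}        # assumption: domains the rule protects
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: authserv-id our own filter stamps

def trusted_results(msg):
    """Return {method: result} from Authentication-Results headers of our own gateway."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        head, *resinfo = value.split(";")
        ident = head.split()
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV:
            continue  # stamped by another host, possibly the sender: ignore
        for part in resinfo:
            m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", part, re.I)
            if m:
                found.setdefault(m.group(1).lower(), m.group(2).lower())
    return found

def verdict(raw, external=True):
    """'quarantine' for external mail claiming our domain without a trusted pass."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not external or domain not in OUR_DOMAINS:
        return "deliver"
    res = trusted_results(msg)
    # DMARC ties the check to the From: domain; SPF alone covers only the
    # envelope sender, so it is used only when no DMARC result was recorded.
    decisive = res.get("dmarc", res.get("spf"))
    return "deliver" if decisive == "pass" else "quarantine"

def sample(from_addr, *auth_headers):
    """Build a constructed test message."""
    lines = [f"From: {from_addr}", "To: user@example.com", "Subject: test"]
    lines += [f"Authentication-Results: {h}" for h in auth_headers]
    return "\n".join(lines) + "\n\nbody\n"

VENDOR = sample("billing@example.com",
                "mx.example.com; spf=pass smtp.mailfrom=bounce.example.net; dmarc=pass header.from=example.com")
SPOOF = sample("ceo@example.com",
               "mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com")
FORGED = sample("ceo@example.com", "mail.untrusted.test; spf=pass; dmarc=pass")
OTHER = sample("alice@example.org", "mx.example.com; spf=pass; dmarc=pass")

if __name__ == "__main__":
    for name in ("VENDOR", "SPOOF", "FORGED", "OTHER"):
        print(name, verdict(globals()[name]))
```

The vendor's mail is delivered here only because it passes DMARC for the claimed domain, which in practice means the external service has to be covered by the domain's SPF record or sign with an aligned DKIM key.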

Answered By TechWhiz123 On

It sounds like your rule is functioning as intended because M365 sees any outside message claiming to be from your domain as a spoof. Unfortunately, the anti-spoofing settings don’t allow for a direct 'this spoofing is acceptable' rule. Without the ability to filter by IP, I recommend creating an inbound connector specifically for the external mail service. This will let you treat those messages as authenticated. Alternatively, you could have the vendor insert a unique header in their emails, which you can then use to bypass spam and anti-spoofing checks. Ultimately, you might also explore adjusting the external sender policy and lean on SPF and DMARC configurations instead of relying solely on blocking external senders by your domain.

QuestionAsker -

I wasn't aware they were using an external sender until I noticed messages being flagged. I'm pushing to move towards rejection based on DMARC and SPF, but I haven't gotten the approval for that yet.
