When your users tells you that legitimate emails comes into their junk folder and you find out that this email has as submitted host your local exchange server.
Your senders domain: “domain.com” has an SPF record like “v=spf1 include:spf.protection.outlook.com -all” and sends you an email. The “-all” means that emails from your senders domain only can be send from the include in your senders SPF record. If you have an on-premise Exchange server and that server forward the email to your remote mailbox in Exchange Online. The email header will get the public IP of your Exchange server as submitted host and you can receive this legit email in your junk folder. Because SPF will authenticate on “smtp.mailfrom:” in the “Authentication-Result” header. With Enhanced Filtering turned on, the public IP from your Exchange server will be skipped.
- Go to https://protection.office.com/
- Treath management -> Policy -> Enhanced Filtering for Connectors
- Inbound from “your inbound conector”
- Choose: automatically detect and skip the last IP address (recommended)
- Choose: apply to a small set of users (recommended) -> First test it for a small set, for example the IT department.