Unwanted SPF fails in the junk folder

Keep SPF fails away from the user’s junk folder!


Root cause

By default, SPF fails do not automatically land in quarantine in Exchange Online. I recently had a case where users were getting SPF fails in their junk folder and the sending domain only had an active SPF record. Of course, you would assume that with the -all (hard fail) qualifier, the receiving server will not let messages through if they are sent from an unauthorized server. However, each mail server handles SPF fails differently.

Solution

You can enable some features in the ATP anti-spam and anti-phishing settings to send SPF fails from external and internal (spoofing) domains to the quarantine, without using a mail flow rule.

Internal domains

For internal domains, you can enable spoof intelligence in the ATP anti-phishing policies.

  • Log in at: https://protection.office.com/antiphishing
  • Open your policy (default or custom)
  • Go to “Spoof”, edit and enable it (if not already enabled).
  • Actions
    • If email is sent by someone who’s not allowed to spoof your domain
      • Quarantine the message

External domains

For external domains, you can turn on “SPF record: hard fail” in the anti-spam policy.

  • Log in at: https://protection.office.com/antispam
  • Edit “Default spam filter policy (always ON)” or your custom policy.
  • Go to “Spam properties”
  • Under “Mark as spam”
  • Toggle on “SPF record: hard fail”

Now SPF hard fails will get the HSPAM (High confidence spam) label in the Protection Policy Category from the Forefront Antispam Report Header.

  • Back to the spam filter policy
  • Open Spam and bulk actions
  • High confidence spam
    • Quarantine the message
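
To confirm the setting took effect, you can check the headers of a delivered or released message. The script below is an added example, not part of the original post: it reads the SPF result from Authentication-Results and the CAT field from X-Forefront-Antispam-Report, and flags a hard fail that was not categorised as HSPAM. The sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample headers for illustration (not taken from a real message).
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.25)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none; dmarc=none action=none header.from=example.com;
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:;LANG:en;SCL:9;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.net;PTR:;CAT:HSPAM;SFS:;DIR:INB;
From: sender@example.com
Subject: constructed test

body
"""

def parse_report(value):
    """Split the 'KEY:value;KEY:value' antispam report into a dict."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:  # skip empty trailing segments
            fields[key.upper()] = val.strip()
    return fields

def spf_verdict(auth_results):
    """Return the SPF result token ('fail', 'softfail', 'pass', ...) or None."""
    match = re.search(r"\bspf=([a-z]+)", auth_results, re.IGNORECASE)
    return match.group(1).lower() if match else None

def check_message(raw):
    """Report whether an SPF hard fail was categorised as HSPAM."""
    msg = message_from_string(raw, policy=default)  # default policy unfolds headers
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    report = parse_report(str(msg.get("X-Forefront-Antispam-Report", "")))
    spf, cat = spf_verdict(auth), report.get("CAT")
    return {
        "spf": spf,
        "cat": cat,
        "scl": report.get("SCL"),
        # True means a hard fail was NOT marked HSPAM: review the policy.
        "gap": spf == "fail" and cat != "HSPAM",
    }

if __name__ == "__main__":
    print(check_message(SAMPLE))
```
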
