Keep SPF fails away from the user’s junk folder!
By default SPF fails will not land automatically in the quarantine in Exchange Online. I recently had a case that users are getting SPF fails in their junk folder and the sending domain only had an active SPF record. Of course you assume that if you have the -all (hard fail) rating, the receiving server will not let the messages go through, if they are send from an unauthorized server. However, this works differently for each mail server, on how they are handle the SPF fails.
You can enable some features in the ATP anti-spam settings to send SPF fails to the quarantine, without using a mailflow rule.
The following steps will turn on “SPF record: hard fail” in the anti-spam policy.
- Login at: https://protection.office.com/antispam
- Edit “Default spam filter policy (always ON)” or your custom policy.
- Go to “Spam properties”
- Under “Mark as spam”
- Toggle on “SPF record: hard fail”
Now SPF hard fails will get the HSPAM (High confidence spam) label in the Protection Policy Category from the Forefront Antispam Report Header.
- Back to the spam filter policy
- Open Spam and bulk actions
- High confidence spam
- Quarantine the message