After our recent post Introducing more control over Direct Send in Exchange Online, there have been more questions about scenarios that are not actually Direct Send such as senders being able to igno...
Updated Aug 07, 2025
Version 7.0
Blog Post
Once again, Microsoft has failed to directly address a serious and important question I have raised in another blog post. I REALLY hope Microsoft will do so by responding to my comment, updating the blog post, and the relevant/linked documentation (How to set up a multifunction device or application to send email using Microsoft 365 or Office 365).
If an email is "Directly Sent" (e.g. contoso-com.mail.protection.outlook.com) AND that mail's P1 sending domain, envelope sender, is an accepted domain in the tenant - is that mail subject to SPF policy processing and enforcement?
None of the blogs I have read around the recent Direct Send confusion has directly answered this question and the documentation linked in this blog (and mentioned above) is vague as it says that SPF is "recommended" which suggests to this reader that mail matching the conditions I describe above may in fact not be subject to SPF policy processing.
Edit: Also I wish to point out that I really dislike Microsoft's use of the word "unauthenticated" mail when it comes to SMTP submissions between MTAs. The sending of mail is authenticated through SPF. Mail messages are authenticated primarily through DMARC-alignment. Microsoft needs to align their language with industry-standard terminology.
The docs explicitly say that messages are treated like anonymous email from the internet and all scanning en protections apply. So that means the SPF policy and processing is applied.
JS Deuten One of the big issues here is that even though they are stating (all scanning and protections apply), if those protections are not turned up or configured when some organizations assume that all mailflow is supposedly routed through their 3rd party filter protection service (i.e Barracuda, Proofpoint, etc), then this essentially opens a backdoor that the protections won't apply. We were attacked with spoofed emails that made their way through and upon investigating the headers, ALL authentication results failed. SPF, ARC, DKIM, DMARC. And our EOP is on by default, but our mail flow for all emails funnel through our 3rd party service. This attack completely bypassed our 3rd party filtering service AND EOP didn't block the failed SPF, ARC, DMARC failures. We had to do some tweaking to ensure those failures in SPF, DKIM, DMARC apply. Attackers are definitely taking advantage of this feature. Granted normal "internal" emails don't get checked for SPF, DKIM, and DMARC because they are internal, but the messages are clearly not originating internally. And we do have in place connectors that block all inbound mail directly except from our 3rd party filter service.
Do you have DMARC to Reject? Do you have Enhanced filtering for connectors configured?
https://techcommunity.microsoft.com/blog/exchange/announcing-new-dmarc-policy-handling-defaults-for-enhanced-email-security/3878883
This is true, but please note that:
- As I note in the edit to my comment above (which exited prior to your reply), "Anonymous" (IMO synonymous with unauthenticated) is incredibly vague language when it comes to the P1 address.
- The other big issue with Microsoft's language throughout this saga has been what exactly Direct Send is. It has only recently come to our collective awareness that Direct Send is not unique to P1/MailFrom domains that match a tenant-claimed domain.
QED, Microsoft still has a ways to go in making clear what Direct Send is and what it is not. Preferably, using industry standard language.
How is it vague language? Microsoft says the following:
'“Anonymous” in this context means that the messages are not attributed to any mail flow connector when they are sent to Exchange Online'
So message directly send to your Microsoft MX, are treated as Anonymous, which are subject to anti-phishing/spam policies.
Point 2 i dont know anything about this?
- Mithun_Rathinam
Microsoft
yes , that's right
