JS Deuten
One of the big issues here is that even though they are stating (all scanning and protections apply), if those protections are not turned up or configured, because some organizations assume that all mail flow is supposedly routed through their 3rd-party filter protection service (i.e. Barracuda, Proofpoint, etc.), then this essentially opens a backdoor to which the protections won't apply. We were attacked with spoofed emails that made their way through, and upon investigating the headers, ALL authentication results failed: SPF, ARC, DKIM, DMARC. Our EOP is on by default, but our mail flow for all emails funnels through our 3rd-party service. This attack completely bypassed our 3rd-party filtering service, AND EOP didn't block on the SPF, ARC, and DMARC failures. We had to do some tweaking to ensure those failures in SPF, DKIM, and DMARC apply. Attackers are definitely taking advantage of this feature. Granted, normal "internal" emails don't get checked for SPF, DKIM, and DMARC because they are internal, but these messages are clearly not originating internally. And we do have in place connectors that block all inbound mail directly except from our 3rd-party filter service.
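The situation the comment describes, as an added detection example that is not part of the thread and not the commenter's own tooling: a message reaches the mailbox with every authentication result failing, and its Received chain shows it never passed through the outsourced filtering gateway. The script below parses the Authentication-Results and Received headers with Python's standard email library and flags exactly that combination. The gateway hostname, the sample messages, the IP addresses and the domain names are all constructed placeholders (RFC 5737 documentation addresses and .example domains), not values from the original page.

```python
import email
import re
from email import policy

# Assumed hostname of the outsourced filtering service (placeholder; not from the page).
EXPECTED_FILTER_HOST = "mx.thirdpartyfilter.example"

# Constructed sample: a spoofed message delivered straight to Exchange Online, bypassing the
# filter. Every result in Authentication-Results is "fail", mirroring the headers described above.
SAMPLE_BYPASS = b"""Received: from mail-direct.attacker.example (203.0.113.5) by
 XX1PR01MB1234.prod.example.outlook.com with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=yourcompany.example;
 dkim=fail (signature did not verify) header.d=yourcompany.example;
 dmarc=fail action=oreject header.from=yourcompany.example;compauth=fail reason=000
From: "CEO" <ceo@yourcompany.example>
To: finance@yourcompany.example
Subject: Urgent wire

Please process today.
"""

# Constructed sample: the expected path, where the filtering gateway is the last external hop
# and the checks pass.
SAMPLE_LEGIT = b"""Received: from mx.thirdpartyfilter.example (198.51.100.7) by
 XX1PR01MB1234.prod.example.outlook.com with Microsoft SMTP Server
Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=partner.example;
 dkim=pass (signature was verified) header.d=partner.example;
 dmarc=pass action=none header.from=partner.example;compauth=pass reason=100
From: "Vendor" <billing@partner.example>
To: finance@yourcompany.example
Subject: Invoice 1042

Attached.
"""

# method=verdict pairs as they appear in Authentication-Results (RFC 8601 style).
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|arc|compauth)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Return {method: verdict} from the topmost Authentication-Results header(s).

    Headers are listed top-down, so the first occurrence of a method is the one the
    receiving service (EOP) stamped last; later duplicates from upstream hops are ignored.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            results.setdefault(method.lower(), verdict.lower())
    return results


def via_expected_filter(msg, filter_host=EXPECTED_FILTER_HOST):
    """True if any Received hop names the filtering gateway the tenant expects mail to come through."""
    return any(filter_host in received for received in msg.get_all("Received", []))


def assess(raw_message, filter_host=EXPECTED_FILTER_HOST):
    """Classify a raw RFC 5322 message.

    bypassed_filter: the message never traversed the expected gateway.
    failed:          which of SPF/DKIM/DMARC the receiving service marked as failing.
    suspicious:      bypassed the gateway AND carries authentication failures, i.e. the exact
                     pattern the comment describes as having slipped past both layers.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    auth = parse_auth_results(msg)
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) == "fail"]
    bypassed = not via_expected_filter(msg, filter_host)
    return {
        "from": str(msg["From"]),
        "auth": auth,
        "failed": failed,
        "bypassed_filter": bypassed,
        "suspicious": bypassed and bool(failed),
    }


if __name__ == "__main__":
    for label, raw in (("bypass", SAMPLE_BYPASS), ("legit", SAMPLE_LEGIT)):
        verdict = assess(raw)
        print(f"{label}: suspicious={verdict['suspicious']} failed={verdict['failed']} "
              f"bypassed_filter={verdict['bypassed_filter']}")
```

Run against an exported .eml (for example from a mailbox search) by reading its bytes and passing them to assess(). The point of checking the Received chain separately from the authentication verdicts is that a message arriving outside the expected gateway path is a routing anomaly on its own, even before the SPF/DKIM/DMARC results are considered; the two signals together are what distinguish the direct-delivery spoof from ordinary internal mail that is never authenticated.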