Forum Discussion
Security Considerations for SMTP Add-on Service Receiving Emails from Exchange Online
Here is what the Microsoft EO security team answered:
Spoofing Possibility
Messages coming from Exchange Online IP addresses can potentially be spoofed. Since Exchange Online uses shared IP ranges for all tenants, it is possible for one tenant (or an attacker) to send emails that spoof another tenant’s MAIL FROM or From header.
Measures to Prevent Spoofing
Microsoft suggests several measures to prevent spoofing:
- Email Authentication: Implement SPF, DKIM, and DMARC records for your domains. These records help destination email systems verify the validity of messages claiming to be from your domains.
- Enhanced Filtering for Connectors: Enable Enhanced Filtering for Connectors or bypass filtering completely using a mail flow rule. This helps prevent misclassification of inbound mail and ensures a better experience for Microsoft 365 email and protection features.
- Spoof Intelligence Insight: Use the spoof intelligence insight feature in Exchange Online Protection (EOP) to review detected spoofed messages from senders in internal and external domains. You can manually create allow or block entries for spoofed senders.
- Anti-phishing Policies: Configure anti-phishing policies in EOP and Microsoft Defender for Office 365 to include anti-spoofing settings.
Trust in Envelope Sender and From Address
The third-party service can place limited trust in the envelope sender and the From address. Exchange Online Protection (EOP) validates the From address to prevent phishing by requiring inbound messages to include an RFC-compliant From address. However, the third-party service should also implement its own email authentication checks and monitor for spoofed messages.
Summary
- Spoofing is possible due to shared IP ranges in Exchange Online.
- Preventive measures include email authentication (SPF, DKIM, DMARC), Enhanced Filtering for Connectors, spoof intelligence insight, and anti-phishing policies.
- Trust in sender information should be limited and supplemented with additional checks by the third-party service.
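The answer above says the receiving service should run its own authentication checks rather than trust sender information. The following is an added example of what that check can look like on the third-party side; it is not code from the forum thread or from Microsoft. It assumes an upstream SPF/DKIM verifier (for example the MTA's authentication milter) has already produced verdicts, which are fed in here as constructed `AuthResult` values, and it approximates the organizational domain with the last two labels instead of the Public Suffix List (a hypothetical simplification). The point it demonstrates is the shared-IP problem from the thread: a forger in another tenant can make SPF pass and even align by setting MAIL FROM to the victim domain, because the victim's SPF record includes the same Exchange Online ranges, so the service should require an aligned DKIM pass under the expected tenant's own domain rather than accept plain DMARC-style "SPF or DKIM".

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass
class AuthResult:
    """Verdicts from an upstream SPF/DKIM verifier (assumed to exist, e.g. the
    MTA's authentication milter). Only what the alignment check needs is kept."""
    spf_result: str   # "pass", "fail", "softfail", "none", ...
    spf_domain: str   # MAIL FROM domain the SPF record was looked up for
    dkim_result: str  # "pass", "fail", "none", ...
    dkim_domain: str  # d= tag of the signature that verified ("" if none)


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Hypothetical simplification: production code must use the Public
    Suffix List (otherwise 'mail.contoso.co.uk' collapses to 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def aligned(auth_domain: str, header_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed
    accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "strict":
        return auth_domain.lower() == header_domain.lower()
    return org_domain(auth_domain) == org_domain(header_domain)


def from_domain(raw_message: str) -> str:
    """Domain of the single From: header. Zero or several From: headers are
    rejected rather than guessed at: an ambiguous From: field is a classic
    way to make different parsers see different senders."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("From", [])
    if len(headers) != 1:
        raise ValueError(f"expected exactly one From header, got {len(headers)}")
    _, addr = parseaddr(headers[0])
    if "@" not in addr:
        raise ValueError("From header has no usable address")
    return addr.rsplit("@", 1)[1].lower()


def evaluate(raw_message: str, auth: AuthResult, expected_tenant: str,
             require_dkim: bool = True, mode: str = "relaxed") -> tuple[str, str]:
    """Decide whether to trust a message as coming from `expected_tenant`.

    Plain DMARC logic accepts if either an aligned SPF pass or an aligned
    DKIM pass exists. With require_dkim=True (the default) an SPF pass is
    not enough: when the sending IPs are shared by every tenant, SPF only
    proves the mail left Exchange Online, not which tenant sent it, so only
    a DKIM signature under the tenant's own domain counts as evidence."""
    fd = from_domain(raw_message)
    if org_domain(fd) != org_domain(expected_tenant):
        return "reject", f"From domain {fd} is not the expected tenant"
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, fd, mode)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, fd, mode)
    if dkim_ok:
        return "accept", f"aligned DKIM pass for d={auth.dkim_domain}"
    if spf_ok and not require_dkim:
        return "accept", f"aligned SPF pass for {auth.spf_domain} (shared-IP risk)"
    return "reject", "no aligned DKIM signature from the tenant's domain"


# Constructed sample message (not a real capture).
SAMPLE = (
    "From: Alerts <alerts@contoso.com>\r\n"
    "To: intake@addon.example\r\n"
    "Subject: ticket update\r\n"
    "\r\n"
    "body\r\n"
)

# Scenario 1: genuine tenant mail, signed with contoso.com's DKIM key.
GENUINE = AuthResult("pass", "contoso.com", "pass", "contoso.com")
# Scenario 2: another tenant relays through the same Exchange Online IPs
# and forges the From header, but can only sign with its own key.
CROSS_TENANT = AuthResult("pass", "fabrikam.com", "pass", "fabrikam.com")
# Scenario 3: the forger also sets MAIL FROM to contoso.com. Because
# contoso.com's SPF record includes the shared Exchange Online ranges,
# SPF passes and aligns, yet there is still no contoso.com signature.
MAILFROM_FORGED = AuthResult("pass", "contoso.com", "pass", "fabrikam.com")


if __name__ == "__main__":
    for name, auth in [("genuine", GENUINE), ("cross-tenant", CROSS_TENANT),
                       ("mailfrom-forged", MAILFROM_FORGED)]:
        print(name, evaluate(SAMPLE, auth, "contoso.com"))
        print(name, "dmarc-style", evaluate(SAMPLE, auth, "contoso.com", require_dkim=False))
```

Running the three scenarios shows the difference: the genuine message is accepted either way, the cross-tenant forgery is rejected either way, but the MAIL FROM forgery is accepted by the DMARC-style check and rejected only when an aligned DKIM pass is required. The DKIM verdict itself must come from a real verifier that fetches the selector's public key from DNS; this block only makes the trust decision on top of it.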