office 365 mail SPF Fail but still delivered
Thanks to Geno_C7 for posting a rule solution for this Microsoft Exchange (ME) security hole. Here it is August of 2025 and it's still plaguing some of us. In our case, Microsoft thinks it's a clever trick to bypass the outbound Exchange mail connector protocols when the spoofing domain is also hosted on ME. SPF=FAIL? Ignored! The fact that the message's Received-SPF says that our domain does not designate the spoofing domain as an allowed sender? Ignored! 🤔 So, for those other Exchange Admin Center admins suffering, unable to stop these spoofed messages, here is the Mail Flow rule that we adapted from Geno_C7's for 2025.
Apply this rule if: the message headers...row begins with Received-SPF. If that row contains '%our domain% does not designate', then prepend the subject line with 'Mail Spoof ==> (SPF=FAIL): ', where %our domain% is our domain name (Contoso.com for instance) as shown in the message header. The prepended subject line gives ample warning to the intended e-mail recipient to be wary that the message was malicious.
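The condition in the rule above can be tried offline against exported message headers before the rule is switched on. This is an added example, not part of the original post and not Exchange's own matching code; `contoso.com`, the sample headers and the function names are constructed for illustration, and matching is assumed to be case-insensitive.

```python
from email import message_from_string, policy

OUR_DOMAIN = "contoso.com"              # assumption: placeholder for your accepted domain
PREFIX = "Mail Spoof ==> (SPF=FAIL): "  # subject prefix given in the post


def rule_matches(msg, our_domain=OUR_DOMAIN):
    """True if any Received-SPF header contains '<our domain> does not designate'."""
    needle = f"{our_domain} does not designate".lower()
    for value in msg.get_all("Received-SPF", []):
        # Collapse folding whitespace so a wrapped header line still matches.
        flat = " ".join(str(value).split()).lower()
        if needle in flat:
            return True
    return False


def tagged_subject(raw_message, our_domain=OUR_DOMAIN):
    """Return the subject as the recipient would see it after the rule runs."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    return PREFIX + subject if rule_matches(msg, our_domain) else subject


def _sample(spf_header, subject):
    # Constructed message; names and IP addresses are documentation values.
    return (f"Received-SPF: {spf_header}\n"
            "From: ceo@contoso.com\nTo: staff@contoso.com\n"
            f"Subject: {subject}\n\nbody\n")


# Constructed samples: a spoof of our own domain (folded header), a legitimate
# pass, and an SPF failure for an unrelated domain that the rule should ignore.
SPOOFED = _sample("Fail (protection.outlook.com: domain of contoso.com\n"
                  " does not designate 203.0.113.5 as permitted sender)",
                  "Invoice due")
LEGIT = _sample("Pass (protection.outlook.com: domain of contoso.com designates"
                " 198.51.100.7 as permitted sender)", "Team lunch")
OTHER = _sample("Fail (protection.outlook.com: domain of fabrikam.com does not"
                " designate 203.0.113.9 as permitted sender)", "Quote")

if __name__ == "__main__":
    for raw in (SPOOFED, LEGIT, OTHER):
        print(tagged_subject(raw))
```

Only the first sample gets the prefix; the unrelated SPF failure stays untagged because the matched phrase includes the domain name.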