Forum Discussion

Copper Contributor

Jan 21, 2019

Why are my users getting spoofed messages when I have SPF, DMARC, DKIM enabled?

Recently, I had a user forward an email to me that was from a spoofed email account in our organization (the email was from an outside email server and had been relayed off another mail server with a...

MVP

Jan 24, 2019

The SCL score of this message is -1, meaning that the anti-spam action was bypassed due to "trusted sender" or similar exception, as suspected. In particular, the SFV:SKA value indicates, that you have allow list as detailed here: https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spam-message-headers

SFV:SKA

The message skipped filtering and was delivered to the inbox because it matched an allow list in the spam filter policy, such as the Sender allow list.

There's nothing wrong on Microsoft side, it's admin/user configuration that is allowing this message to pass through the antispam filter. Check your policy settings, transport rules and the mailbox settings.

acstech1

Copper Contributor

Jan 24, 2019

I don't have any of those things enabled related to the original servers where the message originated.

carolina.valencia@productos.com.co does not appear in the user's safe sender list

We have no tunnels on our end related to mail.comsisnet.com (212.124.108.234)

My guess is that Microsoft is seeing that spoofed address as the sender and letting everything through since the spoofed address is in my org.