RobertR2
Copper Contributor
Jul 24, 2024

Domain impersonation in hybrid

Hi all,

I have strange behavior in my Exchange hybrid deployment.

I have 2 internal Exchange 2016 mailbox servers and 2 Edge 2016 servers. All mailboxes are still hosted on-premises. Hybrid configuration is in place. The MX record (company.com) points to Exchange Online, emails are then routed to the Edge servers and then to internal mailboxes. Outbound email is routed to the Edge servers and then to Exchange Online and to the external recipient.

I've configured the anti-phishing policy to protect all my domains against domain impersonation. Now, every mail that is sent to external recipients is detected as an impersonation attempt of my domain "company.com". Both Edge server public IP addresses are part of my SPF record. All certificates and connectors seem fine. When I send an email from on-premises to an internal mailbox that is hosted in Exchange Online, the SPF check is passed and the mail is considered to be internal.

I know I can disable impersonation protection for this domain, but that is not resolving the root cause. So what could cause the detection for every single mail to external recipients?

2 Replies

  • ExMSW4319
    Iron Contributor
    We have a similar config except that the mailboxes are on EXO and only the on-prem systems send out through our legacy Exchange. What you are describing should work.

    Have you validated your SPF with someone like Dmarcian or looked closely at the headers of a repudiated mail to see what CompAuth et al are saying about you?

    Do you publish DMARC and if so, what does it say about DKIM? Is your own DMARC policy repudiating you?

    If you have already checked all of that, I fear that a call to Product Support lies in your future.
    • RobertR2
      Copper Contributor

      ExMSW4319 Thanks for sharing your information. The issue suddenly disappeared now, without any change of the configuration. So it is solved without interaction from our side.
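
For the header check suggested in the reply above, here is an added example (not part of the thread or any poster's code) that pulls the SPF, DKIM, DMARC and CompAuth verdicts out of the `Authentication-Results` header and the filtering category out of `X-Forefront-Antispam-Report`, the two headers Exchange Online stamps on a message. The sample message, IP address and results are constructed; only the domain `company.com` comes from the thread.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): placeholder IP, recipient and results.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=company.com; dkim=none (message not signed)
 header.d=none; dmarc=pass action=none header.from=company.com;
 compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:192.0.2.10;LANG:en;CAT:DIMP;
From: user@company.com
To: someone@example.org
Subject: constructed test

body
"""

def parse_auth_results(value):
    """Return {method: {"result": ..., prop: ...}} for each ';'-separated clause."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    out = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = {"result": result.lower(), **props}
    return out

def parse_antispam_report(value):
    """X-Forefront-Antispam-Report is a ';'-separated list of KEY:value fields."""
    pairs = (item.strip().partition(":") for item in value.split(";"))
    return {key.upper(): val for key, sep, val in pairs if sep}

def summarize(raw_message):
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report", ""))
    spf_domain = auth.get("spf", {}).get("smtp.mailfrom", "").rpartition("@")[2]
    from_domain = auth.get("dmarc", {}).get("header.from", "")
    summary = {m: auth.get(m, {}).get("result") for m in ("spf", "dkim", "dmarc", "compauth")}
    summary["compauth_reason"] = auth.get("compauth", {}).get("reason")
    # Exact match only; DMARC relaxed alignment would also accept subdomains.
    summary["spf_domain_matches_from"] = bool(from_domain) and spf_domain.lower() == from_domain.lower()
    summary["category"] = report.get("CAT")  # DIMP = domain impersonation
    return summary

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A summary in which every authentication result passes while `category` is `DIMP` shows that the impersonation verdict did not come from an SPF, DKIM or DMARC failure.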
