cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exchange Online receiving "received-spf: Fail" spam from own domain

JorisSyen
Copper Contributor

‎Dec 04 2018 10:23 AM

‎Dec 04 2018 10:23 AM

Exchange Online receiving "received-spf: Fail" spam from own domain

Dear,

 

Our users (Echange Online) experience phishing emails in their mailboxes, coming from their own email address. The header info states:

 

...

From: Patrick  <patrick@xxxxx.be>
To: Patrick  <patrick@xxxxx.be>
Subject: Fwd: New ORDER

...

received-spf: Fail (protection.outlook.com: domain of xxxxx.be does not
designate 173.12.213.89 as permitted sender) receiver=protection.outlook.com;
client-ip=173.12.213.89; helo=LPCC-DC.lpcc.local;

 

But still they receive those emails. I thought spf would block any emails coming from servers that are not allowed? Our sfp record in DNS is configured correctly:

 

TXT v=spf1 include:spf.protection.outlook.com -all

 

So how can we stop these spamming emails from entering our boxes?

Labels:
34.5K Views
0 Likes
2 Replies
Reply
2 Replies
Christopher Hoard

‎Dec 04 2018 10:37 AM

‎Dec 04 2018 10:37 AM

Re: Exchange Online receiving "received-spf: Fail" spam from own domain

Enable impersonation protection in Office365 on your domain in the security and compliance centre.

https://docs.microsoft.com/en-us/office365/securitycompliance/anti-phishing-protection

Best, Chris
0 Likes
Reply
Vasil Michev

‎Dec 04 2018 10:56 AM

‎Dec 04 2018 10:56 AM

Re: Exchange Online receiving "received-spf: Fail" spam from own domain

SPF fail on its own might not be enough for a message to be quarantined, you can fine tune this behavior with the Advanced Spam Filtering options' Hard-fail toggle: https://docs.microsoft.com/en-us/office365/securitycompliance/advanced-spam-filtering-asf-options

 

Or via custom transport rules, such as the example here: https://blogs.technet.microsoft.com/eopfieldnotes/2018/02/09/combating-display-name-spoofing/

 

Or using the additional tools that are part of ATP/E5, if you are paying for this, as suggested by Christopher :)

1 Like
Reply