Forum Discussion
Analyzing message header
The fact that enough emails where your domain is spoofed are reaching your users means that the 3rd party spam filter is not doing the best job or is not configured correctly. Those spoofed emails should be stopped/marked as spam there, at the 3rd party spam filter level. It's also important whether your SPF record ends in ~all (soft fail) or -all (hard fail). Many anti-spam solutions won't mark as spam an email for which the SPF check soft failed.
In this configuration, Sender - 3rd party spam filter - Exchange on-premise - Exchange online, you are not using the full capabilities of Exchange Online Protection. Ideally, the MX record should point to EOP.
- Off2w0rk, Oct 07, 2016, Brass Contributor
Thanks Victor,
I still think it's bad that EXO/EOP is failing on this SPF check on connecting IP and not also checking X-Origin-IP header (which should be IP of mail server sending out mail).
What if a customer does not use a 3rd party spam filter but still wants mail to go through the on-premise server (for benefits like better messagetrace)?
That EOP blindly accepts all messages arriving on-premise server is not of best security imo :)
- Victor_Ungureanu, Oct 07, 2016, Microsoft
The X-Originating-IP header doesn't contain the IP address of the original sending server, but the IP of the PC where Outlook or OWA was used to compose and send that email. EOP has no way of evaluating the IP of the initial sending server.
Exchange Online has much improved message tracking capabilities compared to Exchange on-premises.
- Off2w0rk, Oct 07, 2016, Brass Contributor
I think you are mixing up X-origin-IP and X-Originating-IP. The last one is the IP of the end user.
Messagetrace in EXO is NOT better than On-premise. In EXO you can only trace messages 1 week back for real time view. If you need older than 7 days, you have to wait 2-4 hours before the results are sent to your inbox.
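Added example, not part of the thread and not Microsoft's code: a Python sketch of the two points discussed above, that an SPF verdict depends on which hop's connecting IP is evaluated in the chain Sender - 3rd party spam filter - Exchange on-premise - Exchange Online, and that ~all versus -all changes the verdict from softfail to fail. The addresses, SPF records and function names are constructed for illustration; only the ip4, ip6 and all mechanisms are handled, because the others need DNS lookups.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real hosts).
# Assumption: the sending domain authorizes only its own server range.
SPF_SOFT = "v=spf1 ip4:203.0.113.0/24 ~all"
SPF_HARD = "v=spf1 ip4:203.0.113.0/24 -all"

# (receiving hop, IP address that connects to it) for the relay chain above.
HOPS = [
    ("3rd party spam filter", "203.0.113.50"),      # sender's own server
    ("Exchange on-premise", "198.51.100.10"),       # the spam filter
    ("Exchange Online Protection", "192.0.2.25"),   # the on-premise server
]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one client IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        # a, mx, include, redirect etc. need DNS and are skipped in this sketch
    return "neutral"                         # no mechanism matched


def spf_per_hop(record, hops):
    """SPF result each receiving hop gets when it checks its connecting IP."""
    return {receiver: check_spf(record, ip) for receiver, ip in hops}


if __name__ == "__main__":
    for label, record in (("~all", SPF_SOFT), ("-all", SPF_HARD)):
        print(label, spf_per_hop(record, HOPS))
```

Only the first hop sees an address the sender's record authorizes; every later hop evaluates the relay in front of it, which is why the first receiver in the chain is the place where the SPF result is meaningful.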