
Exchange Online receiving "received-spf: Fail" spam from own domain

JorisSyen
Occasional Visitor

Dear,

Our users (Exchange Online) experience phishing emails in their mailboxes, coming from their own email address. The header info states:

 

...

From: Patrick  <patrick@xxxxx.be>
To: Patrick  <patrick@xxxxx.be>
Subject: Fwd: New ORDER

...

received-spf: Fail (protection.outlook.com: domain of xxxxx.be does not
designate 173.12.213.89 as permitted sender) receiver=protection.outlook.com;
client-ip=173.12.213.89; helo=LPCC-DC.lpcc.local;

 

But still they receive those emails. I thought SPF would block any emails coming from servers that are not allowed? Our SPF record in DNS is configured correctly:

 

TXT v=spf1 include:spf.protection.outlook.com -all

 

So how can we stop these spamming emails from entering our boxes?

2 Replies
Enable impersonation protection in Office365 on your domain in the security and compliance centre.

https://docs.microsoft.com/en-us/office365/securitycompliance/anti-phishing-protection

Best, Chris

SPF fail on its own might not be enough for a message to be quarantined; you can fine-tune this behavior with the Advanced Spam Filtering options' Hard-fail toggle: https://docs.microsoft.com/en-us/office365/securitycompliance/advanced-spam-filtering-asf-options

 

Or via custom transport rules, such as the example here: https://blogs.technet.microsoft.com/eopfieldnotes/2018/02/09/combating-display-name-spoofing/

 

Or using the additional tools that are part of ATP/E5, if you are paying for this, as suggested by Christopher :)
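
Added example, not part of the thread: a Python triage of the header pattern discussed above, flagging a message whose From domain is one of your own while Received-SPF reports Fail, which is the condition a hard-fail setting or transport rule would act on. The sample message is constructed from the headers quoted in the question; `OWN_DOMAINS` and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the question
# (the domain stays as the poster's redacted xxxxx.be).
SAMPLE = """\
Received-SPF: Fail (protection.outlook.com: domain of xxxxx.be does not
 designate 173.12.213.89 as permitted sender) receiver=protection.outlook.com;
 client-ip=173.12.213.89; helo=LPCC-DC.lpcc.local;
From: Patrick <patrick@xxxxx.be>
To: Patrick <patrick@xxxxx.be>
Subject: Fwd: New ORDER

(body omitted)
"""

OWN_DOMAINS = {"xxxxx.be"}  # assumption: the tenant's accepted domains

def parse_received_spf(value):
    """Split a Received-SPF header into (result, key=value pairs)."""
    value = " ".join(value.split())            # unfold continuation lines
    result = value.split(None, 1)[0].lower() if value else "none"
    tail = re.sub(r"\([^)]*\)", "", value)     # drop the human-readable comment
    return result, dict(re.findall(r"([\w-]+)=([^;\s]+)", tail))

def triage(raw, own_domains=OWN_DOMAINS):
    """Flag mail that claims an own domain in From but hard-failed SPF."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result, pairs = parse_received_spf(msg.get("Received-SPF", ""))
    return {
        "from_domain": from_domain,
        "spf": result,
        "client_ip": pairs.get("client-ip"),
        "helo": pairs.get("helo"),
        "self_spoof": from_domain in own_domains and result == "fail",
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Received-SPF reflects the check on the envelope sender, so the From-domain comparison here is a separate test layered on top of it, not part of SPF itself.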
