alot of users getting spam


a few of our users are getting spam emails that make it seems that the emails are from microsoft.

some are received from their own email address.

upon checking the header, we found this.

dmarc failed.

what else can we do to block such span emailspam2.jpg


Authentication-Results: spf=none (sender IP is;; dkim=none
(message not signed) header.d=none;; dmarc=fail
action=none;compauth=fail reason=601
Received-SPF: None ( does
not designate permitted sender hosts)
Received: from ( by ( with Microsoft


2 Replies

Well, compauth=fail is a very strong signal, although I'm not sure what reason 601 exactly is. In any case, the message should have been marked as phish or spam. Read more here:

I do it in a couple of steps. allow through if Authentication-Results header includes dkim=pass and \ Then Quarantine anything with (?i)microsoft in the header. You have to be specific and can't just look at spf or dkim=pass without looking at what it's passing.