SOLVED

Data Loss Prevention - External Emails

Occasional Contributor

Hi,

 

Hoping someone can help me. I have a number of DLP policies set up, which are working and alerting users as they should be. The issue I have is when DLP sends an alert externally, to a guest account, it changes the 'from' address from the tenant domain to no-reply@sharepointonline.com, causing issues with some client spam filters.


I have looked in the DLP policy but am unable to see any setting that will change the 'from' address to the domain name. Can anyone help with guidance to resolve this please? 


Regards

Ben

3 Replies

Didn't even expect to have DLP policies fire on Guest accounts. But the no-reply address is "standard" behavior for SPO notifications - the user's account will be used, if found, and if not, the no-reply address.

@Vasil Michev 

 

Thanks for the response.

 

The response you have given is the same as I receive from Microsoft when I discuss how services are limited for Guest users in a tenant, even though their business architecture is to use BYOD for both devices and subscriptions. It amazes me how much is overlooked from a Guest account, from little things like this to big things such as authenticating to IaaS and PaaS services.

 

It seems in this case the no-reply@sharepointonline.com is being treated as a spam email by the guests' systems because it isn't passing authentication. I am exploring DMARC, DKIM and transport rule options to see which may be able to solve the issue in the safest way.

best response confirmed by Ben Curran (Occasional Contributor)
Solution

After doing a lot of testing, the best solution, due to a number of reasons with external spam settings, was to create a Power Automate flow to pick up the information of the DLP alert from an email in a shared mailbox. The flow extracts the required information needed to inform the user of the event and presents it in a fully customised email sent from the shared mailbox.