MS365 allows you to receive emails from any email address. It is even possible to receive Internet mails from email addresses of your own tenant. This type of mail is qualified as “spoofing”. This type of mail arrives on MX (Exchange Online Protection) servers without needing to be authenticated. By default when an email will arrive in the name of your domain or in the name of an existing mailbox in your domain, the email will be accepted and will arrive in the “spam” folder of your users. The SPAM level of this type of email will be 5.
If you want to block this type of email to avoid any misunderstanding for your users, one solution is to add a transport rule in Exchange Online.
2. Transport rule
You must specify that the sender is located outside your organization:
Specify that the sender has an email address with one of your different domain names declared in your tenant:
You must then choose the actions that will be applied to this type of email.
A safe option may be not to delete this type of email but to send them to the MS365 quarantine:
- Add a prefix to the message such as [antispoofing]
- Raise the SPAM level from 5 to 7 in order to send the email to the MS365 quarantine and no longer to the user’s mailbox
Overall, the transport rule will include 2 criteria and 2 actions.
It is also possible to add exceptions if, for example, you want to allow your scanners to send emails without being authenticated (see the article on this subject).
You can also choose to configure this transport rule via powershell commands:
3. Quarantine access
Once this rule is in place, if a “spoofing” email arrives on your MS365 tenant, it will go directly to the MS365 quarantine and you can access it via the security administration tool:
Les mails de “spoofing” bloqués seront accessibles uniquement via la quarantaine :
The blocked “spoofing” emails will only be accessible inside the quarantine:
These emails will by default be kept for 30 days inside the quarantine.
You will also be able to list these emails using the powershell command “get-quarantinemessage” command: