Skip to content
Home » How Exchange online uses COMPAUTH in inbound mail flow

How Exchange online uses COMPAUTH in inbound mail flow

Microsoft 365 Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) rely on well-established email authentication mechanisms such as SPF, DKIM, DMARC, and ARC to evaluate incoming messages. These technologies enable the platform to assess sender legitimacy at an early stage and, in some cases, block messages before performing any deeper content analysis. This approach reflects a standard and widely adopted security model.

However, when we examine DMARC results more closely, we notice an interesting behavior: some messages that return a DMARC FAIL result still reach a Microsoft 365 tenant. In many cases, these messages originate from legitimate sources and do not represent malicious activity. This observation raises an important question: how does Microsoft handle DMARC failures, and why does the platform allow certain messages with a DMARC FAIL status to pass through?

This article explores that question by presenting several real-world examples and explaining the underlying decision process. In particular, we highlight the role of Composite Authentication (COMPAUTH), a mechanism that evaluates multiple authentication signals together. COMPAUTH enables Microsoft 365 to make more nuanced trust decisions and helps administrators avoid adding complex or environment-specific exceptions within EOP anti-spam policies.

Case of an out-of-office (OOF) and automatic reply emails

An out-of-office (OOF) or automatic reply email uses an empty envelope sender (MAIL FROM). This behavior follows standard email protocol requirements for automatic responses and prevents mail loops.

As a result, the message presents a mismatch between the envelope sender and the header sender (From address). This difference breaks domain alignment requirements defined by DMARC. Consequently, DMARC alignment fails by design for this type of message.

Automatic reply

Case of application emails with envelope from and mime from different or mail with send on behalf

Some SaaS applications send emails on behalf of their customers or use a specific sender address, such as an address associated with an incident or ticket number. In these scenarios, the application sets the envelope sender (MAIL FROM) independently from the header sender (From address). As a result, the envelope sender and the MIME From address often belong to different domains.

This configuration breaks DMARC alignment requirements and leads to a DMARC FAIL result. In this context, COMPAUTH plays a key role by evaluating multiple authentication signals together. It allows Microsoft 365 to recognize legitimate messages even when strict DMARC evaluation would reject them.

Here are some samples or emaila with SOB, DMARC FAIL or BESTGUESSPASS and COMPAUTH PASS.

Composite Authentication values and raison codes

As a consequence, when you analyze an incoming email in Microsoft 365, you need to review the Composite Authentication (COMPAUTH) result carefully.

COMPAUTH provides several possible values, and for each value, a reason code explains the logic behind the evaluation. These reason codes help you understand why the platform assigns a given trust level to a message.

COMPAUTH can also return a value of NONE. In this situation, it does not influence the acceptance or rejection of the message, and the platform relies on other signals instead.

The two sections below list the possible COMPAUTH values and the associated reason codes. They come directly from Microsoft documentation (see the following link: https://learn.microsoft.com/en-us/defender-office-365/email-authentication-about). They help you understand why Microsoft 365 can accept some messages that show a DMARC FAIL result.

COMPAUTH Values

COMPAUTH Raison Codes


By Lionel TRAVERSE
Microsoft 365 Certified / MVP Microsoft 365 & Graph