You my friend seems pretty much fed up with 0365

Basically 90% of emails that have a valid SPF/DKIM records, but no DMARC record fails their comp auth and ends up in in the users junk folder. These are companies using third party senders like mailchip, sendgrid, shopify, etc..

Yet temp errors to SPF and DKIM with no DMARC = compauth pass.. um what?

There’s no point submitting to Microsoft because every single time the verdict is “should have been blocked”

Meanwhile my tenant allow/block list grows by the day that it almost seems pointless having spoof intelligence enabled.

I’m regretting moving from Google Workspace to O365 that’s for sure.

our connector is setup to run all emails internally (RouteAllMessagesViaOnPremises : True), and still some of emails end up in EOP quarantine. We are getting SPF soft fail and SPF fail error when I lookup headers. Any hints?

Thanks,
M

I’ve been seeing that type of spoofing, if sent from another domain that uses office365 then SPF will pass if it’s set up correctly (spoofers/phishers often do).

To combat this i created a rule to check for the presence of “dkim=fail” in the Authentication-Results header. Legit inter-domain emails won’t have a DKIM signature if sent through office365, but spoofed inter-domain emails will have a DKIM signature for the originating domain. This will cause DKIM to fail.

Create a rule that looks for that header for emails sent FROM domain TO domain, if the header matches dkim=fail then it’s likely a spoofed email.

– If sender domain = example.com
and
– If recipient domain = example.com
and
– Authentication-Results header includes dkim=fail
then
– Quarantine and send Email incident report.

v=spf1 include:spf.protection.outlook.com -all

authentication-results: spf=pass (sender IP is 88.198.181.214)
smtp.mailfrom=n2g35.com; microsoft.com; dkim=pass (signature was verified)
header.d=zsvr.org;microsoft.com; dmarc=pass action=none
header.from=zsvr.org;compauth=pass reason=100

What else can we do to find out whats the reason for these mails being marked as spam and to avoid that ? Is there any technical support site that we can contact ? When going to outlook.com support there is only support available for the product itself but not for technical questions like these.

Escalate the ticket. It’s true at all that they don’t support the Exchange admin center, that is rubbish. You’re paying for Office 365 support and that includes support for spam filter configuration issues.

Note also that those aren’t the only spam filter options. There is also the international options and the advanced options you can see there. Some of the options are only surfaced in the Security and Compliance Center (the phishing controls for example). A setting you can’t see in the EAC might be causing the filtering decisions. Also, inspecting the headers of the false positives and comparing with the antispam heaer documentation on TechNet should help you narrow down what is causing the filtering to happen.

Have you seen headers from Office 365 showing why your messages were junked?