In this post, I’ll show you how to partially enable SPF checks by requiring that the SenderID/SPF check is a pass for incoming email from a specified list of domains in Exchange 2013 and Exchange 2016. This is particularly useful if you receive legitimate email from financial institutes or other organizations which may request sensitive information and where these domains are often spoofed but you don't yet want to reject all email that fails the SPF check.
SPF is not a new way of detecting spoofed email but SenderID/SPF checks on incoming mail has not yet been enabled by many of the mail servers across the internet. This may be due to a lack of understanding or confidence in the system. If this includes you then have a read of these posts to get a better understanding:
Ensure that you have completed these steps from How to prevent spoofed email part 1 before continuing:
- Configure the InternalSMTPServers property on your transport servers
- Install the Anti-Spam agents on Exchange
How to require an SPF pass for email from particular domains
To do this, we will create a new transport rule to look at the Received-SPF header on incoming email from outiside the organisation that is from our list of domains for which we only want to receive email if they pass the SPF check.
The email headers for an email that passes the SPF check looks like this:
Received-SPF: Pass (svr01.domain.co.uk: domain of firstname.lastname@example.org designates 126.96.36.199 as permitted sender)
We will configure our rule to look for the text pattern “Pass ” in the Received-SPF header. Note the additional space on the end to prevent a false positive for any email addresses that include the string “pass”.
First, log into the Exchange Admin Center using an account which is a member of the Organization Management group then click on mail flow in the left pane:
Next, click on the + icon, select create a new rule and provide a name for your new rule like “Require SPF Pass”:
Once done, click on More options… to make the additional conditions and options visible. We will apply the rule if the sender’s domain is contoso.com or tailspintoys.com. Click on the Apply this rule if… drop down and select the senders’s domain is… then add your domains in the list:
Click OK when done.
Our next step is to apply these rules to only email from outside the organization. To do this, click add condition and then select the sender is external/internal… Select Outside the organization:
Click OK. In this next part we’ll configure an action for email that is not an SPF pass. You can select one of many actions:
- Redirect the email to another mailbox (e.g. a spam mailbox)
- Forward the message for approval (by an administrator or other)
- BCC the message to another address
- Prepend the subject of the message with a string (to notify the user that this email is not from a trusted source)
- Block the message (with or without an NDR)
In this example, we’ll block the message without sending an NDR to the sender. If you go with this approach, ensure that this sender is always sending email from IPs on their SPF record otherwise you will start to reject legitimate email. If they are not then it’s best to go with one of the less drastic approaches above.
Under the do the following heading, select Block the message…delete the message without notifying anyone as below:
Now this blocks all messages from tailspintoys.com and contoso.com originating from outside the organization. We now want to make an exception so that we allow only those emails that have a Pass in the Received-SPF header field. To do this, click on add exception then select A message header…matches these text patterns
Click on Enter text… and enter Received-SPF to provide the header name:
Click OK then click on Enter text patterns…. Set the text pattern to “Pass ” (yes, there is a space after the word Pass) then click the + icon:
Click OK then click on Save.
In this post, I’ve demonstrated how to set up a new transport rule in Exchange to ensure email from particular domains are only delivered if they pass the SPF checks.