CIS compliancy: Exchange

  • Last update on September 18th, 2024

An SPF policy(s) that designates approved IPs is published

The Sender Policy Framework (SPF) is a mechanism that allows domain administrators to specify which Internet Protocol (IP) addresses are explicitly approved to send email on behalf of the domain, facilitating detection of spoofed emails. SPF is not configured through the Exchange admin center, but rather via the Domain Name System (DNS) records hosted for the organization’s domain.


DMARC is configured for every custom domain

Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with SPF and DKIM to authenticate mail senders and ensure that destination email systems can validate messages sent from your domain. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks.

DMARC implementation varies depending on how an agency manages its DNS records.

DMARC records can be requested using the PowerShell tool Resolve-DnsName. For example:

Resolve-DnsName -Name _dmarc.example.com -Type TXT

Replace “example.com” in the example with the domain(s) used for your agency’s emails. Ensure that:

  1. the DNS record exists
  2. “p=reject;” is included in the policy returned from the query
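The two checks above, automated across a list of domains, as an added example that is not part of the CIS guidance: it resolves the _dmarc TXT record, extracts the p= tag and also confirms an SPF record is published. The domain names are placeholders; the function name is this example's own.

```powershell
# Added example (not from the benchmark): verify SPF is published and DMARC
# exists with p=reject for each domain. Replace the placeholder domains.
function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string[]]$Domains)

    foreach ($domain in $Domains) {
        $result = [ordered]@{ Domain = $domain; SpfPublished = $false
                              DmarcExists = $false; DmarcPolicy = $null; Compliant = $false }

        # SPF: a TXT record at the domain apex beginning with v=spf1
        try {
            $txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction Stop
            # Long TXT records arrive as several 255-byte strings; join them first
            $spf = $txt | Where-Object { ($_.Strings -join '') -match '^v=spf1\b' }
            $result.SpfPublished = [bool]$spf
        } catch { }   # NXDOMAIN or no TXT record: SpfPublished stays $false

        # DMARC: a TXT record at _dmarc.<domain> beginning with v=DMARC1
        try {
            $txt = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction Stop
            $dmarc = $txt | Where-Object { ($_.Strings -join '') -match '^v=DMARC1\b' } |
                     Select-Object -First 1
            if ($dmarc) {
                $result.DmarcExists = $true
                # Tags are semicolon-separated "tag=value" pairs; pull out p=
                $tags = @{}
                foreach ($pair in (($dmarc.Strings -join '') -split ';')) {
                    $kv = $pair.Trim() -split '=', 2
                    if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
                }
                $result.DmarcPolicy = $tags['p']
            }
        } catch { }   # no _dmarc record: DmarcExists stays $false

        # Compliant only when SPF is published and DMARC enforces reject
        $result.Compliant = $result.SpfPublished -and $result.DmarcExists -and
                            ($result.DmarcPolicy -eq 'reject')
        [pscustomobject]$result
    }
}

# Placeholder domains; in Exchange Online PowerShell, Get-AcceptedDomain lists the real ones
Test-MailAuthRecords -Domains 'example.com', 'example.net' | Format-Table -AutoSize
```

Any row with Compliant set to False points at a domain whose DMARC record is missing or whose policy is still none or quarantine.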

Enhanced Filtering Shall be configured if a 3rd party email filtering tool is being used

Enhanced Filtering for Connectors can be set up when mail reaches Microsoft 365 through a connector (a third-party email filtering service or a hybrid configuration) and your MX record does not point to Microsoft 365 or Office 365. The feature filters email based on the actual source of the messages that arrive over the connector. This is also known as skip listing: the IP addresses you designate as internal (your filtering service or on-premises hops) are skipped so that the last known external IP address, which should be the true source IP address, is used for filtering.

If you are using Defender for Office 365, this improves its machine learning and the protection provided by Safe Links, Safe Attachments and anti-spoofing, since Microsoft’s known-malicious IP list is matched against the real sending IP rather than the filtering service’s IP. In effect, you gain a secondary layer of protection by letting Microsoft see the original sender IP and check it against its database.