Tag Archives: transport rule

Sender Domain Validation check in Exchange Online

In my previous blog External Senders with matching display names I explained a Transport Rule that checked for matching display names in order to prevent phishing and possible CFO Fraud.

Another interesting solution with Transport Rules is displaying a warning message when the sender’s domain could not be validated. For example, when a message from a sender who’s SPF record is missing or not valid, it would show something like “The sender of this message could not be validated and may not be the actual sender” as shown in the following screenshot.

In this example the SPF record of the exchangefun.nl domain was missing, hence the validation error.

  • The Transport Rule to achieve this is built on two conditions:
  • The sender is located outside the organization.

The Authentication-Results headers contains one or more of the following entries:

  • dkim=fail
  • spf=TempError
  • spf=PermError
  • spf=SoftFail
  • spf=Fail
  • spf=None

For the email mentioned below, the Authentication-Results header shows the following:

Authentication-Results: spf=none (sender IP is
smtp.mailfrom=exchangefun.nl; wesselius.info; dkim=pass (signature was verified) header.d=Exchangefun.nl;wesselius.info; dmarc=permerror action=none header.from=exchangefun.nl;compauth=pass reason=105

Obviously, it fails on the spf=none entry.

To create a Transport Rule to do this, open the Exchange Online Admin Center and navigate to Rules under Mail Flow and click Add New Rule (the + icon). Use the More Options to add additional conditions to the Transport Rule.

The first condition is The sender is located and select outside the organization. The second condition is A message header includes and enter Authentication-Results for the name of the header and the DKIM and SPF entries mentioned earlier in the text of the message header. It should show something like this:

Click on Add Action and select Prepend a disclaimer. Enter a warning message like:

Warning: The sender of this message could not be validated and may not be the actual sender.

The text can be plain text or HTML formatted as shown in the following screenshot:

When you click Save the Transport Rule is saved in Exchange Online. It could take up to an hour to become effective. And when you receive a message where the domain validation failed a disclaimer is prepended to the email message:

Now you can look in the message header itself to figure out why validation failed. Hopefully this will give a heads-up to users there’s something wrong with the message (but it still can be legitimate message of course).

A special and warm thanks to my fellow MVP Michel de Rooij for his inspiration to write this blog 😉


External Senders with matching Display Names

One of my clients is experiencing phishing from where the external senders use a display name of one of the board members. An IT admin looks at the complete email address, but regular users are tempted to only look at the display name and will respond to the message. This way CEO/CFO fraud easily happens.

To avoid this, we can create a Transport Rule in Exchange Online that identifies external email with display names of internal recipients. So, when someone on the internet with a name like my name, a disclaimer is prepended to the message. This way recipients always know it is not an internal message and it will look something like this:

To create a transport rule there are two conditions:

  • Sender is located outside the organization.
  • From message header matches one or more internal display names.

If these conditions are met, a warning message is prepended to the email message.

Open the Exchange Admin Console and navigate to Rules under Mail flow. Create a new rule (use the More Options to add additional conditions. Select the external sender option and select the message headers matches option. Enter the ‘From’ header enter the display names as shown in the following screenshot:

In the Do the following… dropdown box select prepend the disclaimer option and enter a warning message, something like:

This message was sent from outside the company by someone with a display name matching a user in your organization. Please do not click links or open attachments unless you recognize the source of this email and know the content is safe.

You can use plain text or HTML formatting like I did:

When you click save the transport rule is saved, but it can take an hour before it becomes effective. When a new message arrives from someone with a similar display name a warning message is added to the email message.

Hopefully this will alert users that the email is not an internal message but comes from the Internet (but it can still be a valid message of course)

Auto-forward in Office 365

A customer is running Exchange 2010 on-premises and has auto-forwarding of email messages disabled on an organizational level. After building a hybrid environment and migrating some users we found out that users were able to auto-forward email messages to external recipients.

In Office 365 auto-forward is enabled by default on an organizational level, but can be disabled on a tenant level by using Transport Rules. To achieve this, logon to the Exchange Admin Center of Office 365 (https://outlook.office365.com/ecp/) and select Rules in the Mail Flow section.

Continue reading Auto-forward in Office 365