This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 12%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER6%3C/text%3E%3C/svg%3E)
I'm an Exchange Online admin. I got all SPF, DMARC, DKIM configured correctly for the company domain (call it: my-domain dot com).
Some of our employees use third party file sharing service to send documents to the client. The service sends out a notification email to the client as well as the user (user @ my-domain dot com). It keeps getting quarantined because the email comes from us to us.
From: user @ my-domain dot com
To: user @ my-domain dot com
Our DMARC rule is set p=quarantine. All email that come from file sharing service mail server are caught as phishing email and quarantined. I have to manually release them.
How do I make an exception to this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi @Ron-6928,
Just checking in to see if above information was helpful. Please let us know if you would like further assistance.
If the question has been answered, please accept the helpful reply as the answer to the question to help other community members.
Thanks for your understanding.
Yea, you can add:
user @ my-domain dot com,148.163.128.0/19
to cover all the possibilities or
user @ my-domain dot com,sendingdomain.com
if sendingdomain.com covers all the sending IP addresses.
You can look at their SPF record to determine that.
Create an allow in the tenant allow/block list:
Spoof type would be internal
I'm manually adding an entry in the Tenant Allow/Block Lists.
In the domain pairs, would this be correct? user @ my-domain dot com, a.b.c.d
Where a.b.c.d is the file sharing SMTP server that sends us notification email.
So far I've only found 2 IP addresses: 148.163.152.22 and 148.163.148.40. This means I will have to find all SMTP server IP addresses or add an entire (/19) subnet to add spoofing exception?
NetRange: 148.163.128.0 - 148.163.159.255
CIDR: 148.163.128.0/19
I didn't think of using their domain (SPF record). I looked it up and sure enough their SPF does contain the 2 IPs I mentioned earlier. I'm not comfortable whitelisting the entire huge subnet. I'll use their domain name instead. I'll just have to wait until my users sends files to our clients to make sure they don't get quarantined.
Thanks much for your help.
Update
I added the following pairs (Allow):
internal email address, sender's domain
Email is still getting caught and quarantined. I don't think it works.
I looked up sender's domain MX record. It points to the 2 IPs I mentioned the other day (148.163.152.22 and 148.163.148.40).