Spoofing Exception

Ron-6928 31 Reputation points
2023-11-27T20:02:37.54+00:00

I'm an Exchange Online admin. I got all SPF, DMARC, DKIM configured correctly for the company domain (call it: my-domain dot com).

Some of our employees use a third-party file sharing service to send documents to the client. The service sends out a notification email to the client as well as the user (user @ my-domain dot com). It keeps getting quarantined because the email comes from us to us.

From: user @ my-domain dot com

To: user @ my-domain dot com

Our DMARC rule is set to p=quarantine. All email that comes from the file sharing service's mail server is caught as phishing email and quarantined. I have to manually release them.

How do I make an exception to this?


Accepted answer
  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2023-11-28T17:22:22.5+00:00

    Yea, you can add:

    user @ my-domain dot com,148.163.128.0/19

    to cover all the possibilities or

    user @ my-domain dot com,sendingdomain.com

    if sendingdomain.com covers all the sending IP addresses.

    You can look at their SPF record to determine that.


5 additional answers

  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2023-11-27T20:34:30.3266667+00:00

  2. Ron-6928 31 Reputation points
    2023-11-28T17:14:44.5233333+00:00

    I'm manually adding an entry in the Tenant Allow/Block Lists.


    In the domain pairs, would this be correct? user @ my-domain dot com, a.b.c.d

    Where a.b.c.d is the file sharing SMTP server that sends us notification email.

    So far I've only found 2 IP addresses: 148.163.152.22 and 148.163.148.40. This means I will have to find all SMTP server IP addresses or add an entire (/19) subnet to add a spoofing exception?

    NetRange: 148.163.128.0 - 148.163.159.255

    CIDR: 148.163.128.0/19


  3. Ron-6928 31 Reputation points
    2023-11-28T18:14:59.17+00:00

    I didn't think of using their domain (SPF record). I looked it up and sure enough their SPF does contain the 2 IPs I mentioned earlier. I'm not comfortable whitelisting the entire huge subnet. I'll use their domain name instead. I'll just have to wait until my users send files to our clients to make sure they don't get quarantined.

    Thanks much for your help.

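Added example, not part of the thread: a Python check of the SPF lookup suggested in the accepted answer, comparing how many addresses the SPF-listed ranges authorise against the 148.163.128.0/19 entry for the two observed IPs. The SPF string, `_spf.example.net`, and the function names are constructed for illustration; the real record has to be read from the sending service's DNS.

```python
import ipaddress

# Constructed SPF record for the sending service; read the real one from its DNS TXT record.
SAMPLE_SPF = "v=spf1 ip4:148.163.152.22 ip4:148.163.148.40 include:_spf.example.net -all"
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr")


def spf_networks(record):
    """Return (networks, unresolved) for one SPF record.

    networks: ip4/ip6 ranges the record passes. unresolved: terms that need
    further DNS lookups (include, a, mx, ...) and so are not expanded here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, unresolved = [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        name, _, value = body.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            if qualifier == "+":  # only a pass qualifier authorises the range
                networks.append(ipaddress.ip_network(value, strict=False))
        elif name.split("/")[0] in LOOKUP_TERMS or name.startswith("redirect="):
            unresolved.append(term)
    return networks, unresolved


def compare_scopes(observed_ips, networks, broad_cidr):
    """Compare the SPF-listed ranges with a broad CIDR allow entry."""
    broad = ipaddress.ip_network(broad_cidr)
    ips = [ipaddress.ip_address(ip) for ip in observed_ips]
    return {
        "missing_from_spf": [str(ip) for ip in ips if not any(ip in n for n in networks)],
        "missing_from_cidr": [str(ip) for ip in ips if ip not in broad],
        "spf_address_count": sum(n.num_addresses for n in networks),
        "cidr_address_count": broad.num_addresses,
    }


if __name__ == "__main__":
    nets, pending = spf_networks(SAMPLE_SPF)
    print(compare_scopes(["148.163.152.22", "148.163.148.40"], nets, "148.163.128.0/19"))
    print("needs further lookup:", pending)
```

Any term returned in the unresolved list has to be looked up and run through the same function before concluding that the SPF record covers every sending address.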

  4. Ron-6928 31 Reputation points
    2023-12-05T15:34:21.4833333+00:00

    Update

    I added the following pairs (Allow):

    internal email address, sender's domain

    Email is still getting caught and quarantined. I don't think it works.

    I looked up sender's domain MX record. It points to the 2 IPs I mentioned the other day (148.163.152.22 and 148.163.148.40).

