O365 External Sender Disclaimer Message

Brad 21 Reputation points

In the O365 Exchange rules the "External Sender Disclaimer Message" has a section that allows you to enter the "except if" section and enter the sender's email address.

I'm concerned that the sender's email address could be spoofed.

My question is: What, if anything, is done to verify the sender's identity prior to delivery to my organization?
Is the sender's domain verified?
Is a reverse MX lookup performed to verify the email came from an authorized system for the sending domain?

Any links provided would be appreciated.
Thank you in advance.


Accepted answer
  1. Andy David - MVP 141.1K Reputation points MVP

    What email address are you entering there?
    If it's an external email address, then yes it could be spoofed. You will want to make sure that you have SPF, DKIM and DMARC set up for your 365 tenant.


    If you don't want an external email sender to get the disclaimer on their messages, consider creating a new rule with a HIGHER priority than the disclaimer rule instead.
    For that rule, allow the messages if they pass DMARC from that sender and stop processing further rules so the disclaimer is not added.



1 additional answer

  1. Brad 21 Reputation points

    The email address would be the external sender's address, which I would not use without additional checks, which is why I was looking for suggestions.

    I had not realized that we could use the "Authentication-Results" to verify DMARC, SPF, DKIM or the compauth option (below).

    compauth Composite authentication result. Used by Microsoft 365 to combine multiple types of authentication such as SPF, DKIM, DMARC, or any other part of the message to determine whether or not the message is authenticated. Uses the From: domain as the basis of evaluation.

    Here is another link I found based on your response.

    Thanks. More than answered my question.
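
The check discussed in this thread, as an added example that is not part of the original posts and is not Exchange's own rule engine: it models the decision the higher-priority rule would make, skipping the disclaimer only when an exempt sender's message also authenticated as that sender's domain. The allow-list, the sample messages, and the choice to require both `dmarc=pass` and `compauth=pass` are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of external senders exempt from the disclaimer.
EXEMPT_SENDERS = {"billing@partner.example"}

def auth_results(header):
    """Parse 'method=result key=value ...' clauses into {method: {...}}."""
    header = re.sub(r"\([^)]*\)", "", header)  # drop (comments)
    parsed = {}
    for clause in header.split(";"):
        pairs = re.findall(r"([\w.]+)=([^\s;]+)", clause.lower())
        if pairs:
            method, result = pairs[0]
            parsed[method] = dict(pairs[1:], result=result)
    return parsed

def skip_disclaimer(raw_message):
    """True only if the sender is exempt AND the message authenticated as that domain."""
    msg = message_from_string(raw_message)
    # Assumption: the top-most Authentication-Results header is the one stamped
    # by the receiving service; copies added upstream must not be trusted.
    results = auth_results(msg.get("Authentication-Results", ""))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    dmarc = results.get("dmarc", {})
    return (sender in EXEMPT_SENDERS
            and dmarc.get("result") == "pass"
            and dmarc.get("header.from") == domain
            and results.get("compauth", {}).get("result") == "pass")

def sample(from_addr, results):
    """Build a constructed test message (not real mail)."""
    return (f"Authentication-Results: {results}\n"
            f"From: {from_addr}\nSubject: invoice\n\nbody\n")

PASS = ("spf=pass (sender IP is 203.0.113.10) smtp.mailfrom={d}; "
        "dkim=pass (signature was verified) header.d={d}; "
        "dmarc=pass action=none header.from={d}; compauth=pass reason=100")
FAIL = ("spf=fail (sender IP is 198.51.100.7) smtp.mailfrom={d}; "
        "dkim=none (message not signed) header.d=none; "
        "dmarc=fail action=none header.from={d}; compauth=fail reason=000")
GENUINE = sample("Billing <billing@partner.example>", PASS.format(d="partner.example"))
SPOOFED = sample("billing@partner.example", FAIL.format(d="partner.example"))
UNLISTED = sample("someone@other.example", PASS.format(d="other.example"))

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOFED", "UNLISTED"):
        print(name, "skip disclaimer:", skip_disclaimer(globals()[name]))
```

A spoofed message carrying the exempt address in `From:` still receives the disclaimer here, because the exemption depends on the authentication verdict and not on the address alone.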