Anti-spoofing protection in EOP


Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP includes features to help protect your organization from spoofed (forged) senders.

When it comes to protecting its users, Microsoft takes the threat of phishing seriously. Spoofing is a common technique that's used by attackers. Spoofed messages appear to originate from someone or somewhere other than the actual source. This technique is often used in phishing campaigns that are designed to obtain user credentials. The anti-spoofing technology in EOP specifically examines forgery of the From header in the message body (used to display the message sender in email clients). When EOP has high confidence that the From header is forged, the message is identified as spoofed.

The following anti-spoofing technologies are available in EOP:

  • Email authentication: An integral part of any anti-spoofing effort is the use of email authentication (also known as email validation) by SPF, DKIM, and DMARC records in DNS. You can configure these records for your domains so destination email systems can check the validity of messages that claim to be from senders in your domains. For inbound messages, Microsoft 365 requires email authentication for sender domains. For more information, see Email authentication in Microsoft 365.

    EOP analyzes and blocks messages that can't be authenticated by the combination of standard email authentication methods and sender reputation techniques.

    The EOP anti-spoofing checks

  • Spoof intelligence insight: Review spoofed messages from senders in internal and external domains during the last 7 days, and allow or block those senders. For more information, see Spoof intelligence insight in EOP.

  • Allow or block spoofed senders in the Tenant Allow/Block List: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the Spoofed senders tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see Manage the Tenant Allow/Block List in EOP.

  • Anti-phishing policies: In EOP and Microsoft Defender for Office 365, anti-phishing policies contain the following anti-spoofing settings:

    • Turn spoof intelligence on or off.
    • Turn unauthenticated sender indicators in Outlook on or off.
    • Specify the action for blocked spoofed senders.

    For more information, see Spoof settings in anti-phishing policies.

    Note: Anti-phishing policies in Defender for Office 365 contain addition protections, including impersonation protection. For more information, see Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365.

  • Spoof detections report: For more information, see Spoof Detections report.

    Note: Defender for Office 365 organizations can also use Real-time detections (Plan 1) or Threat Explorer (Plan 2) to view information about phishing attempts. For more information, see Microsoft 365 threat investigation and response.

How spoofing is used in phishing attacks

Spoofing messages have the following negative implications for users:

  • Spoofed messages deceive users: A spoofed message might trick the recipient into clicking a link and giving up their credentials, downloading malware, or replying to a message with sensitive content (known as a business email compromise or BEC).

    The following message is an example of phishing that uses the spoofed sender

    Phishing message impersonating

    This message didn't come from, but the attacker spoofed the From header field to make it look like it did. This was an attempt to trick the recipient into clicking the change your password link and giving up their credentials.

    The following message is an example of BEC that uses the spoofed email domain

    Phishing message - business email compromise.

    The message looks legitimate, but the sender is spoofed.

  • Users confuse real messages for fake ones: Even users who know about phishing might have difficulty seeing the differences between real messages and spoofed messages.

    The following message is an example of a real password reset message from the Microsoft Security account:

    Microsoft legitimate password reset.

    The message really did come from Microsoft, but users have been conditioned to be suspicious. Because it's difficult to the difference between a real password reset message and a fake one, users might ignore the message, report it as spam, or unnecessarily report the message to Microsoft as phishing.

Different types of spoofing

Microsoft differentiates between two different types of spoofed messages:

  • Intra-org spoofing: Also known as self-to-self spoofing. For example:

    • The sender and recipient are in the same domain:


    • The sender and the recipient are in subdomains of the same domain:


    • The sender and recipient are in different domains that belong to the same organization (that is, both domains are configured as accepted domains in the same organization):

      From: sender @
      To: recipient @

      Spaces are used in the email addresses to prevent spambot harvesting.

    Messages that fail composite authentication due to intra-org spoofing contain the following header values:

    Authentication-Results: ... compauth=fail reason=6xx

    X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.11

    • reason=6xx indicates intra-org spoofing.

    • SFTY is the safety level of the message. 9 indicates phishing, .11 indicates intra-org spoofing.

  • Cross-domain spoofing: The sender and recipient domains are different, and have no relationship to each other (also known as external domains). For example:


    Messages that fail composite authentication due to cross-domain spoofing contain the following headers values:

    Authentication-Results: ... compauth=fail reason=000/001

    X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.22

    • reason=000 indicates the message failed explicit email authentication. reason=001 indicates the message failed implicit email authentication.

    • SFTY is the safety level of the message. 9 indicates phishing, .22 indicates cross-domain spoofing.


If you've gotten a message like compauth=fail reason=### and need to know about composite authentication (compauth), and the values related to spoofing, see Anti-spam message headers in Microsoft 365. Or go directly to the reason codes.

For more information about DMARC, see Use DMARC to validate email in Microsoft 365.

Problems with anti-spoofing protection

Mailing lists (also known as discussion lists) are known to have problems with anti-spoofing due to the way they forward and modify messages.

For example, Gabriela Laureano ( is interested in bird watching, joins the mailing list, and sends the following message to the list:

From: "Gabriela Laureano" <>
To: Birdwatcher's Discussion List <>
Subject: Great viewing of blue jays at the top of Mt. Rainier this week

Anyone want to check out the viewing this week from Mt. Rainier?

The mailing list server receives the message, modifies its content, and replays it to the members of list. The replayed message has the same From address (, but a tag is added to the subject line, and a footer is added to the bottom of the message. This type of modification is common in mailing lists, and may result in false positives for spoofing.

From: "Gabriela Laureano" <>
To: Birdwatcher's Discussion List <>
Subject: [BIRDWATCHERS] Great viewing of blue jays at the top of Mt. Rainier this week

Anyone want to check out the viewing this week from Mt. Rainier?

This message was sent to the Birdwatchers Discussion List. You can unsubscribe at any time.

To help mailing list messages pass anti-spoofing checks, do following steps based on whether you control the mailing list:

If all else fails, you can report the message as a false positive to Microsoft. For more information, see Report messages and files to Microsoft.

Considerations for anti-spoofing protection

If you're an admin who currently sends messages to Microsoft 365, you need to ensure that your email is properly authenticated. Otherwise, it might be marked as spam or phishing. For more information, see Solutions for legitimate senders who are sending unauthenticated email.

Senders in an individual user's (or admin's) Safe Senders list will bypass parts of the filtering stack, including spoof protection. For more information, see Outlook Safe Senders.

Admins should avoid (when possible) using allowed sender lists or allowed domain lists. These senders bypass all spam, spoofing, and phishing protection, and also sender authentication (SPF, DKIM, DMARC). For more information, see Use allowed sender lists or allowed domain lists.