I'm sure this type of question has been answered already so I apologize in advance, but I can't seem to find anything. I have SPF, DKIM, DMARC all set up so I'm not worried about outgoing spam, but I have incoming spam coming through that's clearly spam when looking at the headers.
Are there good transport rules to block when authentication fails, the smtp.mailfrom and From are different, and the To field is not the recipient? Also the Subject and the From are getting encoded, which might be how it's getting past basic spam filtering.
This seems like it should be easy, but I can't find anything…
From: =?utf-8?Q?=C6=8Aropbox?= <shared@onlineconnect.dpbox.com>
Return Path: mjw@nutra-balance-products.com
Message ID: <1518007996.63064545@webmail.emailsrvr.com>
To: <me@dropbox.com>
Authentication-Results: spf=none (sender IP is 173.203.187.93) smtp.mailfrom=nutra-balance-products.com; mysitehere.com; dkim=none (message not signed) header.d=none;mysitehere.com; dmarc=none action=none header.from=onlineconnect.dpbox.com;
Subject: =?utf-8?Q?New_document_shared_-_=28investment-2018-en.pdf=29?= which decodes to New document shared - (investment-2018-en.pdf)
Best Answer
The mismatch between Return-Path (envelope sender) and From: doesn't necessarily indicate spam and shouldn't be used as an explicit rule for blocking any messages. For example, we could have a situation where a mailing list forwards messages for its subscribers. The mailing list can't change the behavior of SPF for the original sender and it should not modify the From: header specifying (RFC 4021, 2.1.2) the author(s) of the message. Therefore, it must change the envelope sender in order to pass the SPF test on the recipient side.
On the other hand, Office 365 mail flow rules aren't designed for doing such comparisons; you can for example compare senders with their location (inside / outside tenant) or bypass filtering for trusted external servers. These are for addressing more specific problems, where heuristics fail.
If you think you only receive legitimate mails from senders that have SPF/DKIM/DMARC set, you could e.g. add a rule that alters the Spam Confidence Level (SCL) based on Authentication-Results containing spf=none and dkim=none. Depending on your situation it may cause false positives.
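The following is an added example, not part of the answer above and not Office 365 code. It is a stand-alone Python stand-in for the logic the answer suggests: decode the RFC 2047 encoded From: and Subject: from the question, parse the Authentication-Results header into method=result pairs, and raise the score only when both spf=none and dkim=none, while reporting the Return-Path/From: mismatch as information rather than as a block reason. The first sample is built from the headers quoted in the question; the second is a constructed mailing-list case with placeholder domains that shows why the mismatch alone must not trigger a block. The recipient address user@mysitehere.com is an assumption based on the authserv-id in the question's headers.

```python
"""Added example: score an inbound message on the signals discussed above.

Not Office 365 code; a stand-alone Python stand-in for the mail flow rule
the answer suggests (raise SCL when Authentication-Results shows spf=none
and dkim=none). The Return-Path/From: mismatch is reported only as
information, as the answer recommends.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the question.
SPAM_SAMPLE = """\
From: =?utf-8?Q?=C6=8Aropbox?= <shared@onlineconnect.dpbox.com>
Return-Path: <mjw@nutra-balance-products.com>
Message-ID: <1518007996.63064545@webmail.emailsrvr.com>
To: <me@dropbox.com>
Authentication-Results: spf=none (sender IP is 173.203.187.93) smtp.mailfrom=nutra-balance-products.com; mysitehere.com; dkim=none (message not signed) header.d=none;mysitehere.com; dmarc=none action=none header.from=onlineconnect.dpbox.com;
Subject: =?utf-8?Q?New_document_shared_-_=28investment-2018-en.pdf=29?=

(body omitted)
"""

# Constructed sample of the legitimate case the answer describes: a mailing
# list rewrites the envelope sender, so Return-Path and From: differ, but the
# list's own SPF and DKIM pass. All domains here are placeholders.
LIST_SAMPLE = """\
From: Alice <alice@example.org>
Return-Path: <bounces@lists.example.net>
To: <user@mysitehere.com>
Authentication-Results: mysitehere.com; spf=pass smtp.mailfrom=lists.example.net; dkim=pass header.d=lists.example.net; dmarc=none header.from=example.org
Subject: [list] weekly digest

(body omitted)
"""


def decode_rfc2047(value):
    """Turn a header value with =?charset?enc?...?= encoded words into text."""
    if not value:
        return ""
    return str(make_header(decode_header(value)))


def domain_of(address_header):
    """Return the lower-cased domain of the first address in a header."""
    _name, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header):
    """Extract method=result pairs (spf, dkim, dmarc) from Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or ""))


def evaluate(raw_message, recipient):
    """Report the signals from the question and the decision from the answer."""
    msg = message_from_string(raw_message)
    name, _addr = parseaddr(msg["From"] or "")
    display_name = decode_rfc2047(name)
    auth = parse_auth_results(msg["Authentication-Results"])
    to_addr = parseaddr(msg["To"] or "")[1].lower()
    return {
        "display_name": display_name,
        "subject": decode_rfc2047(msg["Subject"]),
        "auth": auth,
        # Informational only: the answer explains why this alone is not spam.
        "envelope_from_mismatch": domain_of(msg["Return-Path"]) != domain_of(msg["From"]),
        "to_mismatch": to_addr != recipient.lower(),
        # Encoded display names can hide look-alike characters from a plain text filter.
        "non_ascii_display_name": any(ord(c) > 127 for c in display_name),
        # The rule the answer suggests: raise SCL when both SPF and DKIM are absent.
        "raise_scl": auth.get("spf") == "none" and auth.get("dkim") == "none",
    }


if __name__ == "__main__":
    for label, sample in (("spam-like", SPAM_SAMPLE), ("mailing list", LIST_SAMPLE)):
        print(label, evaluate(sample, recipient="user@mysitehere.com"))
```

Running it shows the spam-like sample with the decoded display name (a non-ASCII look-alike of "Dropbox"), all three authentication results at none and raise_scl set, while the mailing-list sample has the same Return-Path/From: mismatch but passes SPF and DKIM, so raise_scl stays off.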