Introduction
In this post we'll look at a hot topic: how do you block email sent from your own
domain but not by your email server, i.e. email from someone spoofing your email
domain? This will work for Exchange 2010, 2013 and 2016.
We'll also block spoofed email for other domains.
In the above screenshot, there are no anti-spam transport agents listed because they're
not installed. Once they are installed, we should expect to see new transport agents such
as Sender Filter Agent and Sender Id Agent.
To go ahead and install the Anti-Spam agents, run the command below on your mailbox
server in Exchange 2013 or 2016 or your hub transport server in Exchange 2010:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
Some domains have not got their SPF records configured correctly: they publish an SPF
hard fail but actually send some email from IPs not included on the SPF record. To get
around this, you can set these domains to bypass the SenderID checks:
Set-SenderIdConfig -BypassedSenderDomains contoso.com,tailspintoys.com
For more information about how to send email using PowerShell, see here. The error
we get is:
The server response was: 5.7.1 Sender ID (PRA) Not Permitted
...and the email was rejected! Great! Now spoofed email from your domain is
blocked and spoofed email from other domains is blocked if they have an SPF record
configured with a hard fail.
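The part 1 configuration as one Exchange Management Shell sequence. This is an added example, not the author's script; it assumes the HardFail rejection is set with Set-SenderIdConfig -SpoofedDomainAction Reject and reuses the sample bypass domains shown above.

```powershell
# Added example: run on the server where Install-AntiSpamAgents.ps1 was executed.
# contoso.com and tailspintoys.com are the sample domains used in this post.

# Newly installed transport agents only load after the transport service restarts.
Restart-Service MSExchangeTransport

# Confirm the Sender ID agent is present and enabled before relying on it.
$agent = Get-TransportAgent -Identity 'Sender Id Agent' -ErrorAction SilentlyContinue
if (-not $agent -or -not $agent.Enabled) {
    throw 'Sender Id Agent is missing or disabled; SPF HardFails will not be rejected.'
}

# Reject mail that fails the Sender ID check (SPF HardFail) at SMTP time.
# -BypassedSenderDomains sets the whole list, so include every domain that
# should skip the check, not only the one being added.
Set-SenderIdConfig -Enabled $true `
    -SpoofedDomainAction Reject `
    -BypassedSenderDomains contoso.com,tailspintoys.com

# Review the effective settings. TempErrorAction controls what happens when
# the SPF lookup itself fails (DNS timeout), which is separate from a HardFail.
Get-SenderIdConfig |
    Format-List Enabled,SpoofedDomainAction,TempErrorAction,BypassedSenderDomains,
                ExternalMailEnabled,InternalMailEnabled
```

Keep the bypass list short and review it periodically: every domain on it is exempt from the spoofing check for as long as it stays there.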
Conclusion
In this post, I've demonstrated how to configure Exchange 2010, 2013 or 2016 to reject
spoofed email for your domain and other domains. This is done by blocking SPF
HardFails.
In part 2, I'll demonstrate how to block emails that are from domains that are not
configured with an SPF HardFail but as SoftFail instead.
Posted by Mark Gossa at 01:00
Introduction
In part 1, I demonstrated how to set up Exchange to block spoofed email where the
sending domain has a valid SPF record using the -all mechanism (HardFail).
So, what happens when you want to block or identify SoftFails also? I'll show you how
to do this in these instructions.
First, make sure that you have gone through at least these steps from part 1 before
continuing:
Create an SPF record for your domain configured with a hard fail
Now that you've done that, we can continue. We'll break these instructions down into
three steps:
How to block or mark an SPF soft fail email in Exchange 2013 or 2016
permitted sender)
As you can see from the message headers, this is a SoftFail. The reason we can't use
the Exchange SenderID Transport Agent to block this as we did in part 1 is because it
doesn't have an option to reject an SPF SoftFail like it can do for a HardFail.
So, we can't use the SenderID agent but we can create an Exchange Transport Rule to
review the message headers for us and look for SoftFail in the Received-SPF header.
I'll demonstrate how to create this rule in Exchange 2010 - 2016 below.
Give your new transport rule a name such as "SPF SoftFail" and click Next:
On the next screen, select when the message header contains specific words:
Click on message header in the bottom pane, enter Received-SPF and click OK:
Now, click on specific words in the bottom pane, enter SoftFail, click Add then click
OK:
Also tick the option from users that are inside or outside the organization and select
Outside the organization. You should now see that this transport rule applies to
messages when the Received-SPF header contains SoftFail and the message is from a
sender outside the organization. Limiting the rule to external senders prevents actions
being taken for internal email relayed from servers that don't have an IP included on the
SPF record for your domain:
Go ahead and click Next. You're now prompted with a list of actions to choose to apply
to the email. You can apply any action you like such as:
prepend message subject with string (to notify the recipient that this email could
be potentially harmful)
send rejection message to sender with enhanced status code (reject the
message with custom error)
I'll demonstrate how to prepend a string to the subject line and also how to reject the
email.
To prepend the message subject with the string POTENTIAL SPAM (SPF SoftFail) to
notify users that they should be vigilant when opening this email, tick "prepend message
subject with string" and enter your custom string in the bottom pane as below:
If you want to block the email instead of prepending a string to the subject line then in
the actions window, instead of selecting prepend message subject with, select send
rejection message to sender with enhanced status code:
Create a rejection message such as SPF SoftFail and select an enhanced status code
such as "5.7.1":
Click on the + icon then click on Create a new rule and provide a name for your new
rule such as SPF SoftFail:
Then click on Enter text patterns and enter SoftFail then the + icon then click OK:
We need to ensure that this rule only applies to external senders so we need to add a
condition that the senders are outside the organization. This prevents problems with
printers or other servers that are relaying through Exchange without having their IPs on
the SPF record (if you're using an SPF SoftFail on your record). To do this, click on add
condition and select The sender... > is external/internal:
We can now select an action for the message. As with the Exchange 2010 instructions,
I'll demonstrate how to prepend a string to the message subject and also how to reject
the email:
To prepend a string to the message subject, select prepend the subject of the message
with... (funnily enough!) and enter the text you want to add to the beginning of the
subject line such as POTENTIAL SPAM (SPF SoftFail) then click OK then Save:
If you would rather reject this email then instead of selecting the action prepend the
subject of the message with, select Block the message... > reject the message with
the explanation and enter an explanation such as SPF SoftFail:
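The same SoftFail rule can be created from the Exchange Management Shell instead of the GUI. This is an added example, not part of the original post; the $Mode variable is a hypothetical switch introduced here to choose between the two actions described above.

```powershell
# Added example: builds the "SPF SoftFail" transport rule described above.
# $Mode is hypothetical: 'Tag' prepends the subject, 'Reject' bounces the mail.
$Mode     = 'Tag'
$RuleName = 'SPF SoftFail'

# Conditions from the walkthrough: the Received-SPF header contains "SoftFail"
# and the sender is outside the organization, so internal devices relaying
# through Exchange are not caught by the rule.
$rule = @{
    Name                        = $RuleName
    HeaderContainsMessageHeader = 'Received-SPF'
    HeaderContainsWords         = 'SoftFail'
    FromScope                   = 'NotInOrganization'
}

switch ($Mode) {
    'Tag' {
        # Trailing space keeps the tag separate from the original subject.
        $rule.PrependSubject = 'POTENTIAL SPAM (SPF SoftFail) '
    }
    'Reject' {
        $rule.RejectMessageReasonText         = 'SPF SoftFail'
        $rule.RejectMessageEnhancedStatusCode = '5.7.1'
    }
    default { throw "Unknown mode '$Mode'; use Tag or Reject." }
}

# Refuse to create a second rule with the same name.
if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
    throw "Transport rule '$RuleName' already exists; remove or rename it first."
}

New-TransportRule @rule

# Show what was actually stored so the conditions can be checked.
Get-TransportRule -Identity $RuleName |
    Format-List Name,State,Priority,FromScope,HeaderContainsMessageHeader,
                HeaderContainsWords,PrependSubject,RejectMessageReasonText
```

Starting with 'Tag' and reviewing which senders get marked is a low-risk way to find legitimate senders with SoftFail records before switching to 'Reject'.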
Conclusion
In part 2, I've demonstrated how to block or notify the end user of emails that fail the
SPF checks but cause a SoftFail rather than a HardFail.
In an upcoming post, I'll show you how to only accept emails from particular domains if
they pass the SPF check.
Introduction
In this post, I'll show you how to partially enable SPF checks by requiring that the
SenderID/SPF check is a pass for incoming email from a specified list of domains in
Exchange 2013 and Exchange 2016. This is particularly useful if you receive legitimate
email from financial institutions or other organizations which may request sensitive
information and where these domains are often spoofed but you don't yet want to reject
all email that fails the SPF check.
SPF is not a new way of detecting spoofed email but SenderID/SPF checks on
incoming mail have not yet been enabled by many of the mail servers across the internet.
This may be due to a lack of understanding or confidence in the system. If this includes
you then have a read of these posts to get a better understanding:
Ensure that you have completed these steps from How to prevent spoofed email part 1
before continuing:
Next, click on the + icon, select create a new rule and provide a name for your new rule
like Require SPF Pass:
Once done, click on More options to make the additional conditions and options
visible. We will apply the rule if the sender's domain is contoso.com or tailspintoys.com.
Click on the Apply this rule if drop down and select the sender's domain is then
add your domains in the list:
Click OK. In this next part we'll configure an action for email that is not an SPF pass.
You can select one of many actions:
Prepend the subject of the message with a string (to notify the user that this
email is not from a trusted source)
In this example, we'll block the message without sending an NDR to the sender. If you
go with this approach, ensure that this sender is always sending email from IPs on their
SPF record otherwise you will start to reject legitimate email. If they are not then it's
best to go with one of the less drastic approaches above.
Under the do the following heading, select Block the message... > delete the message
without notifying anyone as below:
Now this blocks all messages from tailspintoys.com and contoso.com originating from
outside the organization. We now want to make an exception so that we allow only
those emails that have a Pass in the Received-SPF header field. To do this, click on
add exception then select A message header... > matches these text patterns
Click on Enter text and enter Received-SPF to provide the header name:
Click OK then click on Enter text patterns. Set the text pattern to "Pass " (yes, there
is a space after the word Pass) then click the + icon:
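The "Require SPF Pass" rule expressed as Exchange Management Shell commands. This is an added example, not from the original post; it goes one step beyond the walkthrough by creating the rule in audit mode first, so the silent delete only takes effect after the results have been reviewed.

```powershell
# Added example: Exchange 2013/2016 Management Shell.
# contoso.com and tailspintoys.com are the sample domains used in this post.
$RuleName = 'Require SPF Pass'
$Domains  = 'contoso.com','tailspintoys.com'

$rule = @{
    Name           = $RuleName
    # Condition: mail claiming to come from one of the listed domains...
    SenderDomainIs = $Domains
    # ...and arriving from outside the organization.
    FromScope      = 'NotInOrganization'
    # Action: delete without sending an NDR to the sender.
    DeleteMessage  = $true
    # Exception: let the message through when Received-SPF shows a pass.
    # The pattern is "Pass" followed by a space, as in the walkthrough.
    ExceptIfHeaderMatchesMessageHeader = 'Received-SPF'
    ExceptIfHeaderMatchesPatterns      = 'Pass '
    # Audit mode (an addition to the post): the rule is evaluated and logged
    # but the delete action is not enforced yet.
    Mode           = 'Audit'
}

New-TransportRule @rule

# Check the stored conditions, action and exception.
Get-TransportRule -Identity $RuleName |
    Format-List Name,State,Mode,SenderDomainIs,FromScope,DeleteMessage,
                ExceptIfHeaderMatchesMessageHeader,ExceptIfHeaderMatchesPatterns

# After confirming that these senders' legitimate mail consistently passes
# SPF, switch the rule from auditing to enforcing:
# Set-TransportRule -Identity $RuleName -Mode Enforce
```

Because the action is a silent delete, neither the sender nor the recipient is told when a message is dropped, which is why the rule is left in audit mode until the listed domains are known to send only from IPs on their SPF records.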
Conclusion
In this post, I've demonstrated how to set up a new transport rule in Exchange to ensure
email from particular domains is only delivered if it passes the SPF checks.