
Block spoofed email - Part 1 | Exchange 2010 - 2016

Introduction
In this post we'll look at a hot topic: how do you block email sent from your own domain but not by your email server, i.e. email from someone spoofing your email domain? This will work for Exchange 2010, 2013 and 2016.
We'll also block spoofed email for other domains.

How to block spoofed email from your domain


We'll go through these steps:

Create an SPF record for your domain configured with a HardFail

Configure the InternalSMTPServers property on your transport servers

Install the Anti-Spam agents on Exchange

Configure SenderID filtering to reject emails that fail SPF checks

Test SenderID Agent

Create an SPF record for your domain configured with a HardFail


An SPF record is a TXT record in DNS that begins with v=spf1. It includes a list of IPs that the sending domain owner has specified as permitted to send email for that domain, and it also informs the recipient mail server what to do if an email is received from an IP that is not on the permitted senders list.
Create an SPF record for your domain by following the instructions here. Make sure you set your SPF record to prohibit all sending IPs that are not specified by using the -all mechanism at the end of the SPF record.
Your SPF record should look something like this:

v=spf1 ip4:95.59.2.21 ip4:95.59.2.22 ip4:195.168.1.0/28 mx -all


This simple SPF record states that the MX records and the additional IPs that are listed
are allowed to send email for your domain.
Note the -all mechanism at the end of the record. This is important as you will see later
when we come to configuring the SenderID Agent on Exchange.
If you are using split DNS then you need to ensure that you configure your SPF record
on both your external DNS forward lookup zone and your internal DNS forward lookup
zone.
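The following is an added example (not part of the original post) that checks the two things this section asks for: that the SPF record resolves from both the external and the internal DNS when split DNS is in use, and that it ends with -all. The domain name and the resolver addresses are assumptions; Resolve-DnsName is the built-in DnsClient cmdlet.

```powershell
# Added example (not from the original post). Checks that a domain's SPF record is
# published on both the external and the internal DNS (split DNS) and that it ends
# with -all. The domain and the resolver addresses are assumptions; replace them.
$Domain           = 'litwareinc.com'
$ExternalResolver = '8.8.8.8'     # any public resolver
$InternalResolver = '10.2.0.5'    # your internal DNS server (assumed address)

function Get-SpfRecord {
    param([string]$Name, [string]$Server)
    # A TXT record comes back as a Strings array; records over 255 characters are
    # split into several strings, so join them before looking at the content.
    Resolve-DnsName -Name $Name -Type TXT -Server $Server -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Strings -join '') } |
        Where-Object { $_ -like 'v=spf1*' }
}

foreach ($resolver in @($ExternalResolver, $InternalResolver)) {
    $records = @(Get-SpfRecord -Name $Domain -Server $resolver)
    if ($records.Count -eq 0) {
        Write-Warning "$resolver : no SPF record found for $Domain"
        continue
    }
    if ($records.Count -gt 1) {
        # RFC 7208 allows exactly one v=spf1 record; more than one is a PermError.
        Write-Warning "$resolver : $Domain publishes more than one v=spf1 record"
    }
    $record = $records[0]
    Write-Output "$resolver : $record"
    if ($record -match '\s-all\s*$') {
        Write-Output "  OK: ends with -all (HardFail); SenderID Reject will apply to spoofed mail"
    } elseif ($record -match '\s~all\s*$') {
        Write-Warning "  ends with ~all (SoftFail); the SenderID agent will only stamp, not reject"
    } else {
        Write-Warning "  does not end with -all or ~all; spoofed mail will not hard fail"
    }
}
```

Run it from any domain-joined workstation; if the two resolvers disagree, the internal zone is the one that usually gets forgotten.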

Configure the InternalSMTPServers property on your transport servers


For SenderID filtering, Exchange looks at the client IP for email when working out whether the sending IP is permitted or not. In order for Exchange to differentiate between the IPs of other Exchange servers (or email gateways/smart hosts) and the actual client IP, you need to let Exchange know which IPs to ignore.
For example, if you have two Exchange servers with IPs 10.2.0.21 and 10.2.0.22 and an email gateway on 10.3.0.10, then set your transport configuration using this command on each Exchange server:
Set-TransportConfig -InternalSMTPServers 10.2.0.21,10.2.0.22,10.3.0.10

Install the Anti-Spam agents on Exchange


Our next step is to install the Anti-Spam agents on Exchange if you have not already installed them. If you list the transport agents, you will see which are installed:
Get-TransportAgent

In the above screenshot, there are no anti-spam transport agents listed because they're not installed. We should expect to see new transport agents such as Sender Filter Agent and Sender Id Agent.
To go ahead and install the Anti-Spam agents, run the command below on your mailbox server in Exchange 2013 or 2016 or your hub transport server in Exchange 2010:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

Then restart the Microsoft Exchange Transport Service:


Restart-Service MSExchangeTransport

Now we can confirm that we have additional Transport Agents:


Get-TransportAgent

Configure SenderID filtering to reject emails that fail SPF checks


Our next and final step is to configure Exchange to reject email that fails the SenderID check (SPF) by using the SenderID Transport Agent which we've just installed. Emails that are SPF HardFails fail this SPF check.
When installed, the SenderID agent is enabled but set to only stamp the status of the SPF record check in the message headers, which means it doesn't reject any email. It's also only enabled for external email by default.
For our purposes, we will configure it to reject spoofed domains. This will not only reject spoofed email for our email domain but it will also reject spoofed email for any other domain that has a valid SPF record configured with a HardFail. This is why the hard fail is important, as Exchange and many other mail systems will generally not block a soft fail (but see part 2 for how to do this in Exchange).
Let's go ahead and configure the SenderID agent to block spoofed emails:
Set-SenderIdConfig -SpoofedDomainAction Reject

Some domains have not got their SPF records configured correctly and are recommending an SPF hard fail but are actually sending some email from IPs not included on the SPF record. To get around this, you can set these domains to bypass the SenderID checks:
Set-SenderIdConfig -BypassedSenderDomains contoso.com,tailspintoys.com
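The three configuration steps above (InternalSMTPServers, agent install, SenderID settings) as one Exchange Management Shell script with a verification step at the end. This is an added example, not the post's own script; the IPs and bypassed domains are the post's example values. One difference from the commands above is deliberate: the Add syntax appends to the multivalued properties instead of overwriting whatever is already in them.

```powershell
# Added example (not from the original post): the InternalSMTPServers, anti-spam agent
# and SenderID steps as one Exchange Management Shell script with checks of the result.
# The IPs and the bypassed domains are the post's example values.

# 1. Internal SMTP servers. Passing a plain list replaces the whole property, so look
#    at what is already there and use the Add syntax rather than overwrite it.
(Get-TransportConfig).InternalSMTPServers
Set-TransportConfig -InternalSMTPServers @{Add='10.2.0.21','10.2.0.22','10.3.0.10'}

# 2. Install the anti-spam agents only if the Sender Id Agent is not registered yet,
#    then restart transport so the new agents load.
if (-not (Get-TransportAgent -Identity 'Sender Id Agent' -ErrorAction SilentlyContinue)) {
    & "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
    Restart-Service MSExchangeTransport
}
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# 3. Reject SPF HardFails instead of only stamping the result in the message headers.
Set-SenderIdConfig -SpoofedDomainAction Reject

# 4. Domains with a broken -all record can bypass the check (Add, so existing entries stay).
Set-SenderIdConfig -BypassedSenderDomains @{Add='contoso.com','tailspintoys.com'}

# 5. Verify. Expect Enabled and ExternalMailEnabled True and SpoofedDomainAction Reject.
Get-SenderIdConfig | Format-List Enabled, ExternalMailEnabled, InternalMailEnabled, SpoofedDomainAction, TempErrorAction, BypassedSenderDomains
```

Run it on each transport server in turn; the Get-SenderIdConfig output at the end is what to compare between servers if one of them still lets spoofed mail through.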

Test SenderID Agent


Now, we can demonstrate that this is blocking spoofed email for our domain. First, let's test using the Send-MailMessage cmdlet in PowerShell running from a computer on the internet which has an IP which is not listed on the SPF record:
Send-MailMessage -To administrator@litwareinc.com -From administrator@litwareinc.com -Subject "Testing email server SenderID Filter" -SmtpServer mx1.litwareinc.com

For more information about how to send email using PowerShell, see here. The error we get is:
The server response was: 5.7.1 Sender ID (PRA) Not Permitted
...and the email was rejected! Great! Now spoofed email from your domain is blocked, and spoofed email from other domains is blocked if they have an SPF record configured with a hard fail.

Conclusion
In this post, I've demonstrated how to configure Exchange 2010, 2013 or 2016 to reject spoofed email for your domain and other domains. This is done by blocking SPF HardFails.
In part 2, I'll demonstrate how to block emails that are from domains that are not configured with an SPF HardFail but with a SoftFail instead.
Posted by Mark Gossa at 01:00

Block spoofed email - Part 2 | Exchange 2010 - 2016

Introduction
In part 1, I demonstrated how to set up Exchange to block spoofed email where the sending domain has a valid SPF record using the -all mechanism (HardFail).
So, what happens when you want to block or identify SoftFails also? I'll show you how to do this in these instructions.
First, make sure that you have gone through at least these steps from part 1 before continuing:

Create an SPF record for your domain configured with a hard fail

Configure the InternalSMTPServers property on your transport servers

Install the Anti-Spam agents on Exchange

Now that you've done that, we can continue. We'll break these instructions down into three steps:

SPF results in message headers (how to identify SPF SoftFails)

How to block or mark an SPF soft fail email in Exchange 2010

How to block or mark an SPF soft fail email in Exchange 2013 or 2016

SPF results in message headers (how to identify SPF SoftFails)

Here's an example of a junk email that made it through the SenderID check that we configured in part 1 because it was not actually an SPF HardFail:
Received: from direct-soho-210-158-67.cbn.net.id (210.210.158.67) by
svr01.domain.co.uk (192.168.0.8) with Microsoft SMTP Server id 14.3.224.2;
Wed, 13 Jan 2016 11:36:02 +0000
From: Avril Sparrowhawk <Avril.Sparrowhawk@lescaves.co.uk>
To: "mark@domain.co.uk" <mark@domain.co.uk>
Subject: CWIH8974 PAYMENT RECEIVED
Date: Wed, 13 Jan 2016 18:36:18 +0700
Message-ID: <57B2F503302A134BB06611F503C0E502143C82B4@domain.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.0.0.89]
Content-Type: multipart/mixed;
boundary="_006_57B2F503302A134BB06611F503C0E502143C82B4LCDPMAIL2lescav_"
X-Original-To: accounts@trinityrestaurant.co.uk
X-Virus-Scanned: ClamAV using ClamSMTP
Return-Path: Avril.Sparrowhawk@lescaves.co.uk
MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: svr01.domain.co.uk
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: lescaves.co.uk
X-MS-Exchange-Organization-SenderIdResult: SoftFail
Received-SPF: SoftFail (svr01.domain.co.uk: domain of transitioning
Avril.Sparrowhawk@lescaves.co.uk discourages use of 210.210.158.67 as
permitted sender)

As you can see from the message headers, this is a SoftFail. The reason we can't use the Exchange SenderID Transport Agent to block this as we did in part 1 is that it doesn't have an option to reject an SPF SoftFail like it does for a HardFail.
So, we can't use the SenderID agent, but we can create an Exchange Transport Rule to review the message headers for us and look for SoftFail in the Received-SPF header.
I'll demonstrate how to create this rule in Exchange 2010 - 2016 below.
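When you are going through a batch of saved messages rather than reading one header block by eye, the same check can be scripted. The following is an added example, not part of the original post: it unfolds a pasted header block (continuation lines start with whitespace), pulls out the Received-SPF result and the Exchange SenderID stamps, and reports whether the Sender Id Agent's Reject action would have caught the message. The sample header text is constructed from the post's example above and trimmed to the relevant lines.

```powershell
# Added example (not from the original post): read the SPF/SenderID verdict out of a
# saved message header block, e.g. headers copied from Outlook or an exported .eml.
# The sample below is constructed from the post's example (trimmed).
$sampleHeaders = @'
Received: from direct-soho-210-158-67.cbn.net.id (210.210.158.67) by
 svr01.domain.co.uk (192.168.0.8) with Microsoft SMTP Server id 14.3.224.2;
 Wed, 13 Jan 2016 11:36:02 +0000
From: Avril Sparrowhawk <Avril.Sparrowhawk@lescaves.co.uk>
X-MS-Exchange-Organization-PRD: lescaves.co.uk
X-MS-Exchange-Organization-SenderIdResult: SoftFail
Received-SPF: SoftFail (svr01.domain.co.uk: domain of transitioning
 Avril.Sparrowhawk@lescaves.co.uk discourages use of 210.210.158.67 as
 permitted sender)
'@

function Get-SpfVerdict {
    param([string]$HeaderText)
    # Unfold RFC 5322 continuation lines (a line that starts with whitespace belongs to
    # the previous header) so that every header sits on one line.
    $unfolded = $HeaderText -replace '(\r?\n)[ \t]+', ' '
    # Header name -> value. Repeated headers (Received:) keep the last value, which is
    # enough here because only the Exchange-stamped headers are read back.
    $headers = @{}
    foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -match '^([^:\s]+):\s*(.*)$') { $headers[$matches[1]] = $matches[2] }
    }
    $spf    = $headers['Received-SPF']
    $result = if ($spf -match '^(\w+)') { $matches[1] } else { 'None' }
    $ip     = if ($spf -match '\b(\d{1,3}(?:\.\d{1,3}){3})\b') { $matches[1] } else { $null }
    [pscustomobject]@{
        Result         = $result          # Pass, Fail, SoftFail, Neutral, None, ...
        SenderIdResult = $headers['X-MS-Exchange-Organization-SenderIdResult']
        PRD            = $headers['X-MS-Exchange-Organization-PRD']
        ClientIp       = $ip
        # Only a HardFail ("Fail") is rejected by SpoofedDomainAction Reject; a SoftFail
        # is stamped and delivered, which is why the transport rule is needed.
        AgentRejects   = ($result -eq 'Fail')
    }
}

Get-SpfVerdict -HeaderText $sampleHeaders
```

For the sample above this returns Result SoftFail, ClientIp 210.210.158.67 and AgentRejects False, which is exactly the gap the transport rule in the next two sections closes.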

How to block or mark an SPF SoftFail email in Exchange 2010:

Open up the Exchange Management Console using an account that is a member of the Organization Management group and expand down to Organization Configuration > Hub Transport:

In the right hand pane, click on "New Transport Rule":

Give your new transport rule a name such as "SPF SoftFail" and click Next:

On the next screen, select when the message header contains specific words:

Click on message header in the bottom pane, enter Received-SPF and click OK:

Now, click on specific words in the bottom pane, enter SoftFail, click Add then click
OK:

Also tick the option "from users that are inside or outside the organization" and select "Outside the organization". You should now see that this transport rule applies to messages when the Received-SPF header contains SoftFail and the message is from a sender outside the organization, to prevent actions being taken for internal email relayed from servers that don't have an IP included on the SPF record for your domain:

Go ahead and click Next. You're now prompted with a list of actions to choose to apply to the email. You can apply any action you like such as:

prepend message subject with string (to notify the recipient that this email could
be potentially harmful)

forward the message to addresses for moderation (e.g. to forward to an administrator to check the domain is valid and configure an exception for the domain if needed, then approve the email for delivery to the end user)

redirect the message to addresses (e.g. forward to a spam mailbox)

send rejection message to sender with enhanced status code (reject the
message with custom error)

I'll demonstrate how to prepend a string to the subject line and also how to reject the
email.
To prepend the message subject with the string POTENTIAL SPAM (SPF SoftFail) to
notify users that they should be vigilant when opening this email, tick "prepend message
subject with string" and enter your custom string in the bottom pane as below:

If you want to block the email instead of prepending a string to the subject line, then in the actions window, instead of selecting "prepend message subject with string", select "send rejection message to sender with enhanced status code":

Create a rejection message such as SPF SoftFail and select an enhanced status code such as "5.7.1":

Once done, complete the wizard, selecting the defaults.

If you've chosen to prepend a string to the subject line, then SPF SoftFail emails will be marked like this email:

How to block or mark an SPF SoftFail email in Exchange 2013 or 2016:

Log into the Exchange Admin Center using an admin account that is a member of the Organization Management group, then click on mail flow, then rules:

Click on the + icon then click on Create a new rule and provide a name for your new
rule such as SPF SoftFail:

Click on more options to make the message header options visible.

Once done, click on the "Apply this rule if..." drop-down, select "A message header..." and then select "matches these text patterns" as below:

Click on "Enter text" and enter Received-SPF, then click OK:

Then click on "Enter text patterns" and enter SoftFail, then the + icon, then click OK:

We need to ensure that this rule only applies to external senders, so we need to add a condition that the senders are outside the organization. This prevents problems with printers or other servers that are relaying through Exchange without having their IPs on the SPF record (if you're using an SPF SoftFail on your record). To do this, click on "add condition" and select "The sender is external/internal":

Select "Outside the organization" then click OK:

We can now select an action for the message. As with the Exchange 2010 instructions, I'll demonstrate how to prepend a string to the message subject and also how to reject the email.
To prepend a string to the message subject, select "prepend the subject of the message with..." (funnily enough!) and enter the text you want to add to the beginning of the subject line, such as POTENTIAL SPAM (SPF SoftFail), then click OK then Save:

If you would rather reject this email, then instead of selecting the action "prepend the subject of the message with...", select "Block the message... reject the message with the explanation" and enter an explanation such as SPF SoftFail:

Once done, click Save. Your rule is now enabled.
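The SoftFail rule from both the Exchange 2010 and the Exchange 2013/2016 sections above can also be created in one go from the Exchange Management Shell, which is easier to repeat and to compare across organisations. The following is an added example, not the post's own script: the rule name and subject text are the post's, while the $RejectSoftFail switch that picks between the two actions is this example's. The 2010 wizard's "message header contains specific words" condition is the -HeaderContainsMessageHeader/-HeaderContainsWords pair used here; the 2013/2016 "matches these text patterns" condition is the -HeaderMatchesMessageHeader/-HeaderMatchesPatterns pair, and either works for a single word like SoftFail.

```powershell
# Added example (not from the original post): the SPF SoftFail transport rule created
# from the Exchange Management Shell rather than the console/EAC. Rule name and
# subject text are the post's; the $RejectSoftFail switch is this example's own.
$RejectSoftFail = $false   # $false = prepend the subject, $true = reject with 5.7.1

# Condition shared by both variants: Received-SPF header contains SoftFail, and the
# sender is outside the organization so internally relayed mail is never touched.
$condition = @{
    Name                        = 'SPF SoftFail'
    HeaderContainsMessageHeader = 'Received-SPF'
    HeaderContainsWords         = 'SoftFail'
    FromScope                   = 'NotInOrganization'
    Comments                    = 'Received-SPF is stamped by the Sender Id Agent (part 1)'
}

if ($RejectSoftFail) {
    # Same as the wizard's "send rejection message to sender with enhanced status code".
    New-TransportRule @condition `
        -RejectMessageReasonText 'SPF SoftFail' `
        -RejectMessageEnhancedStatusCode '5.7.1'
} else {
    # Same as "prepend message subject with string"; the trailing space keeps the tag
    # separate from the original subject.
    New-TransportRule @condition `
        -PrependSubject 'POTENTIAL SPAM (SPF SoftFail) '
}

# Check the result: State should be Enabled and the condition should show the header.
Get-TransportRule -Identity 'SPF SoftFail' | Format-List Name, State, Priority, FromScope, HeaderContainsMessageHeader, HeaderContainsWords, PrependSubject, RejectMessageReasonText
```

Because the rule keys off the Received-SPF header, it silently does nothing on a server where the Sender Id Agent is not installed or not enabled for external mail, so the Get-SenderIdConfig check from part 1 belongs in the same change.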

Conclusion
In part 2, I've demonstrated how to block or notify the end user of emails that fail the SPF checks but cause a SoftFail rather than a HardFail.
In an upcoming post, I'll show you how to only accept emails from particular domains if they pass the SPF check.

Require SPF Pass for selected senders | Exchange 2013 - 2016

Introduction
In this post, I'll show you how to partially enable SPF checks by requiring that the SenderID/SPF check is a pass for incoming email from a specified list of domains in Exchange 2013 and Exchange 2016. This is particularly useful if you receive legitimate email from financial institutions or other organizations which may request sensitive information and where these domains are often spoofed, but you don't yet want to reject all email that fails the SPF check.
SPF is not a new way of detecting spoofed email, but SenderID/SPF checks on incoming mail have not yet been enabled by many of the mail servers across the internet. This may be due to a lack of understanding of or confidence in the system. If this includes you, then have a read of these posts to get a better understanding:

Understanding SPF records

How to prevent spoofed email part 1

How to prevent spoofed email part 2

Ensure that you have completed these steps from How to prevent spoofed email part 1
before continuing:

Configure the InternalSMTPServers property on your transport servers

Install the Anti-Spam agents on Exchange

How to require an SPF pass for email from particular domains

To do this, we will create a new transport rule to look at the Received-SPF header on incoming email from outside the organisation that is from our list of domains for which we only want to receive email if they pass the SPF check.
The email headers for an email that passes the SPF check look like this:
Received-SPF: Pass (svr01.domain.co.uk: domain of reply@sender.com designates 108.14.3.148 as permitted sender)
We will configure our rule to look for the text pattern "Pass " in the Received-SPF header. Note the additional space on the end to prevent a false positive for any email addresses that include the string pass.
First, log into the Exchange Admin Center using an account which is a member of the
Organization Management group then click on mail flow in the left pane:

Next, click on the + icon, select create a new rule and provide a name for your new rule
like Require SPF Pass:

Once done, click on More options to make the additional conditions and options visible. We will apply the rule if the sender's domain is contoso.com or tailspintoys.com. Click on the "Apply this rule if" drop-down, select "the sender's domain is", then add your domains in the list:

Click OK when done.

Our next step is to apply these rules only to email from outside the organization. To do this, click "add condition" and then select "the sender is external/internal". Select "Outside the organization":

Click OK. In this next part we'll configure an action for email that is not an SPF pass. You can select one of many actions:

Redirect the email to another mailbox (e.g. a spam mailbox)

Forward the message for approval (by an administrator or other)

BCC the message to another address

Prepend the subject of the message with a string (to notify the user that this
email is not from a trusted source)

Block the message (with or without an NDR)

In this example, we'll block the message without sending an NDR to the sender. If you go with this approach, ensure that this sender is always sending email from IPs on their SPF record, otherwise you will start to reject legitimate email. If they are not, then it's best to go with one of the less drastic approaches above.
Under the "do the following" heading, select "Block the message... delete the message without notifying anyone" as below:

Now this blocks all messages from tailspintoys.com and contoso.com originating from outside the organization. We now want to make an exception so that we allow only those emails that have a Pass in the Received-SPF header field. To do this, click on "add exception" then select "A message header... matches these text patterns":

Click on "Enter text" and enter Received-SPF to provide the header name:

Click OK then click on "Enter text patterns". Set the text pattern to "Pass " (yes, there is a space after the word Pass) then click the + icon:

Click OK then click on Save.
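The same "Require SPF Pass" rule created from the Exchange Management Shell, as an added example that is not part of the original post. The domain list, rule name and the "Pass " pattern are the post's; creating the rule in Audit mode first and only then switching it to Enforce is this example's own suggestion, and the commented alternative pattern is likewise an option the post does not use. -SenderDomainIs is an Exchange 2013/2016 parameter, matching the versions the post covers.

```powershell
# Added example (not from the original post): the "Require SPF Pass" rule created from
# the Exchange Management Shell (Exchange 2013/2016). Domains and rule name are the
# post's examples; the Audit-first rollout is this example's own suggestion.
New-TransportRule -Name 'Require SPF Pass' `
    -SenderDomainIs 'contoso.com','tailspintoys.com' `
    -FromScope NotInOrganization `
    -DeleteMessage $true `
    -ExceptIfHeaderMatchesMessageHeader 'Received-SPF' `
    -ExceptIfHeaderMatchesPatterns 'Pass ' `
    -Mode Audit `
    -Comments 'Deletes external mail from the listed domains unless Received-SPF is Pass'

# Audit mode logs what the rule would have done without deleting anything. Leave it
# there long enough to confirm the listed domains really send only from IPs on their
# SPF record, because once enforced a mismatch means silently dropped legitimate mail.
Get-TransportRule -Identity 'Require SPF Pass' | Format-List Name, State, Mode, SenderDomainIs, FromScope, DeleteMessage, ExceptIfHeaderMatchesMessageHeader, ExceptIfHeaderMatchesPatterns

# After the audit period, switch the rule to enforcement.
Set-TransportRule -Identity 'Require SPF Pass' -Mode Enforce

# Optional tighter exception (not in the post): anchor the pattern so only a header
# value that starts with "Pass " satisfies the exception.
# Set-TransportRule -Identity 'Require SPF Pass' -ExceptIfHeaderMatchesPatterns '^Pass '
```

The conditions (sender domain and external scope) are ANDed, and the exception removes any message whose Received-SPF header matches the pattern, so the rule only ever acts on mail from those two domains that did not get a Pass.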

Conclusion
In this post, I've demonstrated how to set up a new transport rule in Exchange to ensure that email from particular domains is only delivered if it passes the SPF checks.
