By default, SPF-failed emails will still get delivered in Microsoft 365. To its credit, they most likely end up in the Junk folder. I understand the reason behind it because even in 2023, there are still many mail servers that aren’t configured correctly. But the fact that an SPF-failed email passes through still bothers me.
To stop it, you will need to add a Transport Rule that catches them via a matching message header. However, SPF is only one of the authentication methods for email security; there are also DKIM and DMARC to consider.
Exchange Online runs authentication tests and puts the results in a header called “Authentication-Results”, in the form of something like this:
Authentication-Results: spf=pass; dkim=pass; dmarc=pass; compauth=pass
The field compauth is a very interesting one. According to Anti-spam message headers in Microsoft 365, it’s used by Microsoft 365 to combine multiple types of authentication or any other part of the message to determine whether or not the message is authenticated.
It would be perfect for my case. If any message’s Authentication-Results header contains compauth=fail, I am happy to drop it. However, the Transport Rule doesn’t pick that part up; for whatever reason, it just wouldn’t match. What a bummer.
So, naturally, my next bet would be to use DMARC. Here is how it goes.
Head over to the Exchange Admin dashboard, go to Mail flow > Rules, and click Add a rule.
Give a name, and add a condition that
If the message header Authentication-Results includes 'dmarc=fail'
Do the following: for example, redirect the message to quarantine, or reject it back to the sender with or without an explanation.
Since we are using DMARC, I believe we should respect its action setting too, so an exception might be necessary.
Except if the message header Authentication-Results includes 'dmarc=fail action=none'
To wrap it up, a rule like this should get the job done.
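The same rule built from Exchange Online PowerShell rather than the admin center, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and the signed-in account has Exchange admin rights; the rule name and comment text are my own. It also goes one step beyond the post by creating the rule in audit mode first, so matches can be reviewed before any mail is quarantined.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the account holds Exchange admin rights.
Connect-ExchangeOnline

$ruleName = 'Quarantine DMARC failures'   # assumed name; choose your own

# Condition: the Authentication-Results header contains "dmarc=fail".
# Exception: the header contains "dmarc=fail action=none", i.e. the sending
# domain's DMARC policy asks for no enforcement, which the post chooses to respect.
# -Mode Audit records matches without acting on the message, so the rule can be
# checked against real traffic first; -SetAuditSeverity makes those matches easy
# to find in the mail flow reports.
New-TransportRule -Name $ruleName `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=fail' `
    -ExceptIfHeaderContainsMessageHeader 'Authentication-Results' `
    -ExceptIfHeaderContainsWords 'dmarc=fail action=none' `
    -Quarantine $true `
    -Mode Audit `
    -SetAuditSeverity Medium `
    -Comments 'Quarantine mail whose DMARC check failed, unless the domain policy is none'

# Confirm the rule was created with the expected condition and exception.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, HeaderContainsWords, ExceptIfHeaderContainsWords, Quarantine

# After reviewing the audited matches, switch the rule to enforcement.
Set-TransportRule -Identity $ruleName -Mode Enforce

# Alternative action mentioned in the post: reject back to the sender with an
# explanation. Replace "-Quarantine $true" above with these two parameters:
#   -RejectMessageReasonText 'Message rejected: DMARC authentication failed' `
#   -RejectMessageEnhancedStatusCode '5.7.1'
```

Leaving the rule in audit mode for a few days before enforcing it is the cheapest way to catch legitimate senders whose DMARC setup is broken, which is exactly the population the post's first paragraph worries about.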