The Sender Policy Framework (SPF) lets a domain owner publish DNS entries that list the valid sources of its email, in this case Office 365. Attackers will often try to send email from outside a domain to recipients inside the domain by pretending to be another person within the company. A rule that flags messages sent from outside the company while claiming to come from inside it alerts users to the spoofing attempt. This article summarizes how to create an Office 365 Exchange mail flow rule that warns users about messages that fail SPF validation.
Configure the SPF DNS Entry
A DNS entry is required to list the valid sources from which email can be sent. Below is an example SPF record for an Office 365 account.
v=spf1 include:spf.protection.outlook.com -all
Configure the Exchange Admin Center Mail Flow Rules
Navigate to the Exchange Admin Center. Select Rules, then + Add a rule.
The new rule should have the following key entries:
- Apply this rule if the message headers 'Authentication-Results' includes 'spf-permerror' or 'Received-SPF:Fail' or 'spf-fail' or 'SPF:Fail'
- The sender domain is
- Prepend the subject with [SPF-FAIL]
- Apply a disclaimer to the message and prepend the appropriate warning text.
- Generate an incident and send it to the domain administrators.
Sample prepend warning text:
<span style="color:red"><p><b> [SPF-FAIL] WARNING, This message does not appear to be a valid domain.com mail message. USE EXTREME CAUTION in opening any attachment. </b></p></span>
Below are the images used in Office 365 to configure a new rule.
Enable the rule.
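To see which messages the rule's conditions would flag before relying on it, the following added example (not part of the original article and not Microsoft's code) applies the same logic to raw headers in Python. It assumes the placeholder domain domain.com from the warning text, that the sender domain is taken from the From header, and that the headers follow the `spf=<result>` layout of RFC 8601 and the `Received-SPF: <Result>` layout of RFC 7208; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "domain.com"             # assumption: placeholder from the warning text
FAIL_RESULTS = {"fail", "permerror"}  # SPF results the rule treats as invalid
TAG = "[SPF-FAIL]"

def spf_results(msg):
    """Collect SPF results from Authentication-Results and Received-SPF headers."""
    results = []
    for value in msg.get_all("Authentication-Results", []):
        # RFC 8601 form: "spf=fail (sender IP is ...) smtp.mailfrom=domain.com; dkim=..."
        results += [r.lower() for r in re.findall(r"\bspf=(\w+)", value, re.I)]
    for value in msg.get_all("Received-SPF", []):
        # RFC 7208 form: "Fail (protection.outlook.com: ...)"; the result is the first word
        results += [w.lower() for w in value.split()[:1]]
    return results

def sender_domain(msg):
    """Domain of the From header address (assumed to be what the rule compares)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def apply_rule(raw):
    """Return (flagged, subject) the way the mail flow rule conditions would decide."""
    msg = message_from_string(raw)
    flagged = (sender_domain(msg) == OWN_DOMAIN
               and any(r in FAIL_RESULTS for r in spf_results(msg)))
    subject = msg.get("Subject", "")
    if flagged and not subject.startswith(TAG):
        subject = f"{TAG} {subject}"  # same effect as "Prepend the subject with"
    return flagged, subject

# Constructed sample messages (not real mail): one spoofed, one legitimate.
SPOOFED = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=domain.com
Received-SPF: Fail (protection.outlook.com: domain of domain.com does not designate 203.0.113.7 as permitted sender)
From: "CEO" <ceo@domain.com>
Subject: Urgent wire transfer
"""
LEGIT = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=domain.com
From: "HR" <hr@domain.com>
Subject: Quarterly report
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, apply_rule(raw))
```

A `softfail` result is deliberately not flagged here, because the rule on this page lists only the fail and permerror outcomes.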