Receive spoofed email

Amir 6 Reputation points
2020-08-16T11:20:23.34+00:00

Hi,
We have two Exchange servers. The first is the Mailbox server and the second is the Edge server.
We configured and set up SPF, DMARC, and Sender ID on the Edge server. But when I test my domain with the Send-MailMessage command, for example by sending a spoofed email from the gmail.com domain, the email is received without any action (reject or delete). I checked the SPF and DMARC settings with MxToolbox and am sure they are correct. Now my problem is: how can I force Exchange to check the sender's SPF records to prevent receiving spoofed email?


4 answers

  1. Jon Alfred Smith 541 Reputation points
    2020-08-16T12:34:05.433+00:00

    My information may be out-of-date, but might perhaps give you some input. I left the on-premises Exchange world several years ago, except for configuring hybrid Exchange environments. At that time you needed third-party modules on the Edge servers to handle DKIM and DMARC for outbound mail. There were no modules for verifying incoming mail with either DKIM or DMARC (DKIM is by the way a DMARC requirement).

    So out-of-the-box you should have no better spoofing protection.

    As to checking SPF, you must enable and configure Sender ID within Exchange 2013 or 2016. Do the following in the Exchange Management Shell:

    # Install the anti-spam agents (the call operator "&" is needed to run the script by path)
    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
    # Reject messages whose sender domain fails the Sender ID check
    Set-SenderIDConfig -SpoofedDomainAction Reject
    # Restart transport so the agents are loaded
    Restart-Service -Name MSExchangeTransport

    For more information, see https://knowledge.broadcom.com/external/article/178825/how-to-enable-sender-id-filtering-for-ex.html

    For extremely useful articles on SPF, DKIM and DMARC with on-premises Exchange, see SENDERID, SPF, DKIM AND DMARC IN EXCHANGE 2016 – PART III. There are links back to the two earlier blogs. Jaap Wesselius is one of the world's leading Exchange experts (I have learned a lot from him through all those years).
    https://jaapwesselius.com/2016/08/23/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-iii/

    If I may offer a personal recommendation: use Exchange Online Protection (EOP) as your SMTP gateway, and preferably add Office 365 Advanced Threat Protection (ATP). There you have it all. Easy to set up SPF, DKIM and DMARC. Protection against dangerous links and attachments, spoofing, impersonation, zero-day threats. All the security based on AI and machine learning.

    The easiest way would likely be to set up connectors between Edge and EOP. This works whether or not your Edge server is set up with an Edge Subscription. One benefit of subscribing is that you can configure a hybrid Exchange environment from your Edge server.

    1 person found this answer helpful.

  2. Lucas Liu-MSFT 6,171 Reputation points
    2020-08-17T06:59:13.737+00:00

    Hi Amir,
    Based on my knowledge, all incoming mail is checked against SPF records. It is by-design behavior.
    If you have verified that your SPF format is correct, please make sure that the enforcement rule in SPF is set to "-" (hard fail), the receiving server's configured spam policy for this type of message. If it is "~" (soft fail) or "?" (neutral), you may receive mail even after the SPF check fails.
    The "P" in the DMARC format represents the policy of the organization domain. Please set this attribute to "p=reject". This will reject all emails that cannot pass DMARC detection.
    For more information you could refer to: How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing, Use DMARC to validate email and DKIM/SPF/DMARC Verification and Authentication in Exchange Server.
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    1 person found this answer helpful.
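The qualifiers and the DMARC p= tag that the answer above describes, as an added example that is not part of the answer: two small parsers for SPF and DMARC TXT strings and a check that flags the weak combinations. The sample records are constructed placeholders; the `Resolve-DnsName` lines in the trailing comment show how to fetch real records from a Windows host.

```powershell
# Added example, not part of the answer above: evaluate published SPF and DMARC
# policy strings the way the answer describes ("-all" and "p=reject" are the
# strict settings). The sample records below are constructed placeholders.

function Get-SpfAllQualifier {
    param([Parameter(Mandatory)][string]$SpfRecord)
    # The qualifier in front of the final "all" mechanism decides the result for
    # senders that match nothing else: "-" fail, "~" softfail, "?" neutral, "+" pass.
    $m = [regex]::Match($SpfRecord, '(?i)(?:^|\s)([-~?+]?)all(?:\s|$)')
    if (-not $m.Success) { return $null }
    $q = $m.Groups[1].Value
    if ($q -eq '') { $q = '+' }   # an omitted qualifier means "+" (pass)
    return $q
}

function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$DmarcRecord)
    # The p= tag is the policy a receiver is asked to apply on DMARC failure.
    $m = [regex]::Match($DmarcRecord, '(?i)(?:^|;)\s*p\s*=\s*(none|quarantine|reject)')
    if (-not $m.Success) { return $null }
    return $m.Groups[1].Value.ToLower()
}

function Test-SenderPolicy {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$SpfRecord,
        [Parameter(Mandatory)][string]$DmarcRecord
    )
    $spfQ   = Get-SpfAllQualifier -SpfRecord $SpfRecord
    $dmarcP = Get-DmarcPolicy -DmarcRecord $DmarcRecord
    [pscustomobject]@{
        Domain      = $Domain
        SpfAll      = $spfQ
        SpfHardFail = ($spfQ -eq '-')
        DmarcPolicy = $dmarcP
        DmarcReject = ($dmarcP -eq 'reject')
        # Flag the combination the answer warns about: nothing published asks
        # the receiver to reject, so a spoofed message is likely to be delivered.
        WeakPolicy  = -not (($spfQ -eq '-') -or ($dmarcP -eq 'reject'))
    }
}

# Constructed sample records (placeholders, not real DNS data).
$samples = @(
    @{ Domain = 'weak.example';   Spf = 'v=spf1 include:_spf.mail.example ~all'; Dmarc = 'v=DMARC1; p=none; rua=mailto:dmarc@weak.example' },
    @{ Domain = 'strict.example'; Spf = 'v=spf1 ip4:192.0.2.0/24 -all';          Dmarc = 'v=DMARC1; p=reject; adkim=s; aspf=s' }
)

$samples |
    ForEach-Object { Test-SenderPolicy -Domain $_.Domain -SpfRecord $_.Spf -DmarcRecord $_.Dmarc } |
    Format-Table -AutoSize

# For a live domain from a Windows host (needs DNS access), fetch the records with:
#   (Resolve-DnsName -Name example.com -Type TXT).Strings -match '^v=spf1'
#   (Resolve-DnsName -Name _dmarc.example.com -Type TXT).Strings
```

Run as-is, the table shows `weak.example` with `SpfAll ~`, `DmarcPolicy none` and `WeakPolicy True`, and `strict.example` with `SpfAll -`, `DmarcPolicy reject` and `WeakPolicy False`. Note that the published policy only tells receivers what the domain owner asks for; whether a given receiver honours it is a separate question, which is what the rest of this thread is about.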

  3. Andy David - MVP 147.6K Reputation points MVP
    2020-08-17T11:12:30.497+00:00

    How did you test this? It doesn't sound like a valid way to do this.

    Post the headers of that test message you sent (the complete headers, with any personal information removed).

    1 person found this answer helpful.

  4. Amir 6 Reputation points
    2020-08-19T10:59:08.947+00:00

    I found the problem. SPF and DMARC were OK and Sender ID was enabled, but when testing with the Send-MailMessage command from a Gmail source we received the spoofed email. So I checked Sender ID and the other settings on the Exchange servers again. I saw that in the content filtering role gmail.com had been bypassed, so I removed gmail.com from the bypass list and tested again. The problem was solved.
    Thanks all.

    1 person found this answer helpful.
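Since the root cause was a bypass entry rather than the DNS records, an audit of the Edge server's anti-spam agents is the check a practitioner would want to keep around. The script below is an added example and not Amir's own; it uses the standard `Get-SenderIdConfig`, `Get-ContentFilterConfig` and `Get-TransportAgent` cmdlets and must be run in the Exchange Management Shell on the Edge Transport server with the anti-spam agents installed.

```powershell
# Added example, not Amir's own script: audit an Edge Transport server's
# anti-spam agents for bypass entries and weak actions. Run in the Exchange
# Management Shell on the Edge server (anti-spam agents must be installed).

function New-Finding([string]$Area, [string]$Setting, $Value, [string]$Note) {
    [pscustomobject]@{ Area = $Area; Setting = $Setting; Value = $Value; Note = $Note }
}

function Get-AntiSpamBypassReport {
    $findings = @()

    # 1. Sender ID: must be enabled, and spoofed senders should be rejected
    #    rather than merely stamped (StampStatus is the default action).
    $sid = Get-SenderIdConfig
    if (-not $sid.Enabled) {
        $findings += New-Finding 'SenderId' 'Enabled' $sid.Enabled 'Sender ID agent is disabled'
    }
    if ($sid.SpoofedDomainAction -ne 'Reject') {
        $findings += New-Finding 'SenderId' 'SpoofedDomainAction' $sid.SpoofedDomainAction 'Spoofed domains are not rejected'
    }
    foreach ($d in $sid.BypassedSenderDomains) {
        $findings += New-Finding 'SenderId' 'BypassedSenderDomains' $d 'Domain skips the Sender ID check'
    }

    # 2. Content Filter bypass lists (the root cause in this thread: gmail.com was listed here).
    $cf = Get-ContentFilterConfig
    foreach ($d in $cf.BypassedSenderDomains) {
        $findings += New-Finding 'ContentFilter' 'BypassedSenderDomains' $d 'Domain bypasses content filtering'
    }
    foreach ($s in $cf.BypassedSenders) {
        $findings += New-Finding 'ContentFilter' 'BypassedSenders' $s 'Address bypasses content filtering'
    }

    # 3. The agents themselves must be enabled in the transport pipeline.
    $disabledAgents = Get-TransportAgent |
        Where-Object { $_.Identity -match 'Sender Id|Content Filter' -and -not $_.Enabled }
    foreach ($a in $disabledAgents) {
        $findings += New-Finding 'TransportAgent' $a.Identity $a.Enabled 'Agent is installed but disabled'
    }

    # Unary comma keeps the result an array even when there is exactly one finding.
    return ,$findings
}

$report = Get-AntiSpamBypassReport
if ($report.Count -eq 0) {
    'No bypass entries or weak anti-spam actions found.'
} else {
    $report | Format-Table -AutoSize
}

# Remediation for the case in this thread, removing one domain from the bypass list:
#   Set-ContentFilterConfig -BypassedSenderDomains @{Remove = 'gmail.com'}
```

Each finding names the agent, the setting and the offending value, so the output doubles as a change record when an entry is removed. Re-run the script after any change to the bypass lists, since a single whitelisted domain is enough to let a spoofed message through regardless of how strict the DNS policy is.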
