Transport Rules versus Safe Sender Lists in Office 365/EOP: ¿Quien es mas Macho?

One of the great powers of being the messaging guy or girl is the ability to create transport rules in response to business requirements. Seemingly subtle differences in the rule’s logic, however, can make a huge difference.

For example: You craft a rule to block spoofed messages from the internet that appear to come from your SMTP domain. Like all good internet citizens, you have enabled DMARC, so you construct a rule like this:

[Screenshot: transport rule for messages from outside the organization that appear to come from your own domain, with the action set to mark the message with SCL 9]


So, what happens to the message when the rule is applied? Since you are setting the SCL to 9, it will end up in the quarantine by default. Or will it?

Consider this: since you are only marking the message as spam, you are also giving the end-user the ability to bypass that rule by safelisting the sender.

Because EOP honors both the RFC 5321 MAIL FROM: and the RFC 5322 From: when evaluating safe senders, if the MAIL FROM: just happens to be on a user’s safelist – added through Outlook or OWA – the message will be allowed, even if the From: is a spoofed domain.

If you don’t like the prospect of messages potentially slipping through without hitting the quarantine first, force it instead:

[Screenshot: the same rule, with the action changed to deliver the message to the hosted quarantine]

Problem Solved!

Well, maybe. Since you are pushing the message to the quarantine by rule, the end-users will not see the messages in their personal quarantines and will not be able to release the message without administrator intervention as documented here:

https://blogs.technet.microsoft.com/eopfieldnotes/2014/08/28/behavior-change-when-setting-the-scl-with-a-transport-rule/

But maybe that is what you want.

Regardless, you can craft the rule to meet your needs. And options are always good.
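To make the two variants concrete, here is how both rules would be created in Exchange Online PowerShell. This is an added example, not a screenshot or script from the original post; the rule names and the domain are placeholders, and it assumes a connected Exchange Online session.

```powershell
# Added example (not from the original post): the two transport-rule variants
# discussed above, built with the Exchange Online cmdlets.
# Assumes an Exchange Online PowerShell session is already connected and that
# 'yourdomain.example' is a placeholder for one of your own accepted SMTP domains.

$ownDomain = 'yourdomain.example'   # placeholder: replace with your real domain

# Variant 1 (first screenshot): inbound messages whose RFC 5322 From: header
# carries our own domain get SCL 9. The message still goes through the spam
# filter path, so a MAIL FROM: on the recipient's safelist (Outlook/OWA) can
# still land it in the Inbox.
New-TransportRule -Name 'Own-domain spoof - set SCL 9' `
    -FromScope NotInOrganization `
    -SenderDomainIs $ownDomain `
    -SenderAddressLocation Header `
    -SetSCL 9 `
    -Comments 'Safe-sender lists can bypass this action.'

# Variant 2 (second screenshot): same condition, but the action delivers the
# message straight to the hosted quarantine. Safelists no longer apply, but the
# message also does not appear in the user's personal quarantine; an admin
# has to release it. Created disabled so only one variant is active at a time.
New-TransportRule -Name 'Own-domain spoof - force quarantine' `
    -FromScope NotInOrganization `
    -SenderDomainIs $ownDomain `
    -SenderAddressLocation Header `
    -Quarantine $true `
    -Enabled $false `
    -Comments 'Admin-only release from the hosted quarantine.'

# Check which action each rule actually carries before swapping which one is enabled.
Get-TransportRule |
    Where-Object { $_.Name -like 'Own-domain spoof - *' } |
    Format-List Name, State, FromScope, SenderDomainIs, SenderAddressLocation, SetSCL, Quarantine
```

Switching between the variants is then a matter of `Enable-TransportRule` / `Disable-TransportRule` on the two names.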
