With a new year started, an improper understanding of spam filtering seems to be starting as well. Over the last few weeks, I have received numerous tickets from clients regarding spoofed mail not being quarantined by Office 365. Now this could occur for numerous reasons – like not properly setting up your domain’s SPF record. But the root cause I have seen most commonly, is that the client is whitelisting their own domain.

Now there are two ways I have seen clients go about this. The first is through setup of a transport rule, stating that anything coming from their domain should have an SCL (Spam Confidence Level) of “-1” which means it automatically bypasses the spam filter. The second option is to go into the Spam Filter in the Exchange Admin Center and set their domain in the “Allowed Domain” list. There could be a few reasons why an individual would do this. The most common I have seen is they have an external service that sends out emails from their domain.

Why is it such a problem to whitelist your own domain?

Well the answer is security. By allowing all mail from your domain to bypass your spam filter, you cannot stop other individuals from spoofing your domain. You are essentially bypassing the SPF record whose job it is to validate that your domain is coming from the desired source. You are leaving your employees vulnerable to an attack that could have a devastating impact to your organization.

The question you should be asking is “What is the proper way to secure my tenant from spoofing?” The answer is setting up SPF, DKIM and DMARC DNS records in your respective registrar. Below are the Microsoft articles I provide all my clients who run into spoofing issues.


With SPF especially, if you have an external emailing source, or third-party company sending out emails as your domain, you will have to ensure that the source is added to your SPF record. That will validate that the sender is accepted, and mail will be delivered with no issue. If the mail comes from an unverified source, the mail will receive a flag of “SPF Failed” and the mail will not be delivered. The DKIM record is used to add a private key to the mail being sent by your domain, so if mail is delivered by your domain, and it does not have the DKIM private key, we know that the mail is not legitimate. Finally, the DMARC tells the mail system what to do with the email if DKIM were to fail (ex. Quarantine).

If your organization is currently setup to whitelist your domain, or if you do not know what your current setup is, I recommend logging into your Exchange Admin Center to do a discovery. If you are unsure of how to perform a valid discovery and perform remediation on your tenant, please contact Champion/MessageOps so we can help diagnose your current setup, and provide the correct solutions to secure your tenant and users.

Was this article helpful?