Setting Up Domain Spoofing Protection in Microsoft Exchange 2013, Exchange 2016 or Microsoft 365 (formerly Office 365)
The following instructions will show you how to create a rule in Exchange 2013, Exchange 2016, or Microsoft 365 (formerly Office 365) that will prevent your domain from being spoofed from outside your environment.
By following the instructions below, you are adding a rule to automatically delete messages that spoof your domain. This specific step can be modified to suit your organisation's specific requirements (for example, quarantining or forwarding the message). We strongly recommend you test this rule before implementing it.
This rule will accomplish the following;
- Delete any inbound emails that originate from OUTSIDE your organisation which appear as if they are coming from your domain/inside your organisation. (domain spoofing)
- Allow emails from Phishing Tackle's servers to bypass this rule (so phishing tests can be conducted that look like they are coming from internal email accounts).
Note: This rule will only protect your users from outsiders who are trying to spoof your domain. It will not affect an external email from being sent using your domain to another email address by a third-party (not to your organisation). That is typically handled with SPF record management which is not covered in this article.
First, log into your Exchange or Microsoft 365 (formerly Office 365) portal and go into the Admin>Exchange in your Admin Centers area. Note: the screenshots below are from an Microsoft 365 (formerly Office 365) environment.
- Select rules under the mail flow section.
- Click the + sign.
- Select Create a new rule....
- Give the rule a meaningful name, such as Domain Spoofing Prevention and then click more options (which is found towards the bottom of the window).
- Choose Apply this rule if… and select "is internal/external". Then select the location of Outside the organization.
- Add a condition and then choose The sender's domain is... and input your organisation’s email domain(s).
- Now you need to choose an action. In this case, we chose to delete the message, however if you wish you can choose other options based on your security policies. To automatically delete the messages which spoof your domain, choose Block the message and then delete the message without notifying anyone.
- Add an exception for Phishing Tackle's (or any other external organisation who may need to send an email as if it is coming from your domain to your users, e.g. ActiveCampaign, SalesForce or Hubspot) Choose IP address is in any of these ranges or exactly matches and fill in the IP addresses of the external organisation’s mail server.
For the most up-to-date list of our IP addresses, please see this article. For more allowlisting information click here.
Lastly, choose to Match sender address in message and select Header or envelope.
- When you have completed all the above information, click Save.