Hi folks. So here is the situation.
In our organisation we work with an external supplier. That supplier uses SendGrid to send mass mailers into our organisation.
The email address these mails come in from is spoofed so that it looks like it comes from our organisation.
We currently exclude that email address from our SPAM policies so we do not pick it up as spoofed.
Our security team however have decided that we are to find a more secure option.
From Microsoft documentation I can see that they recommend the following to manage safe senders, from most secure to least secure:
Mail flow rules
Outlook Safe Senders
IP Allow List (connection filtering)
Allowed sender lists or allowed domain lists (anti-spam policies)
Looking at mail flow rules first, I can see that it is not recommended to use a mail flow rule without any other requirement in place, like DMARC for example.
I initially thought DMARC might be an option, but I can see from the mail header for the emails from SendGrid that it seems to fail DMARC with the following error:
spf=pass (sender IP is xx.xx.xx.xxx) smtp.mailfrom=email.suppliercompany.com; lxxx.xx.xx; dkim=pass (signature was verified) header.d=suppliercompany.com;lxxx.xx.xx; dmarc=fail action=quarantine header.from suppliercompany.lxxx.xx.xx;compauth=fail reason=000
SPF and DKIM both pass, so I am unsure why DMARC then fails. The IP listed is SendGrid's and we don't have this in our SPF, so I assume it passes because we are excluding the email?
If we take this from our spam filter and send the email again would it then fail SPF?
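The header in the post shows the classic DMARC alignment failure: SPF is evaluated against the envelope MAIL FROM domain (email.suppliercompany.com), DKIM against the d= domain in the signature (suppliercompany.com), and DMARC then asks whether either of those domains aligns with the domain in the visible From: header. If the From: carries your organisation's domain, as the post describes, neither identifier aligns and DMARC fails even though both SPF and DKIM individually pass; your anti-spam exclusion does not influence any of those three results. The following is an added example, not code from the poster or from Microsoft, that reproduces the alignment check in the style of RFC 7489 over constructed Authentication-Results fragments. The domains and the 192.0.2.10 address are placeholders, and the organizational-domain lookup is a two-label approximation instead of the Public Suffix List (an assumption noted in the code).

```python
import re
from typing import Dict

# Constructed Authentication-Results fragments (placeholders, not the poster's
# real header). The first mirrors the situation in the post: SPF and DKIM pass
# for the supplier's domains while the From: header carries the customer's domain.
AR_SUPPLIER = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=email.suppliercompany.com; "
    "dkim=pass (signature was verified) header.d=suppliercompany.com; "
    "header.from=ourorg.example"
)
# Same mail, but the supplier signs with a DKIM key delegated under the customer's domain.
AR_DELEGATED_DKIM = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=email.suppliercompany.com; "
    "dkim=pass (signature was verified) header.d=mail.ourorg.example; "
    "header.from=ourorg.example"
)
# Same mail, but the envelope MAIL FROM is a subdomain of the customer's domain
# whose SPF record authorises the sending IP.
AR_ALIGNED_SPF = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.ourorg.example; "
    "dkim=none; header.from=ourorg.example"
)


def org_domain(domain: str) -> str:
    """Approximate the DMARC Organizational Domain as the last two labels.

    RFC 7489 derives this from the Public Suffix List; the two-label shortcut
    is an assumption for this example and is wrong for e.g. example.co.uk.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: mode 's' (strict) needs an exact match,
    mode 'r' (relaxed) only needs the same organizational domain."""
    a, f = auth_domain.lower().strip("."), from_domain.lower().strip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def parse_auth_results(header: str) -> Dict[str, str]:
    """Pull the fields DMARC needs out of an Authentication-Results string."""
    patterns = {
        "spf": r"\bspf=(\w+)",
        "spf_domain": r"smtp\.mailfrom=([A-Za-z0-9.-]+)",
        "dkim": r"\bdkim=(\w+)",
        "dkim_domain": r"header\.d=([A-Za-z0-9.-]+)",
        "from_domain": r"header\.from=([A-Za-z0-9.-]+)",
    }
    parsed = {}
    for key, pattern in patterns.items():
        match = re.search(pattern, header)
        if match:
            parsed[key] = match.group(1).lower()
    return parsed


def dmarc_evaluate(header: str, aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """Evaluate DMARC the way a receiver does: pass if SPF *or* DKIM both
    passed and aligns with the From: domain under the policy's aspf/adkim mode.
    Defaults are relaxed, as in a DMARC record that omits those tags."""
    ar = parse_auth_results(header)
    from_domain = ar["from_domain"]
    spf_aligned = (
        ar.get("spf") == "pass"
        and "spf_domain" in ar
        and is_aligned(ar["spf_domain"], from_domain, aspf)
    )
    dkim_aligned = (
        ar.get("dkim") == "pass"
        and "dkim_domain" in ar
        and is_aligned(ar["dkim_domain"], from_domain, adkim)
    )
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for name, header in [("supplier as-is", AR_SUPPLIER),
                         ("delegated DKIM", AR_DELEGATED_DKIM),
                         ("aligned SPF", AR_ALIGNED_SPF)]:
        print(name, dmarc_evaluate(header))
```

Run as-is, the first header evaluates to dmarc=fail with neither identifier aligned, which is what the post's header shows. The other two headers show the two ways a third-party sender can be made to pass DMARC for your domain without any allow-listing on the receiving side: the supplier signs with a DKIM key published under a subdomain you control, or it uses a MAIL FROM under your domain and you authorise its sending hosts in that subdomain's SPF record. Both pass under relaxed alignment; passing adkim="s" or aspf="s" to dmarc_evaluate shows that strict alignment would reject the subdomain variants, so check the alignment mode in your DMARC record before relying on either approach.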