How EOP validates the From address to prevent phishing

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

Applies to

Phishing attacks are a constant threat to any email organization. In addition to using spoofed (forged) sender email addresses, attackers often use values in the From address that violate internet standards. To help prevent this type of phishing, Exchange Online Protection (EOP) and Outlook.com now require inbound messages to include an RFC-compliant From address as described in this article. This enforcement was enabled in November 2017.

Notes:

  • If you regularly receive email from organizations that have malformed From addresses as described in this article, encourage these organizations to update their email servers to comply with modern security standards.

  • The related Sender field (used by Send on Behalf and mailing lists) isn't affected by these requirements. For more information, see the following blog post: What do we mean when we refer to the 'sender' of an email?

An overview of email message standards

A standard SMTP email message consists of a message envelope and message content. The message envelope contains information that's required for transmitting and delivering the message between SMTP servers. The message content contains message header fields (collectively called the message header) and the message body. The message envelope is described in RFC 5321, and the message header is described in RFC 5322. Recipients never see the actual message envelope because it's generated by the message transmission process, and it isn't actually part of the message.

  • The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the Return-Path header field in the message header (although it's possible for the sender to designate a different Return-Path email address).

  • The 5322.From address (also known as the From address or P2 sender) is the email address in the From header field, and is the sender's email address that's displayed in email clients. The From address is the focus of the requirements in this article.

The From address is defined in detail across several RFCs (for example, RFC 5322 sections 3.2.3, 3.4, and 3.4.1, and RFC 3696). There are many variations on addressing and what's considered valid or invalid. To keep it simple, we recommend the following format and definitions:

From: "Display Name" <EmailAddress>

  • Display Name: An optional phrase that describes the owner of the email address.

    • We recommend that you always enclose the display name in double quotation marks (") as shown. If the display name contains a comma, you must enclose the string in double quotation marks per RFC 5322.
    • If the From address includes a display name, the EmailAddress value must be enclosed in angle brackets (< >) as shown.
    • Microsoft strongly recommends that you insert a space between the display name and the email address.
  • EmailAddress: An email address uses the format local-part@domain:

    • local-part: A string that identifies the mailbox associated with the address. This value is unique within the domain. Often, the mailbox owner's username or GUID is used.
    • domain: The fully qualified domain name (FQDN) of the email server that hosts the mailbox identified by the local-part of the email address.

    These are some additional considerations for the EmailAddress value:

    • Only one email address.
    • We recommend that you do not separate the angle brackets from the email address with spaces.
    • Don't include additional text after the email address.

Examples of valid and invalid From addresses

The following From email addresses are valid:

  • From: sender@contoso.com

  • From: <sender@contoso.com>

  • From: < sender@contoso.com > (Not recommended because there are spaces between the angle brackets and the email address.)

  • From: "Sender, Example" <sender.example@contoso.com>

  • From: "Microsoft 365" <sender@contoso.com>

  • From: Microsoft 365 <sender@contoso.com> (Not recommended because the display name is not enclosed in double quotation marks.)

以下"From"电子邮件地址无效:The following From email addresses are invalid:

  • 否"来自 地址":某些自动邮件不包括"自"地址。No From address: Some automated messages don't include a From address. 过去,当 Microsoft 365 或 Outlook.com 收到不含"收件人"地址的邮件时,该服务添加了以下默认 From: 地址,使邮件可交付:In the past, when Microsoft 365 or Outlook.com received a message without a From address, the service added the following default From: address to make the message deliverable:

    From: <>

    现在,不再接受地址为空的邮件。Now, messages with a blank From address are no longer accepted.

  • From: Microsoft 365 sender@contoso.com (The display name is present, but the email address is not enclosed in angle brackets.)

  • From: "Microsoft 365" <sender@contoso.com> (Sent by a process) (Text after the email address.)

  • From: Sender, Example <sender.example@contoso.com> (The display name contains a comma, but is not enclosed in double quotation marks.)

  • From: "Microsoft 365 <sender@contoso.com>" (The whole value is incorrectly enclosed in double quotation marks.)

  • From: "Microsoft 365 <sender@contoso.com>" sender@contoso.com (The display name is present, but the email address is not enclosed in angle brackets.)

  • From: Microsoft 365<sender@contoso.com> (No space between the display name and the left angle bracket.)

  • From: "Microsoft 365"<sender@contoso.com> (No space between the closing double quotation mark and the left angle bracket.)

Suppress auto-replies to your custom domain

You can't use the value From: <> to suppress auto-replies. Instead, you need to set up a null MX record for your custom domain. Auto-replies (and all replies) are naturally suppressed because there is no published address that the responding server can send messages to.

  • Choose an email domain that can't receive email. For example, if your primary domain is contoso.com, you might choose noreply.contoso.com.

  • The null MX record for this domain consists of a single period.

For example:

noreply.contoso.com IN MX .

For more information about setting up MX records, see Create DNS records at any DNS hosting provider for Microsoft 365.

For more information about publishing a null MX, see RFC 7505.

Override From address enforcement

To bypass the From address requirements for inbound email, you can use the IP Allow List (connection filtering) or mail flow rules (also known as transport rules) as described in Create safe sender lists in Microsoft 365.

You can't override the From address requirements for outbound email that you send from Microsoft 365. In addition, Outlook.com will not allow overrides of any kind, even through support.

Other ways to prevent and protect against cybercrimes in Microsoft 365

For more information on how you can strengthen your organization against phishing, spam, data breaches, and other threats, see Top 10 ways to secure Microsoft 365 for business plans.