
Exchange Anti-Spam Toolkit Sender Filter

The Sender Filter allows filtering based on Sender ID (SPF), sender reputation including open-proxy detection, blocking of messages with blank senders, as well as a static list of Blocked Senders.

The Sender ID (SPF) filtering can be bypassed for specific recipients or senders by configuring the appropriate lists of Allowed Recipients and Allowed Senders.

The Sender Filter, Sender Reputation and Sender ID Validation filters can be enabled and disabled independently, including for internal and external messages.

Apart from Sender ID Validation, messages filtered by the Sender Filter are either deleted or rejected during the SMTP session (these filters do not provide the ability to mark or quarantine messages).

We recommend enabling the Sender Filter, Sender Reputation and Sender ID Validation in virtually all environments. The filtering and validation mechanisms they provide are effective and well-supported. False positives which result from these filters are almost always the result of a serious misconfiguration in the sender's environment, which will result in major email deliverability problems for that sender, as many other mail servers apart from Exchange perform similar filtering.

Sender Filter

The Sender Filter provides the following capabilities:

  • Blocking of messages with blank senders
  • Blocking of specific sender addresses or domains defined on the Exchange server
  • Blocking of specific sender addresses or domains, as defined in individual user mailboxes (using Junk Email options in Outlook or Outlook Web App)

Blank Sender Blocking Enabled

If blank sender blocking is enabled, messages which do not contain a valid email address in the SMTP MAIL FROM command will be rejected.

Blocked Senders

Blocked Senders allows you to define a list of sender addresses on the Exchange server which will be blocked. Blocked Sender Domains allows entire domains to be blocked.

If a sender address matches either of these lists, the message will be blocked. There are no exceptions or exclusion criteria possible if the sender address matches an entry on either of these lists.

Recipient Blocked Sender Action

In addition to the list of Blocked Senders defined here, individual users can define their own lists of Blocked Senders using Outlook or Outlook Web App.

The Recipient Blocked Sender Action determines whether messages from senders which match an individual user's block list will be Rejected or Deleted.

Sender Reputation

Sender Reputation uses protocol analysis to analyze characteristics of the sender during the SMTP conversation. The analysis includes validation of the domain name provided in the HELO/EHLO SMTP command, reverse DNS validation, analysis of historical SCL ratings for the sender and an open proxy test.

Exchange uses analysis of these characteristics to calculate a Sender Reputation Level (SRL) for each sender. For details, see Sender reputation and the Protocol Analysis agent in Exchange Server.

Sender Reputation Level (SRL) Block Threshold

Messages with a Sender Reputation Level (SRL) rating greater than or equal to the SRL Block Threshold will be rejected if Sender Blocking is enabled.

We are not aware of any way by which the SRL values assigned to a particular sender or message can be viewed in Exchange. They are not stamped on messages (like the SCL value) and there are no PowerShell cmdlets or log files in which they are visible. Furthermore, the exact way in which the SRL is calculated is not disclosed by Microsoft. Therefore it is hard to recommend changing the default SRL Block Threshold value as it is extremely hard to measure its impact.

The types of checks done by the Sender Reputation filter are however sound (in fact, apart from historical SCL analysis, they are quite basic) and most other mail servers perform the same types of checks. Therefore, we recommend enabling Sender Blocking. It is hard to imagine any legitimate mail being blocked via these filters, as it would require a serious misconfiguration on the part of the sender. The sender would likely discover this quite quickly as virtually all other mail servers would also reject their messages.

Open Proxy Detection Enabled

If Open Proxy Detection is enabled, Exchange will attempt to connect to the source IP address of the message and perform an open proxy test by sending a test message through it back to the Exchange server. If the source IP address is an open proxy, the sender will be blocked.

Sender Blocking Period (hours)

When Sender Blocking is enabled and a sender meets or exceeds the value defined for SRL Block Threshold, this setting determines how many hours the sender will remain on the blocked senders list. The value can be between 0 and 48 hours.

Sender ID Validation

Sender ID Validation uses Sender Policy Framework (SPF) DNS records to validate whether the sending IP address (obtained from the Received header of the message) is authorized to send mail for that domain. It can be configured to simply mark messages ("stamp status"), or reject or delete messages which fail SPF validation checks.

It should be noted that Sender ID validation in Exchange relies exclusively on SPF records and does not support DKIM (DomainKeys) or DMARC records. SPF is however much more widely supported and still a very useful filtering tool. Senders who do not have any SPF records will never be blocked. For a detailed description, see Sender ID in Exchange Server.

Spoofed Domain Action

The Spoofed Domain Action specifies the action to take when a message fails SPF validation, that is, the sender IP address is not authorized to send messages for that domain. The Spoofed Domain Action applies only to hard SPF failures (not soft failures). Note that messages are always stamped when Sender ID validation is enabled, and there are additional, more detailed statuses used in message stamping (see Sender ID in Exchange Server for details).

If desired, rejection of soft SPF failures can be accomplished by creating a custom Transport Rule in Exchange which detects the SoftFail status in the Received-SPF header.
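
One way to build the transport rule described above, as an added example that is not part of the Toolkit or its documentation. It uses Exchange's New-TransportRule cmdlet and starts in audit mode so that matches can be reviewed before any mail is rejected. It assumes Exchange 2013 or later (for the -Mode parameter); the rule name, rejection text and status code are illustrative choices.

```powershell
# Added example: run in the Exchange Management Shell on a server with the
# Transport service. Rule name and rejection text are assumptions.
$ruleName = 'Reject SPF SoftFail (example)'

$ruleParams = @{
    Name                            = $ruleName
    FromScope                       = 'NotInOrganization'   # external senders only
    HeaderContainsMessageHeader     = 'Received-SPF'        # header stamped by Sender ID validation
    HeaderContainsWords             = 'SoftFail'            # soft failures only; hard failures are
                                                            # handled by the Spoofed Domain Action
    RejectMessageReasonText         = 'Message rejected: SPF soft failure for the sending domain'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Audit'               # record matches without rejecting
    Comments                        = 'Covers soft SPF failures, which the Spoofed Domain Action does not act on'
}

# Create the rule only if a rule with this name does not already exist,
# so re-running the script does not fail or duplicate the rule.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }

if ($existing) {
    Write-Warning "Transport rule '$ruleName' already exists (Mode: $($existing.Mode)); leaving it unchanged."
}
else {
    New-TransportRule @ruleParams
}

# After reviewing what the rule matched in audit mode, switch to enforcement:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Sender ID Validation must be enabled for the Received-SPF header to be stamped; without it the rule never matches.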

Temp Error Action

The Temp Error Action specifies the action to take when the DNS server or DNS records for the sending domain cannot be contacted.

SPF records are very widely deployed and the basic specification has existed since at least 2002. While it is quite a useful filtering technique and we recommend enabling it, experience has shown that there are still occasional issues with senders who have misconfigured SPF records. When these senders are identified, they can be added to the Allowed Senders list to allow their messages to bypass Sender ID validation.

It should be noted that these senders will almost certainly have serious deliverability issues to many other mail servers. Of particular note would be Gmail as the service blocks not only hard SPF failures but soft SPF failures as well.

Allowed Recipients

Messages sent to a recipient on the Allowed Recipients list will bypass Sender ID filtering.

Allowed Sender Domains

Messages sent from a domain on the Allowed Sender Domains list will bypass Sender ID filtering.