Setting Up Domain Spoof Protection in Exchange 2013, Exchange 2016, or Office 365
The following instructions will show you how to create a rule in Exchange 2013, Exchange 2016, or Office 365 that will prevent your domain from being spoofed from outside your environment.
In this rule, we recommend setting up a rule to automatically delete messages that spoof your domain. This specific step can be modified to suit your organization's network and specific requirements (for example, quarantining or forwarding the message). We strongly recommend you test this rule before implementing it.
This rule will accomplish the following;
- Delete any inbound emails that originate from OUTSIDE your organization which appear as if they are coming from your domain/inside your organization. (domain spoof protection)
- Allow emails from KnowBe4’s servers to bypass this rule (so phishing tests can be conducted that look like they are coming from internal email accounts).
Note: This rule will only protect your users from outsiders who are trying to spoof your domain. It will not affect an external email from being sent using your domain to another email address (not to your organization). For simplicity’s sake, it will prevent emails from being sent to your users from outside your organization that look like they are originating from within your organization. But it will not prevent a person from sending someone else outside your organization an email that looks like it comes from your organization. That is typically handled with SPF record management which is not covered in this document.
First, log into your Exchange or Office 365 portal and go into the Admin>Exchange area. Note: the below screenshots display an Office 365 environment.
Office 365 Exchange Admin Area:
Next, you'll start creating the new rule:
Click on the mail flow section 1 and then click the + sign 2 in the right-hand area and select “Create a new rule…" 3
New Rule Screen:
Creating the rule:
Give the rule a relevant name, such as Domain Spoof Prevention. Click on "more options".
Choose “Apply this rule if…” and select "The sender is internal/external". Then select the location of "outside the organization". 4
Add a condition and then choose “The sender's domain is” and input your organization’s email domain(s). 5
Then choose a reaction. In our case, we chose to delete the message, however if you wish you can choose other options based on your security policies. To automatically delete the messages which spoof your domain, choose "Block the message" and then "delete the message without notifying anyone". 6
Add an exception for KnowBe4 (or any other external organization who may need to send an email as if it is coming from your domain to your users, e.g. Hubspot) Choose “Sender’s IP address is in any of these ranges or exactly matches…” and fill in the IP Addresses of the external organization’s mail server. 7
In our case the IP Addresses are:
(For more Whitelisting information CLICK HERE)
Lastly, choose to Match sender address in message and select “Header or envelope”. 8
Be sure to save your new rule once all settings match