Exchange Online EOP and Send of Behalf

Some one asked me recently about an interesting scenario on which emails are send on behalf of another party, and how Exchange Online Protection (EOP) will act in this case.

There are two FROM values in the SMTP world:

  • RFC 5321  (MailFrom)
  • RFC 5322 (From)

Outlook displays the RDC 5322 From address to end users, and this is the address that is used in the user’s safe sender list.

EOP inspects both values for blocked and allowed senders and domains. Exchange Online Protection EOP and outlook handle safe sender lists differently.

In most cases, those two values are the same which is normal. Things become interesting when someone is sending emails on behalf of another party. Let us take a simple example:

Mailfrom vs MAIL RFC

  • Contoso corporation is trying to send email to their customers and they contracted with third party to send their news emails.
  • The contractor company sends the news email on behalf of contoso.
  • The email that was sent has the following values:
    • RFC 5321 MailFrom: news@externalparty.com
    • RFC 5322 From: news@contoso.com
  • One of the customers who are using EOP receives the news email, and in Outlook, he can see that the sender is news@contoso.com.
  • The user added this address to the safe list senders.
  • Because EOP inspect both RFC from addresses, the next time an email was sent by the contractor, EOP will white-list that email respecting the user’s safe list.

Usually the RFC5321 address is the one used by EOP to do SPF checks and send NDR or bounced messages.

Reference article:

https://technet.microsoft.com/en-us/library/dn463985(v=exchg.150).aspx

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s