Enhanced Filtering for Connectors (EFC) helps ensure that emails retain their original IP address and sender information when being routed through various services before being routed to Exchange Online by allowing for more accurate identification of spoofing attempts.
We’re rolling out an update that will reclassify messages with authentication issues and reduce false positives (e.g., the misidentification of legitimate emails as spoofed).
What's changing?
When email messages travel through different servers, they can get modified along the way. Sometimes, these modifications unintentionally break the authentication process. Specifically, if a previous server in the chain doesn’t support a protocol called Authenticated Received Chain (ARC), it can lead to authentication failures. Authentication failures can occur where DomainKeys Identified Mail (DKIM) is the only source of alignment for Domain-based Message Authentication Reporting & Conformance (DMARC). With the changes we are rolling out, messages that would have previously failed email spoof checks will now have composite authentication compauth=none instead of compauth=fail. This will allow Exchange Online Protection (EOP) to recognize the failed DKIM due to modifications. This change will introduce new compauth codes of 4xx and 9xx.
What is expected after the change?
- Decrease in False Positives: Legitimate emails that were previously mislabeled as spoofed will now be correctly identified.
- Enhanced Accuracy: The accuracy of the filtering stack and machine learning models will be improved, leading to better detection and prevention of spoofing and phishing attempts.
- Reliable Email Authentication: The use of SPF (Sender Policy Framework), DKIM, and DMARC will be more effective in establishing the reputation of sending domains, further aiding in the detection of impersonation and spoofing.
What should email and security admins do?
The change will rollout starting in early June 2024 and will be complete by mid-July 2024. It will be enabled by default for all tenants using Enhanced Filtering for Connectors, requiring no additional action from admins.
If your organization is using an Exchange Transport Rule (ETR) to bypass spam filtering when third-party filtering services are used, consider removing the ETR knowing that messages that had previously failed DKIM checks should be delivered to inboxes correctly after this change is rolled out. We will identify DKIM signatures that would have passed if a trusted third-party service had not modified the information.
This will allow you to deploy a defense-in-depth strategy for email messages, using your initial solution and Microsoft Defender for Office 365. Note, messages failing DKIM even without third-party intervention will continue to fail.
Finally, we strongly recommend organizations to adopt ARC whenever possible to preserve the original authentication statements in email messages.
Additional information
If your organization is already using EFC, you will find this change announced in the Message Center soon.
Microsoft Defender for Office 365 Team