This sender failed our fraud detection checks ...


  • hi Everyone,

    Today one of our internal user received an email. the email body contains a disclaimer

    "[This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at]"

    I know that email is a spoofed email but I don't know how the above text came in the email?

    We are using exchange online protection with Onprem Exchange 2013 CU5. I ran EOP PS but Get-MessageTraceDetail is not showing anything like Action Applied ".." like it shows for external email attachment disclaimer.

    the msg details only have

    Spam Diagnostics
    Send External

    No Transport rule Actions. Help needed.

    Also is there any way to see that an inbound email to EOP after receive event, passes all these transport rule but only few applied, any PS to check this.




    Thursday, May 18, 2017 3:36 AM

All replies

  • I recommend that you post in a forum specific to EOP.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, May 19, 2017 12:25 AM
  • Hello Zak,

    Base on your error message, it might be a spoofed email, or not, However, the root cause of it is an incorrectly configured Sender Policy Framework (SPF) record that does not specify the IP address of the server or host that sent the junked email as an allowed sender.

    Therefore, to fix it, the sender’s domain administrator should register its domain with correct SPF record.

    More details about How antispoofing protection works in Office 365, refer to:

    Best Regards,

    Allen Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, May 19, 2017 11:07 AM