05-17-2022 04:25 PM
I want to add a header to SharePoint Online emails that will allow it to bypass our FED quarantine content rule. When an executive in our FED dictionary requests access to a SharePoint Online resource or leaves a comment in a document, the email winds up quarantined by FED because the SharePoint Online notifications use the display name of the O365 user as the display name of the email.
I have a content rule that checks if the sender is no-reply@sharepointonline.com and checks whether the ARC-Authentication-Results header contains dmarc=pass and header.d=sharepointonline.com; if all those conditions are true, it inserts the header.
What would be great would be a condition in the content filters for DMARC verification = pass; however, that doesn't exist yet, hence my kludgy workaround. It was working for a bit, but now it has stopped. Is anyone else using a content filter to check if a SharePoint Online email passed DMARC? If so, how are you doing that?
05-18-2022 06:00 PM
If the new messages which are now being caught by FED contain the correct authentication result headers (which include DMARC results), the filter should still work.
Did you have a chance to look at the headers and see if something has changed? Logically the SharePoint filter should be processed prior to the FED filter for it to work effectively; I am sure you know that already. Can you paste a copy of the latest headers and the filter configuration for reference?
05-20-2022 11:35 AM
The filter config is:
FED_SHAREPOINT_BYPASS:
if (mail-from == "no-reply@sharepointonline.com")
   AND (header("ARC-Authentication-Results") == "dmarc=pass")
   AND (header("ARC-Authentication-Results") == "header.d=sharepointonline.com")
{
    insert-header("header_name_redacted", "POSITIVE");
}
I attached the authentication headers and redacted some information (not sure I needed to but I did). Specifically here is the ARC-Authentication-Results header that the content rule should be checking and it sure looks to me like it matches the condition.
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=fail (sender ip is
    ironport_IP_address) smtp.rcpttodomain=ourdomain.com
    smtp.mailfrom=sharepointonline.com; dmarc=pass (p=reject sp=reject pct=100)
    action=none header.from=sharepointonline.com; dkim=pass (signature was
    verified) header.d=sponaeop.onmicrosoft.com; dkim=pass (signature was
    verified) header.d=sharepointonline.com; arc=pass (0 oda=0 ltdi=1)
Yes, you are correct, I have it prior to the FED filter; the FED filter has a condition on it. I searched the SMA to find one where the content filter worked in the past, and now I am not sure if the content filter ever worked. It may have just been a coincidence that there was a stretch where an executive in the FED dictionary didn't request access to a SharePoint Online file.
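As an added example (not code from this thread and not anything Cisco ships), the rule above rewritten in Python against a parsed message, so the same conditions can be run over captured headers outside the ESA while troubleshooting. It assumes the envelope sender is available as a Return-Path header, and the two sample messages are constructed with placeholder addresses, with the ARC-Authentication-Results value modelled on the one posted. It differs from the posted filter in three deliberate ways: it takes the ARC set with the highest i= value (the most recent sealer), it only counts header.d=sharepointonline.com when it sits on a dkim=pass entry, and it additionally requires arc=pass and a sealer you trust (mx.microsoft.com here), because ARC-Authentication-Results is an ordinary header that any upstream system can write.

```python
"""Reproduce the FED_SHAREPOINT_BYPASS conditions against a parsed message.

Added example for this thread; not Cisco code. Assumes the envelope sender is
present as Return-Path. All sample data below is constructed.
"""
import re
from email import message_from_string
from email.policy import default

# Constructed sample of a SharePoint Online notification after Microsoft 365
# sealed it. The i=2 ARC-Authentication-Results value is modelled on the header
# posted in the thread; IPs, tenant and recipient domains are placeholders.
SAMPLE_PASS = """\
Return-Path: <no-reply@sharepointonline.com>
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=fail (sender ip is
 192.0.2.10) smtp.rcpttodomain=example.com
 smtp.mailfrom=sharepointonline.com; dmarc=pass (p=reject sp=reject pct=100)
 action=none header.from=sharepointonline.com; dkim=pass (signature was
 verified) header.d=tenant.onmicrosoft.com; dkim=pass (signature was
 verified) header.d=sharepointonline.com; arc=pass (0 oda=0 ltdi=1)
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=sharepointonline.com; dmarc=pass header.from=sharepointonline.com;
 dkim=pass header.d=sharepointonline.com; arc=none
From: "Jane Executive" <no-reply@sharepointonline.com>
To: user@example.com
Subject: Jane Executive wants to access a file

(body)
"""

# Constructed sample carrying the same three strings the posted filter looks for,
# but written by a sealer we have no reason to trust. A substring match on the
# header alone would insert the bypass header for this message.
SAMPLE_UNTRUSTED = """\
Return-Path: <no-reply@sharepointonline.com>
ARC-Authentication-Results: i=1; mail.example.net; spf=pass
 smtp.mailfrom=sharepointonline.com; dmarc=pass header.from=sharepointonline.com;
 dkim=pass header.d=sharepointonline.com; arc=pass
From: "Jane Executive" <no-reply@sharepointonline.com>
To: user@example.com
Subject: Jane Executive wants to access a file

(body)
"""

COMMENT_RE = re.compile(r'\([^()]*\)')   # "(...)" comments are free text, drop them


def load(raw):
    """Parse raw RFC 5322 text; the default policy unfolds folded headers."""
    return message_from_string(raw, policy=default)


def parse_authres(value):
    """Parse an Authentication-Results / ARC-Authentication-Results value.

    Returns (instance, authserv_id, results): instance is the ARC i= value
    (0 for a plain Authentication-Results header), authserv_id is the host that
    wrote the header, and results is a list of (method, result, {prop: value}),
    e.g. ('dkim', 'pass', {'header.d': 'sharepointonline.com'}).
    """
    text = ' '.join(str(value).split())      # collapse any remaining folding whitespace
    text = COMMENT_RE.sub('', text)
    clauses = [c.strip() for c in text.split(';') if c.strip()]
    instance = 0
    if clauses and clauses[0].startswith('i='):
        instance = int(clauses.pop(0)[2:])
    authserv_id = clauses.pop(0).split()[0] if clauses else ''
    results = []
    for clause in clauses:
        tokens = clause.split()
        if '=' not in tokens[0]:             # e.g. a bare "none"
            continue
        method, result = tokens[0].split('=', 1)
        props = dict(tok.split('=', 1) for tok in tokens[1:] if '=' in tok)
        results.append((method.lower(), result.lower(), props))
    return instance, authserv_id, results


def latest_arc_results(msg):
    """Return the parsed ARC-Authentication-Results set with the highest i=,
    i.e. the one written by the hop that handed the message to us."""
    best = None
    for hdr in msg.get_all('ARC-Authentication-Results', []):
        parsed = parse_authres(hdr)
        if best is None or parsed[0] > best[0]:
            best = parsed
    return best


def has_result(results, method, result, props=None):
    """True if some entry reports method=result and carries all given properties."""
    wanted = props or {}
    return any(m == method and r == result and all(p.get(k) == v for k, v in wanted.items())
               for m, r, p in results)


def evaluate_bypass(msg, trusted_sealer='mx.microsoft.com'):
    """Per-condition verdicts for the bypass rule; insert_header is the overall result."""
    instance, authserv_id, results = latest_arc_results(msg) or (0, '', [])
    return_path = str(msg.get('Return-Path') or '').strip('<> ').lower()
    verdicts = {
        'mail_from_is_sharepoint': return_path == 'no-reply@sharepointonline.com',
        'dmarc_pass': has_result(results, 'dmarc', 'pass'),
        'dkim_d_sharepoint': has_result(results, 'dkim', 'pass', {'header.d': 'sharepointonline.com'}),
        'arc_pass': has_result(results, 'arc', 'pass'),
        'sealer_trusted': authserv_id.lower() == trusted_sealer,
    }
    verdicts['insert_header'] = all(verdicts.values())
    return verdicts


if __name__ == '__main__':
    for name, raw in (('SAMPLE_PASS', SAMPLE_PASS), ('SAMPLE_UNTRUSTED', SAMPLE_UNTRUSTED)):
        print(name, evaluate_bypass(load(raw)))
```

To test a real message, save it from the SMA with headers intact and pass the text to load(); the per-condition dict shows which of the three posted conditions (and which of the two extra checks) is the one that fails.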