Showing results for 
Search instead for 
Did you mean: 

SharePoint Online Email Content Filter Question


I want to add a header to SharePoint Online emails that will allow it to bypass our FED quarantine content rule.  When an executive in our FED dictionary requests access to a SharePoint Online resource or leaves a comment in a document, the email winds up quarantined by FED because the SharePoint Online notifications use the display name of the O365 user as the display name of the email.


I have a content rule that checks if the sender is, and checks to see if the ARC-Authentication-Results header contains dmarc=pass and and if all those conditions are true, then insert the header. 


What would be great would be a condition in the content filters if DMARC verification = pass however that doesn't exist yet and hence my kludgy work around.  It was working for a bit however now it has stopped.  Is anyone else using a content filter to check if a SharePoint Online email passed DMARC?  If so how are you doing that? 

4 Replies 4

Cisco Employee
Cisco Employee

If the new messages which are now being caught by FED contain the correct authentication result headers (which includes DMARC results) the filter should still work.


Did you have a chance to look at the headers and see if something has changed. Logically the sharepoint filter should be processed prior to the FED filter for it work effectively, i am sure you know that already. Can you paste a copy of latest headers, filter configuration for reference?


The filter config is:

FED_SHAREPOINT_BYPASS: if (mail-from == "") AND (header("ARC-Authentication-Results") == "dmarc=pass") AND (header("ARC-Authentication-Results") == "") { insert-header("header_name_redacted", "POSITIVE"); }

I attached the authentication headers and redacted some information (not sure I needed to but I did).  Specifically here is the ARC-Authentication-Results header that the content rule should be checking and it sure looks to me like it matches the condition.

ARC-Authentication-Results: i=2; 1; spf=fail (sender ip is
ironport_IP_address); dmarc=pass (p=reject sp=reject pct=100)
action=none; dkim=pass (signature was
verified); dkim=pass (signature was
verified); arc=pass (0 oda=0 ltdi=1)

Yes you are correct I have it prior to the FED filter, the FED filter has a condition on it.  I searched the SMA to find one where the content filter worked in the past and now I am not sure if the content filter ever worked. It may have just been coincidence where there was a stretch where an executive in the FED dictionary didn't request access to a SharePoint Online file.