This article addresses the issue of internal emails getting flagged as inbound and blocked by the Anti-Spoofing spam filter. Note that the Anti-Spam module is designed to only listen to and scan Inbound SMTP traffic. MailEssentials recognizes internal emails as inbound when it is not installed on the Exchange server or when the same Email Domain is spread through mail servers physically situated in different locations such as in hybrid setups having Exchange on-premise and Exchange Online (O365) using the same domain.
When internal emails (those sent from and to the same domain) are blocked, one of the following is true:
- The email is an auto-generated notification and is sent from a server, network device, or third-party software.
- The email is sent from a mobile device whose SMTP connection is NOT authenticated.
- The email is sent from an email client other than Microsoft Outlook, which sends internal emails through unauthenticated SMTP rather than MAPI.
- Email is relayed through multiple Mail Servers internally, which communicate through SMTP between them.
- The same Email Domain is spread through mail servers physically situated in different locations and communicating outside the LAN.
- The sender claims to be from a local account but their SMTP connection is not authenticated.
The Anti-Spoofing filter performs the following steps sequentially:
- Verifies that the domain of the sender’s SMTP email address is listed in the local domains list. (Note: it does not check the MIME FROM email address.)
- Verifies whether the connection is authenticated. When senders connect directly to the mail server (e.g. from a mobile mail client on the internet), the sender’s IP address is not always known in advance, so the email is blocked if the SMTP connection is not authenticated.
- Checks whether the connecting IP address originates from that domain by comparing it against a list of trusted IPs. This list is built from the IP addresses configured specifically for the Anti-Spoofing plug-in and from the list of perimeter servers, which, if properly configured, should match the IP addresses that send emails for the local domains.
- If the IP address is not specified in either list, the plug-in blocks the email; otherwise, the message is considered legitimate.
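The decision sequence above can be modeled in a few lines of Python and run against the blocking scenarios listed earlier. This is an added illustration, not GFI MailEssentials code: the class and function names, the `skip` verdict for non-local sender domains, and all sample domains and addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AntiSpoofingModel:
    local_domains: set        # General Settings > Settings > Local Domains
    authorized_ips: list      # IPs/CIDRs entered on the Anti-Spoofing filter
    perimeter_servers: list   # perimeter servers list
    use_perimeter_list: bool = True    # "Use authorized IP addresses from perimeter servers list"
    allow_authenticated: bool = True   # "Do not block authenticated connections"

    def evaluate(self, envelope_from, client_ip, authenticated):
        """Return (verdict, reason) for one SMTP session."""
        # Step 1: only the SMTP envelope sender is checked, not the MIME From header.
        domain = envelope_from.rsplit("@", 1)[-1].strip("<> ").lower()
        if domain not in self.local_domains:
            # Assumption: the filter takes no action for non-local sender domains.
            return ("skip", "sender domain is not local")
        # Step 2: authenticated connections are let through.
        if authenticated and self.allow_authenticated:
            return ("allow", "authenticated connection")
        # Step 3: compare the connecting IP against both trusted lists.
        trusted = list(self.authorized_ips)
        if self.use_perimeter_list:
            trusted += self.perimeter_servers
        ip = ipaddress.ip_address(client_ip)
        for entry in trusted:
            if ip in ipaddress.ip_network(entry, strict=False):
                return ("allow", f"trusted IP ({entry})")
        # Step 4: local sender, unauthenticated, IP in neither list.
        return ("block", "local sender, unauthenticated, untrusted IP")

# Constructed sample data (documentation address ranges, made-up domain).
MODEL = AntiSpoofingModel({"example.com"}, ["192.0.2.0/28"], ["198.51.100.10"])
SESSIONS = {
    "scanner notification, unlisted device": ("scanner@example.com", "192.0.2.200", False),
    "internal relay in authorized range": ("alice@example.com", "192.0.2.5", False),
    "mobile client, no SMTP AUTH": ("bob@example.com", "203.0.113.77", False),
    "mobile client, SMTP AUTH": ("bob@example.com", "203.0.113.77", True),
    "hybrid site via perimeter server": ("carol@example.com", "198.51.100.10", False),
    "external sender": ("dave@example.org", "203.0.113.9", False),
}

def run_samples(model=MODEL):
    return {name: model.evaluate(*args)[0] for name, args in SESSIONS.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:5}  {name}")
```

The blocked sessions correspond to the causes listed at the top of the article: each one is resolved either by authenticating the connection or by adding the sending host to one of the two trusted lists.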
The following flowchart illustrates the process:
Follow the steps below to ensure that internal emails are not blocked by the filter:
1. Stop the SMTP or Exchange Transport Service.
2. Open the GFI MailEssentials Configuration.
3. Navigate to General Settings > Settings > Local Domains.
4. Remove the domain from the list and click Apply.
5. Go to the Whitelist (GFI MailEssentials > Anti-Spam > Whitelist), add the desired entries (in this case, *@domain) and then click Apply.
6. Navigate back to Local Domains, re-add the domain and then click Apply.
7. Go to Anti-Spam Filters > Anti-Spoofing and enable it, then add the IP address or CIDR range of the SMTP server(s) and click Apply.
8. Navigate to Filter Priority (GFI MailEssentials > Anti-Spam > Filter Priority) and make sure that Anti-Spoofing is above Whitelist.
9. Restart the service stopped in step 1.
- The Anti-Spoofing filter lets through any internal email that has an authenticated SMTP connection with Exchange. If the internal email makes it through Anti-Spoofing, the domain is whitelisted, so the email is not stopped by another filter.
- Enabling Anti-Spoofing is important to mitigate the risk of being impersonated by spammers since there will always be email addresses from the local domains in the Whitelist.
- By default, the options "Use authorized IP addresses from perimeter servers list" and "Do not block authenticated connections" are enabled in the Anti-Spoofing configuration screen. It is recommended that these options stay enabled.
Send an internal test email (from and to the same local domain) and confirm that it was allowed through by the Anti-Spoofing filter by following the troubleshooting steps given in this linked article on Determining why the Anti-Spoofing Filter blocked or allowed a message.