Sender ID procedures
Sender ID detects spoofed email messages by using the Sender Policy Framework (SPF) record in DNS to compare the source IP address with the domain in the sender's email address. For more information about Sender ID and the Sender ID agent, see Sender filtering
What do you need to know before you begin?
Estimated time to complete each procedure: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antispam features" entry in the Antispam and antimalware permissions topic.
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
By default, antispam features aren't enabled in the Transport service on a Mailbox server. Typically, you only enable the antispam features on a Mailbox server if your Exchange organization doesn't do any prior antispam filtering before accepting incoming messages. For more information, see Enable antispam functionality on Mailbox servers.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
Use the Exchange Management Shell to enable or disable Sender ID
To disable Sender ID, run the following command:
Set-SenderIDConfig -Enabled $false
To enable Sender ID, run the following command:
Set-SenderIDConfig -Enabled $true
Note
When you disable Sender ID, the underlying Sender ID agent is still enabled. To disable the Sender ID agent, run the command: Disable-TransportAgent "Sender ID Agent".
How do you know this worked?
To verify that you have successfully enabled or disabled Sender ID, run the following command to verify the Enabled property value:
Get-SenderIDConfig | Format-List Enabled
Use the Exchange Management Shell to enable or disable Sender ID for external connections
By default, Sender ID is enabled for external (unauthenticated) SMTP connections.
To disable sender filtering for external connections, run the following command:
Set-SenderIDConfig -ExternalMailEnabled $false
To enable Sender ID for external connections, run the following command:
Set-SenderIDConfig -ExternalMailEnabled $true
How do you know this worked?
To verify that you have successfully enabled or disabled Sender ID for external SMTP connections, run the following command to verify the ExternalMailEnabled property value:
Get-SenderFilterConfig | Format-List ExternalMailEnabled
Use the Exchange Management Shell to enable or disable Sender ID for internal connections
As a best practice, you don't need to apply antispam filters to messages from trusted partners or from inside your organization. To reduce the chance that filters will mishandle legitimate email messages, you typically configure antispam agents to only run on messages from external sources.
To enable Sender ID for internal (authenticated) SMTP connections, run the following command:
Set-SenderIDConfig -InternalMailEnabled $true
To disable Sender ID for internal connections, run the following command:
Set-SenderIDConfig -InternalMailEnabled $false
How do you know this worked?
To verify that you have successfully enabled or disabled Sender ID for internal SMTP connections, run the following command to verify the InternalMailEnabled property value:
Get-SenderIDConfig | Format-List InternalMailEnabled
Use the Exchange Management Shell to configure the Sender ID action for spoofed messages
To configure the Sender ID action for spoofed messages, use the following syntax:
Set-SenderIDConfig -SpoofedDomainAction <StampStatus | Reject | Delete>
This example configures the Sender ID agent to reject any messages with a 5 xx SMTP error response when sender's domain has an SPF record, and the IP address of the source server isn't listed as an authoritative server for the domain (the Sender ID status is Fail).
Set-SenderIDConfig -SpoofedDomainAction Reject
How do you know this worked?
To verify that you have successfully configured the Sender ID action for spoofed messages, run the following command to verify the SpoofedDomainAction property value:
Get-SenderIDConfig | Format-List SpoofedDomainAction
Use the Exchange Management Shell to configure the Sender ID action for transient errors
To configure the Sender ID action for transient errors, use the following syntax:
Set-SenderIDConfig -TempErrorAction <StampStatus | Reject | Delete>
This example configures the Sender ID agent to stamp the messages when the Sender ID status can't be determined due to a temporary DNS server error (the Sender ID status is TempError). The message will be processed by other antispam agents and the Content Filter agent will use the mark when determining the SCL value for the message.
Set-SenderIDConfig -TempErrorAction StampStatus
Note that StampStatus is the default value for the TempErrorAction parameter.
How do you know this worked?
To verify that you have successfully configured the Sender ID action for transient errors, run the following command to verify the TempErrorAction property value:
Get-SenderIDConfig | Format-List TempErrorAction
Use the Exchange Management Shell to configure recipient and sender domain exceptions
To replace the existing values, run the following command:
Set-SenderIDConfig -BypassedRecipients <recipient1,recipient2...> -BypassedSenderDomains <domain1,domain2...>
This example configures the Sender ID agent to bypass the Sender ID check for messages sent to kim@contoso.com and john@contoso.com, and to bypass the Sender ID check for messages sent from the fabrikam.com domain.
Set-SenderIDConfig -BypassedRecipients kim@contoso.com,john@contoso.com -BypassedSenderDomains fabrikam.com
To add or remove entries without modifying other existing values, use the following syntax:
Set-SenderIDConfig -BypassedRecipients @{Add="<recipient1>","<recipient2>"...; Remove="<recipient1>","<recipient2>"...} -BypassedSenderDomains @{Add="<domain1>","<domain2>"...; Remove="<domain1>","<domain2>"...}
This example configures the Sender ID agent with the following settings:
Add chris@contoso.com and michelle@contoso.com to the list of existing recipients who bypass the Sender ID check.
Remove tailspintoys.com from the list of existing domains that bypass the Sender ID check.
Set-SenderIDConfig -BypassedRecipients @{Add="chris@contoso.com","michelle@contoso.com"} -BypassedSenderDomains @{Remove="tailspintoys.com"}
How do you know this worked?
To verify that you have successfully configured recipient and sender domain exceptions, run the following command to verify the property values:
Get-SenderIDConfig | Format-List BypassedRecipients,BypassedSenderDomains