Sender ID detects spoofed email messages by using the Sender Policy Framework (SPF) record in DNS to compare the source IP address with the domain in the sender's email address. For more information about Sender ID and the Sender ID agent, see Sender filtering.
What do you need to know before you begin?
Estimated time to complete each procedure: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antispam features" entry in the Antispam and antimalware permissions topic.
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
By default, antispam features aren't enabled in the Transport service on a Mailbox server. Typically, you only enable the antispam features on a Mailbox server if your Exchange organization doesn't do any prior antispam filtering before accepting incoming messages. For more information, see Enable antispam functionality on Mailbox servers.
Use the Exchange Management Shell to enable or disable Sender ID
To disable Sender ID, run the following command:
Set-SenderIDConfig -Enabled $false
To enable Sender ID, run the following command:
Set-SenderIDConfig -Enabled $true
Note
When you disable Sender ID, the underlying Sender ID agent is still enabled. To disable the Sender ID agent, run the command: Disable-TransportAgent "Sender ID Agent".
How do you know this worked?
To verify that you have successfully enabled or disabled Sender ID, run the following command to verify the Enabled property value:
Get-SenderIDConfig | Format-List Enabled
Use the Exchange Management Shell to enable or disable Sender ID for external connections
By default, Sender ID is enabled for external (unauthenticated) SMTP connections.
To disable Sender ID for external connections, run the following command:
Set-SenderIDConfig -ExternalMailEnabled $false
To enable Sender ID for external connections, run the following command:
Set-SenderIDConfig -ExternalMailEnabled $true
How do you know this worked?
To verify that you have successfully enabled or disabled Sender ID for external SMTP connections, run the following command to verify the ExternalMailEnabled property value:
Use the Exchange Management Shell to enable or disable Sender ID for internal connections
As a best practice, you don't need to apply antispam filters to messages from trusted partners or from inside your organization. To reduce the chance that filters will mishandle legitimate email messages, you typically configure antispam agents to only run on messages from external sources.
To enable Sender ID for internal (authenticated) SMTP connections, run the following command:
Set-SenderIDConfig -InternalMailEnabled $true
To disable Sender ID for internal connections, run the following command:
Set-SenderIDConfig -InternalMailEnabled $false
How do you know this worked?
To verify that you have successfully enabled or disabled Sender ID for internal SMTP connections, run the following command to verify the InternalMailEnabled property value:
This example configures the Sender ID agent to reject any messages with a 5xx SMTP error response when the sender's domain has an SPF record, and the IP address of the source server isn't listed as an authoritative server for the domain (the Sender ID status is Fail).
Set-SenderIDConfig -SpoofedDomainAction Reject
How do you know this worked?
To verify that you have successfully configured the Sender ID action for spoofed messages, run the following command to verify the SpoofedDomainAction property value:
This example configures the Sender ID agent to stamp the messages when the Sender ID status can't be determined due to a temporary DNS server error (the Sender ID status is TempError). The message will be processed by other antispam agents and the Content Filter agent will use the mark when determining the SCL value for the message.
Set-SenderIDConfig -TempErrorAction StampStatus
Note that StampStatus is the default value for the TempErrorAction parameter.
How do you know this worked?
To verify that you have successfully configured the Sender ID action for transient errors, run the following command to verify the TempErrorAction property value:
Get-SenderIDConfig | Format-List TempErrorAction
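The verification steps above check one property at a time. The following added example (not part of the original article) checks all five settings in one pass against a baseline and also reports the state of the Sender ID agent; the values in $expected are assumptions chosen for illustration.

```powershell
# Added example: audit the Sender ID settings against an expected baseline.
# Run in the Exchange Management Shell. The $expected values are assumptions;
# change them to match your own policy.
$expected = [ordered]@{
    Enabled             = $true
    ExternalMailEnabled = $true
    InternalMailEnabled = $false
    SpoofedDomainAction = 'Reject'
    TempErrorAction     = 'StampStatus'
}

$config = Get-SenderIDConfig

# Build one row per setting; compare as strings so Boolean and enumeration
# values are handled the same way.
$report = foreach ($name in $expected.Keys) {
    $actual = $config.$name
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual
        Match    = ("$actual" -eq "$($expected[$name])")
    }
}
$report | Format-Table -AutoSize

# Set-SenderIDConfig -Enabled $false leaves the underlying transport agent
# enabled, so report the agent state separately.
Get-TransportAgent "Sender ID Agent" | Format-List Identity,Enabled

# Summarize any settings that differ from the baseline.
$drift = @($report | Where-Object { -not $_.Match })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} Sender ID setting(s) differ from the baseline: {1}" -f `
        $drift.Count, ($drift.Setting -join ', '))
}
```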
Use the Exchange Management Shell to configure recipient and sender domain exceptions
To replace the existing values, run the following command:
This example configures the Sender ID agent to bypass the Sender ID check for messages sent to kim@contoso.com and john@contoso.com, and to bypass the Sender ID check for messages sent from the fabrikam.com domain.
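The replacement described above, as an added example that is not part of the original article. It uses the recipients and domain named in the text, saves the current lists first because replacing overwrites them, and then shows the add-without-overwriting form; partner.example is a constructed placeholder domain.

```powershell
# Added example: replace, then extend, the Sender ID bypass lists.
# Run in the Exchange Management Shell.

# Replacing overwrites whatever is configured, so keep a copy of the
# current lists (as plain strings) before changing anything.
$before = Get-SenderIDConfig
$backup = [pscustomobject]@{
    BypassedRecipients    = @($before.BypassedRecipients    | ForEach-Object { "$_" })
    BypassedSenderDomains = @($before.BypassedSenderDomains | ForEach-Object { "$_" })
}

# Replace the existing values with the entries named in the text.
Set-SenderIDConfig -BypassedRecipients kim@contoso.com,john@contoso.com `
    -BypassedSenderDomains fabrikam.com

# Add one more sender domain without overwriting the entries already present.
# partner.example is a constructed placeholder, not a value from the article.
Set-SenderIDConfig -BypassedSenderDomains @{Add='partner.example'}

# Verify the resulting lists.
$after = Get-SenderIDConfig
$after | Format-List BypassedRecipients,BypassedSenderDomains

# Every entry on these lists skips the Sender ID check, so list what the
# replacement dropped and confirm each removal was intended.
$nowRecipients = @($after.BypassedRecipients    | ForEach-Object { "$_" })
$nowDomains    = @($after.BypassedSenderDomains | ForEach-Object { "$_" })
$dropped = @($backup.BypassedRecipients    | Where-Object { $nowRecipients -notcontains $_ }) +
           @($backup.BypassedSenderDomains | Where-Object { $nowDomains    -notcontains $_ })
if ($dropped.Count -gt 0) {
    Write-Warning ("Entries no longer bypassed: {0}" -f ($dropped -join ', '))
}
```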