
One problem Office 365 users deal with is that an external SMTP server can spoof the domain of an organization and send e-mails to the domain's users, where the e-mails appear to be from employees of the organization. In the header, the authentication results would look like this:

spf=none dmarc=none dkim=none (message not signed) (sender IP is x.x.x.x) 

smtp.mailfrom=theSpammer.xx; YourOwnDomain.com;  YourOwnDomain.com;  

header.from=YourOwnDomain.com;  action=none header.d=none;

When the authentication values (e.g., SPF) are not set, we cannot reject the e-mail. The From can be set to anyone at the organization, but the Reply-To and Return-Path can be set to the spammer's choice to keep communicating with the scam victim at the target organization.

Does anyone have a solid solution to prevent spammers and phishers from sending e-mails that spoof the organization's domain to the employees on that domain?

There is a recommendation here: https://community.office365.com/en-us/f/148/t/239589 that suggests creating a transport rule that filters e-mails originating from outside of the organization while the sender's domain is the organization's domain. Has anyone used that successfully?

schroeder
Goli E
  • How about user training? (We would never ask for your password, personal information, etc.) Or, if you have control over the domain, wouldn't it be possible to start encrypting your e-mails? Then you could just teach users not to trust any non-signed/non-encrypted emails. – Thanathan Aug 31 '15 at 11:46

1 Answer


You should modify your DNS settings to set up SPF for your domain, so email messages sent from an outside IP address are rejected. By the way, the recommendation you link to in your post aims to achieve the same result.

That would be the more effective technique. Failing to do so, your best bet would be to digitally sign all exchanged inter-domain emails and/or train your users, but I understand these are not always viable options.

dr_
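To make the two pieces of advice on this page concrete, here is an added example (not code from the question, the answer, or Microsoft) that models what a receiving mail server does with an SPF record and with the transport rule the question links to. It parses an Office 365 style Authentication-Results header like the one in the question, evaluates a constructed SPF record for the connecting IP, and then applies the rule "message came from outside, From: is our domain, nothing authenticates it for our domain, so quarantine it". One caveat worth seeing in code: SPF is evaluated against the envelope MAIL FROM domain (smtp.mailfrom), not the From: header, so a spoofer who uses their own MAIL FROM can pass SPF for their domain while the From: still shows yours; that is why the example also checks DMARC-style alignment between the two. The domain names, IP addresses, SPF records and headers below are constructed for the example, and include:/a/mx mechanisms are not resolved.

```python
"""Model of SPF evaluation plus the 'external sender spoofing our domain'
transport rule. Everything below is constructed example data."""
import ipaddress
import re

ORG_DOMAIN = "yourowndomain.com"  # assumption: the organisation's own domain

# Stand-in for DNS TXT lookups so the example runs offline. Office 365
# tenants would normally use an include: mechanism, which this toy evaluator
# does not resolve; only ip4:/ip6:/all are handled.
SPF_RECORDS = {
    "yourowndomain.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "thespammer.xx": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, records=SPF_RECORDS):
    """Return the SPF verdict of `domain` for the connecting `sender_ip`."""
    record = records.get(domain.lower())
    if record is None:
        return "none"  # no record published: the receiver cannot reject
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            matched = addr in net  # False when address families differ
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, include, exists are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_auth_results(header):
    """Pull the fields the rule needs out of an Authentication-Results header."""
    text = " ".join(header.split())

    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1).lower() if m else None

    return {
        "sender_ip": grab(r"sender IP is ([0-9a-fA-F.:]+)"),
        "mailfrom_domain": grab(r"smtp\.mailfrom=(?:[^@;\s]*@)?([^;\s]+)"),
        "header_from": grab(r"header\.from=([^;\s]+)"),
        "dkim": grab(r"\bdkim=(\w+)") or "none",
        "dkim_d": grab(r"header\.d=([^;\s]+)"),
    }


def evaluate(header, org_domain=ORG_DOMAIN):
    """Decide what to do with a message that arrived from outside the tenant."""
    env = parse_auth_results(header)
    spf = "none"
    if env["mailfrom_domain"] and env["sender_ip"]:
        spf = spf_check(env["mailfrom_domain"], env["sender_ip"])
    # DMARC-style alignment: an SPF pass only vouches for the MAIL FROM
    # domain, so it says nothing about From: unless the domains match.
    spf_aligned = spf == "pass" and env["mailfrom_domain"] == env["header_from"]
    dkim_aligned = env["dkim"] == "pass" and env["dkim_d"] == env["header_from"]
    claims_org = env["header_from"] == org_domain
    # The linked transport rule: From: is our domain, the message is external
    # and nothing authenticates it for our domain => quarantine.
    action = "quarantine" if claims_org and not (spf_aligned or dkim_aligned) else "deliver"
    return {"spf": spf, "spf_aligned": spf_aligned, "claims_org": claims_org, "action": action}


# Constructed headers modelled on the one in the question.
SPOOFED_FROM = """spf=pass (sender IP is 192.0.2.5) smtp.mailfrom=thespammer.xx;
 dkim=none (message not signed) header.d=none; header.from=YourOwnDomain.com"""
FORGED_ENVELOPE = """spf=fail (sender IP is 192.0.2.5) smtp.mailfrom=YourOwnDomain.com;
 dkim=none (message not signed) header.d=none; header.from=YourOwnDomain.com"""
LEGITIMATE = """spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=YourOwnDomain.com;
 dkim=none (message not signed) header.d=none; header.from=YourOwnDomain.com"""

if __name__ == "__main__":
    for name, hdr in (("spoofed From:", SPOOFED_FROM),
                      ("forged envelope", FORGED_ENVELOPE),
                      ("legitimate", LEGITIMATE)):
        print(name, evaluate(hdr))
```

Running it shows the three cases the page discusses: the spammer's own MAIL FROM passes SPF for thespammer.xx yet is quarantined because that pass does not align with the spoofed From:, a forged MAIL FROM of your domain fails against the `-all` record, and a message from an address listed in your SPF record is delivered. If you remove your domain from SPF_RECORDS, spf_check returns "none", which is exactly the header state the question shows and the reason the answer says to publish the record first.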