I have an interesting issue with Exchange where it appears to check and stamp spoofed messages from external domains but not ones it has set up to send from. For example, I can spoof a message from 1@example.com, where example.com has a valid SPF record, and Exchange will check it and mark it as Junk in Outlook. When I send a spoofed email from 1@mycompany.com, Exchange does not appear to check the SPF, as it doesn't get moved to Junk.
The environment is Exchange 2013 with two SPF records, one on the external DNS and one on the internal with some extra IPs so printers etc. can function. The internal record was necessary because the internal domain and the external one are the same. nslookup on the Exchange servers shows the text record for mydomain.com:
v=spf1 include:spf.hes.trendmicro.com -all
v=spf1 ip4:10.0.0.1/16 ip4:$external include:spf.hes.trendmicro.com -all
The Exchange SenderIdConfig is as below:
RunspaceId : e71ca342-a96a-4af4-a278-e423c3952af9
SpoofedDomainAction : StampStatus
TempErrorAction : StampStatus
BypassedRecipients : {}
BypassedSenderDomains : {}
Name : SenderIdConfig
Enabled : True
ExternalMailEnabled : True
InternalMailEnabled : False
I have tested with InternalMailEnabled set to $true, but that doesn't seem to help, and frankly I'm running out of ideas as to what's going on here.
If anyone is interested, or if it makes any difference, I'm spoofing the messages using mutt on my own webserver, so it is definitely not covered by the SPF records in any way. The reason I'm trying to do this is that a scammer managed to spoof their way to almost getting some financial info from one of our accountants by pretending to be the CEO.
If anyone can provide some advice on what I can change, or where I can look for more info on what's happening to the messages, I would be much obliged.
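To reason about what the record in the question should produce for a given sending address, here is a minimal SPF evaluator written as an added example; it is not code from the original post or from Exchange. It implements only the mechanisms the two records use (ip4, include, all, with the + - ~ ? qualifiers) and replaces DNS with a constructed in-memory table: the $external address from the post is stood in by 203.0.113.10, and the contents of spf.hes.trendmicro.com are a made-up placeholder, since they are not on the page.

```python
"""Toy SPF evaluator (added example, not part of the original post).

Subset of RFC 7208: mechanisms ip4, include and all with qualifiers.
DNS is replaced by FAKE_DNS so the script runs offline.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups. 203.0.113.10 replaces the
# "$external" placeholder from the question; the trendmicro record is invented.
FAKE_DNS = {
    "mycompany.com": (
        "v=spf1 ip4:10.0.0.1/16 ip4:203.0.113.10 "
        "include:spf.hes.trendmicro.com -all"
    ),
    "spf.hes.trendmicro.com": "v=spf1 ip4:198.51.100.0/24 -all",  # constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Return the SPF TXT record for a domain from the constructed table."""
    return FAKE_DNS.get(domain.lower())


def check_host(ip, domain, dns=lookup_txt, depth=0):
    """Evaluate sender address `ip` against the SPF record of `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 limits include recursion
        return "permerror"
    record = dns(domain)
    if record is None:
        return "none"                   # no SPF record published at all
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"                 # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if not arg:
            return "permerror"          # ip4/include need an argument
        if name == "ip4":
            # strict=False accepts host bits set in the prefix, so
            # "10.0.0.1/16" is treated as the 10.0.0.0/16 network, which
            # is how SPF reads it.
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == 4 and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields "pass";
            # a "fail" inside the include just means "keep evaluating".
            if check_host(ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # mechanism not implemented here
    return "neutral"                    # ran off the end without an "all"


if __name__ == "__main__":
    # 192.0.2.44 is a constructed address standing in for a webserver that
    # appears in neither record, i.e. a sender that should get "fail".
    for sender in ("10.0.5.7", "203.0.113.10", "198.51.100.25", "192.0.2.44"):
        print(sender, "->", check_host(sender, "mycompany.com"))
```

A "fail" here for the webserver address means the record itself is fine and the question is purely whether the server actually ran the check. One detail worth keeping in mind when reading Exchange's stamps: the Sender ID agent evaluates the purported responsible address derived from the message headers (Resent-Sender, Resent-From, Sender, From), not only the SMTP envelope MAIL FROM that plain SPF checks, so a message whose From header is forged can be flagged even when its envelope sender passes.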