Understanding how Exchange Transport Rules work on the Sender
One of the more powerful features in Exchange Online Protection (EOP) are Exchange Transport Rules, also known as ETRs. These have a variety of functionality but the one I want to focus on is how they operate on the sender of a message.
The following web pages describes the predicates of an ETR, that is, the parts of a message that you can conditionally look for:
One of the predicate names is "The Sender Is" whose name in Powershell is "From." The description is "From matches messages sent by the specified mailboxes, mail-enabled users, or contacts."
This can be a little confusing because in email, the message sender can refer to multiple things:
The sender in the 5321.MailFrom, sometimes referred to as the P1 From
The sender in the 5322.From, the one that shows up in your email client, sometimes referred to as the Display From:, or Message From:.
The Sender: header which is inserted when email is sent on behalf of another, depending on the email client
The Reply-To field, for when users click “Reply” the messages goes to this email address rather than any of the above ones
Give that there are so many possible “Senders”, which one does the “From” predicate match?
The answer is that it matches the 5322.From header.
It does not match either the 5321.MailFrom, the Sender: header or the Reply-To. This is different than user-level safe senders which match the 5321.MailFrom header. For more details on that, I go into more details in these two articles:
How to use safe senders in EOP and FOPE
Why do safe senders in EOP and FOPE operate on the 5321.MailFrom instead of the 5322.From address?
How do you write an ETR on the 5321.MailFrom? You write it on the Return-Path header. This header is stamped by the mail server when it receives a message and it is available for scanning in the Transport Rule engine.
To do this in Powershell:
New-TransportRule "Safe Sender ETR for Return-Path" -HeaderContainsMessageHeader "Return-Path" -HeaderContainsWords "user@example.com" -SetHeaderName "X-ETR-Safe-Sender-Return-Path" -SetHeaderValue "user@example.com" -SetSCL -1
To do this using the Exchange Admin Center, navigate to Admin –> Exchange –> mail flow –> rules –> create new rule (click the + sign):
What this does is bypass filtering if the 5321.MailFrom is user@example.com and stamps the header X-ETR-Safe-Sender-Return-Path: user@example.com for troubleshooting if someone ever gets spam from this sender. They will know that it was an ETR that acts as a safe sender on the Return-Path header. Adding this header is not necessary but I like to do it because I have a tendency to forget what ETRs I have created in the past.
The above is how ETRs operate on the From: address and how to operate on the 5321.MailFrom address.