Last update: June 28th, 2022
By default, Microsoft takes no action on an SPF fail. Configure stricter processing on EOP (Exchange Online Protection) for better protection.
SPF, or Sender Policy Framework, is a method to validate that an email may be sent on behalf of a specific domain (from a declared host or IP address).
When the IP address of a sender and the domain's SPF record don't match (an SPF fail, TempError or PermError result), their emails still end up in your inbox by default. For better protection on inbound email, you can set up a stricter filtering method by updating your filtering policy.
Sending messages to the Junk folder
1. Log in to Microsoft 365 Defender.
2. Go to Policies & rules > Threat policies > Anti-spam.
3. Click on Anti-spam inbound policy (Default).
4. In the section Bulk email threshold & spam properties, click on Edit spam threshold and properties.
5. Turn the SPF record: hard fail toggle on and click Save.
After a few minutes, incoming emails will be moved to the Junk folder whenever the sender's IP address and the SPF record don't match.
Strict reject
If you want to respect the SPF RFC, the message must be rejected when the result is a PermError or an SPF fail. To be strict on such results, you have to add a mail flow rule.
1. Log in to Microsoft 365 admin center and click Show all > Exchange in the left menu.
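Both settings above (the Junk folder policy and the strict reject rule), as an added PowerShell example that is not part of the original page; it uses the ExchangeOnlineManagement module and assumes the default anti-spam policy is named "Default" and that the mail flow rule keys on the Authentication-Results header that EOP stamps on inbound mail.

```powershell
# Added example (not from the original page): apply both settings from
# Exchange Online PowerShell instead of the Defender / Exchange admin UI.
# Assumes the ExchangeOnlineManagement module is installed and the
# account holds a role allowed to edit anti-spam policies and mail flow rules.
Connect-ExchangeOnline

# --- 1. "Sending messages to the Junk folder" --------------------------
# Equivalent of turning on "SPF record: hard fail" in the default
# anti-spam inbound policy (policy name "Default" is an assumption).
Set-HostedContentFilterPolicy -Identity "Default" -MarkAsSpamSpfRecordHardFail On

# Verify that the change took effect.
Get-HostedContentFilterPolicy -Identity "Default" |
    Select-Object Name, MarkAsSpamSpfRecordHardFail

# --- 2. "Strict reject" -------------------------------------------------
# Mail flow (transport) rule that rejects messages whose SPF result is
# fail or permerror, as the SPF RFC prescribes. EOP records the result in
# the Authentication-Results header, e.g. "spf=fail (sender IP is ...)";
# matching that header with a regex is this example's assumption, not
# something the page states.
$ruleName = "Reject SPF fail or permerror"
New-TransportRule -Name $ruleName `
    -Comments "Strict SPF handling: reject on spf=fail / spf=permerror" `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns "spf=(fail|permerror)" `
    -RejectMessageReasonText "Message rejected: SPF check failed for the sending domain" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit   # start in audit mode; switch to Enforce once validated

# After reviewing the audited matches in message trace, enforce the rule.
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Running the rule in Audit mode first lets you confirm through message trace which senders would be rejected before any mail is actually bounced.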