Add a Trusted ARC Sealer to Microsoft 365 for SPF Failures

Created by Jason Carreiro, Modified on Wed, 19 Apr, 2023 at 5:41 PM by Jason Carreiro


Situation:


The following article below applies to the following O365 package platforms:


  • Exchange Online Protection
  • Microsoft Defender for Office 365 plan 1 and plan 2
  • Microsoft 365 Defender

Email authentication mechanisms like SPFDKIMDMARC are used to verify the senders of emails for the safety of email recipients, but some legitimate services may make changes to the email between the sender and recipient. In Microsoft 365 Defender, ARC will help reduce SPF, DKIM, and DMARC delivery failures that happen due to legitimate indirect mailflows. The same can be said for email delivery from ProofPoint Essentials to O365 tenants inbound emails.


By adding a trusted ARC sealer, Office 365 validates and trusts the authentication results that the sealer provides when delivering mail to your tenant in Office 365. 



Solution:


Administrators should add only legitimate services as trusted ARC sealers. Adding only services the organization expressly uses and knows will help messages that must first go through a service to pass email authentication checks, and prevent legitimate messages from being sent to Junk due to authentication failures. 


Trusted ARC sealers in Microsoft 365 Defender portal shows all the ARC sealers acknowledged by and added to your tenant. 


To add a new Trusted ARC sealer in the Microsoft 365 Defender portal: 


1- In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies.




2- Under Threat Policies go to Email Authentication Settings in the Rules section.



3- In this section select the ARC tab on the page.



4- If this is the first time you've added a trusted ARC sealer, click the Add button.



5- The domain name you enter here must be a match to the domain shown in the domain 'd' tag in ARC-Seal and ARC-Message-Signature headers (on the email headers for the message). The header extraction can be obtained from the following header analyzer site https://mha.azurewebsites.net



6- Add trusted ARC sealers in the textbox shown as indicated in step 5 above and click Save.