1. Diagnosis and Required Information

The quarantine details indicate that the email was blocked by the Office365 AntiPhish Default policy with the reason Phish / Spoof DMARC. This often occurs when a legitimate internal or third-party service sends an email on behalf of your domain but fails Microsoft 365's authentication checks (SPF, DKIM, or DMARC).

To create the correct exclusion, you need two pieces of information from the quarantine report:

| Detail | Field in Report | Value from Example |
|---|---|---|
| Spoofed Sender Address | Sender address | itsupport@cyp.org.au |
| Sending Infrastructure | Sender IP | 203.44.156.236 |

2. Recommended Solution: Tenant Allow/Block List (Spoofed Senders)

The most targeted way to allow a legitimate spoofed sender is by adding the specific sender/infrastructure pair to the Tenant Allow/Block List in the Microsoft 365 Defender portal.

Step A: Access the Tenant Allow/Block List

  1. Sign in to the Microsoft 365 Defender portal (https://security.microsoft.com) as a Security Administrator.

  2. Navigate to Email & collaboration > Policies & rules > Threat policies.

  3. Select Tenant Allow/Block Lists.

  4. Go to the Spoofed senders tab.

  5. Click Add.

Step B: Populate the "Add new domain pairs" Form

Use the data gathered in section 1 to fill out the form (as shown in your screenshot):

| Form Field | Selection/Input | Explanation |
|---|---|---|
| Add domain pairs with wildcards | itsupport@cyp.org.au, 203.44.156.236 | The first value is the Spoofed User (sender email), and the second is the Sending Infrastructure (Sender IP). They must be separated by a comma. |
| Spoof type | External | The message is coming from an external IP (203.44.156.236) but is spoofing your internal domain (cyp.org.au). |
| Action | Allow | This tells the policy to permit delivery of messages matching this pair. |

Example Input for the Text Box:

    itsupport@cyp.org.au, 203.44.156.236

  1. Click Add to save the exclusion.


3. Alternative Solution: Mail Flow Rule (Transport Rule)

If the Tenant Allow/Block List is not an option or doesn't work, you can create a Mail Flow Rule in the Exchange Admin Center to bypass anti-phishing protection for the specific sender IP.

  1. Sign in to the Exchange Admin Center (EAC).

  2. Go to Mail flow > Rules.

  3. Click Add a rule and select Create a new rule...

  4. Set Conditions:

    • Under Apply this rule if... select: The sender > IP address is in any of these ranges or exactly matches.

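    • Enter the Sender IP: 203.44.156.236 and add it. With this as the only condition, the rule matches every message from that IP, whatever sender address it carries.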

  5. Set Action:

    • Under Do the following... select: Modify the message properties > set a message header.

    • Set the message header to: X-Forefront-Antispam-Report

    • Set the value to: SFV:SKI;CAT:NONE; (This instructs the filtering engine to skip anti-spam/phishing checks).

  6. Save the rule.


4. Important Security Note (Long-Term Fix)

Relying on security exclusions is a workaround. For the most secure and reliable long-term solution, you should address the root cause: the failed email authentication.

The report shows:

  • DMARC: Fail

  • SPF: Soft fail

  • DKIM: None

You should contact your hosting provider or the administrator of the 203.44.156.236 IP to ensure:

  1. Your domain's SPF record for cyp.org.au is updated to explicitly include the sending IP address 203.44.156.236.

  2. DKIM signing is properly configured and enabled for this sending service.

Fixing the authentication will allow the messages to pass DMARC/SPF/DKIM checks, eliminating the need for the security exclusion.
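
To check the SPF change before publishing it, the sketch below evaluates a record against the sender IP from the quarantine report. It is an added example, not part of the original answer or any Microsoft tooling: both SPF records, the include host `_spf.provider.example` and the lookup table are constructed, and only a subset of SPF mechanisms is modelled.

```python
import ipaddress

# Constructed sample data: NOT the real DNS records for cyp.org.au.
SENDER_IP = "203.44.156.236"  # Sender IP from the quarantine report
CONSTRUCTED_DNS = {  # stand-in for TXT lookups; the include host is hypothetical
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
SPF_BEFORE = "v=spf1 include:_spf.provider.example ~all"
SPF_AFTER = "v=spf1 include:_spf.provider.example ip4:203.44.156.236 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, ip, dns=CONSTRUCTED_DNS, depth=0):
    """Evaluate ip4/ip6/include/all left to right (a subset of RFC 7208)."""
    if depth > 10:  # guard against include loops
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            if value not in dns:
                return "permerror"  # include target publishes no SPF record
            inner = check_spf(dns[value], ip, dns, depth + 1)
            if inner in ("permerror", "none"):
                return "permerror"
            matched = inner == "pass"  # only an inner pass counts as a match
        else:
            continue  # a, mx, exists, ptr and modifiers are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    for label, rec in (("before", SPF_BEFORE), ("after", SPF_AFTER)):
        print(label, check_spf(rec, SENDER_IP))
```

An SPF pass only produces a DMARC pass when the domain SPF authenticated (the MAIL FROM domain) aligns with the From domain, so confirm alignment as well after updating the record.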