Enhanced Filtering for Connectors: SPF failures in Defender for Office 365

Thu, 04 Jun 2026 08:15:02 +0000

Enhanced Filtering for Connectors¹ (aka skip listing) lets Exchange Online and Defender for Office 365 see the actual sender IP address instead of only the last hop. This is required so that MDO can verify message authentication attributes such as SPF, DMARC, and DKIM. Microsoft recommends it in its guides for third party mail flows² ³ to get the full value out of MDO.

Without enhanced filtering, MDO only sees your 3rd party gateway as the sender for incoming e-mails. As a result, you lose important sender metadata, which degrades your experience in Threat Explorer, Advanced Hunting, and the Tenant Allow/Block List.

The mail flow in the environment roughly looks like this, with the 3rd party gateway acting as the MX for inbound mail and as the smart host for outbound mail. Exchange Online is connected to an on-premises Exchange server via the hybrid connector:

flowchart LR
 Internet([Internet])
 Gateway[3rd Party
Mail Gateway
MX record]
 EXO[Exchange Online
Defender for Office 365]
 OnPrem[On-Premises
Exchange Server]

 %% Inbound flow
 Internet --> Gateway
 Gateway -- "Partner connector
+ Enhanced Filtering" --> EXO
 EXO -- "Hybrid connector" --> OnPrem

 %% Outbound flow
 OnPrem -. "Hybrid connector
+ Enhanced Filtering" .-> EXO
 EXO -. "Partner connector" .-> Gateway
 Gateway .-> Internet

 classDef cloud fill:#e6f2ff,stroke:#0078d4,color:#000
 classDef onprem fill:#fff4e6,stroke:#d97706,color:#000
 classDef gw fill:#f3e8ff,stroke:#7c3aed,color:#000
 class EXO cloud
 class OnPrem onprem
 class Gateway gw

Following the Microsoft recommendation, enhanced filtering was enabled on both the 3rd party connector and the Exchange hybrid connectors.

MDO on Nicola Suter

Enhanced Filtering for Connectors: SPF failures in Defender for Office 365