Hello, MessageLabs support,
I recently noticed the following problem:
A fake e-mail message from "Microsoft", which had neither passed the SPF nor the DMARC test on MessageLabs,
was finally transferred thanks to the "Approved Senders" entry for microsoft.com.
So far we have always assumed the opposite with the "Approved Senders":
A verified user (SPF ok, DMARC ok) is mistakenly recognized as SPAM and can finally via Approved Sender be unlocked.
The order of the checks should be as follows:
SPF ok -> DMARC ok -> Approved senders -> message is sent
Now the logical order is:
SPF not ok -> DMARC not ok -> Allowed senders ok (but fake) -> message is sent
Approved transmitters are currently overriding both SPF and DMARC, which can be very dangerous.
The improvment for MessageLabs, would be some kind of switch in order to change the default behaviour from the logical order.
Best regards