
Why external emails look like they’re from your own staff

Emails appearing to come from trusted colleagues but arriving from outside your business is more common than you’d think. Here’s what’s usually behind it.

By The Dragon Digital team

Photo by RDNE Stock project on Pexels

Imagine opening your inbox and seeing an email from a trusted colleague — except it came from somewhere outside your business entirely. Your authentication records are all in order, yet it still got through. Unsettling, right?

This is something we’ve seen crop up in Microsoft 365 environments, and it catches a lot of business owners off guard. An email claims to be from someone inside your organisation, but the server that actually sent it is external. SPF, DKIM, and DMARC (the three main email authentication checks) should stop this sort of thing — but sometimes they don’t, and there’s usually a straightforward reason why.

The most likely culprit

More often than not, this isn’t a sophisticated attack. It’s a legitimate system that’s been quietly misconfigured. A few common causes we see:

  • A printer, scanner, or legacy system sending alerts using your domain name but not authenticating properly
  • A third-party app — accounting software, a CRM, or a backup tool — relaying emails without the right credentials
  • A shared mailbox or distribution list with forwarding rules that nobody has reviewed in years

None of these are malicious by themselves, but they create a gap that a real attacker could walk through.

How to get to the bottom of it

The best starting point is the message trace tool in Exchange Online. Pull up the full email headers and look at the path the message actually took to reach you — you’ll usually spot an unexpected server hop fairly quickly.

From there, check forwarding rules on shared mailboxes and any third-party integrations. If a device or application is sending mail on behalf of your domain, it needs to be authenticated properly, either through SMTP AUTH or a dedicated connector set up in Microsoft 365.

It’s also worth reviewing your DMARC policy. If it’s set to “none” (p=none), receiving servers only report on failures and take no action, so it’s effectively just watching. Setting it to “quarantine” or “reject” tells receiving servers to filter or block messages that fail authentication before they land in anyone’s inbox.
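To show the two checks above in practice (reading the Received: chain and Authentication-Results from a message trace, then reading the p= tag of a DMARC record), here is a small added Python script that is not part of the original post. The headers, the tenant domain example.com and the trusted-origin host list are constructed placeholders; a real investigation would use the headers exported from your own Exchange Online message trace and your own sending hosts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message). From: claims our own domain,
# but the earliest Received: hop is an unknown external host and no check passed.
SAMPLE_HEADERS = """\
Received: from mail-eur.protection.outlook.com (104.47.0.1) by EX01.example.com; Mon, 3 Jun 2024 09:12:01 +0000
Received: from printer-relay.example.net (203.0.113.25) by mail-eur.protection.outlook.com; Mon, 3 Jun 2024 09:11:58 +0000
Authentication-Results: spf=none (sender IP is 203.0.113.25) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none; dmarc=none action=none header.from=example.com
From: "Alice Smith" <alice@example.com>
Subject: Scanned document from MFP-02
"""
OUR_DOMAIN = "example.com"                              # assumed tenant domain (placeholder)
TRUSTED_ORIGINS = {"mail-eur.protection.outlook.com"}   # assumed: hosts allowed to originate our mail

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([\d.]+)\)")

def received_hops(raw_headers):
    """(host, ip) for each Received: header, earliest hop first (servers prepend Received:)."""
    hops = [HOP_RE.search(v) for v in message_from_string(raw_headers).get_all("Received", [])]
    return [(m.group(1), m.group(2)) for m in reversed(hops) if m]

def auth_results(raw_headers):
    """spf/dkim/dmarc verdicts from Authentication-Results, e.g. {'spf': 'none', ...}."""
    results = {}
    for v in message_from_string(raw_headers).get_all("Authentication-Results", []):
        results.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", v))
    return results

def assess(raw_headers, our_domain=OUR_DOMAIN, trusted=TRUSTED_ORIGINS):
    """Flag a message whose From: is our domain but whose first hop is an untrusted host."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(raw_headers)
    origin = hops[0][0] if hops else None
    auth = auth_results(raw_headers)
    suspicious = from_domain == our_domain and origin not in trusted and auth.get("dmarc") != "pass"
    return {"from_domain": from_domain, "origin_host": origin, "auth": auth, "suspicious": suspicious}

def dmarc_policy(txt_record):
    """p= tag of a DMARC TXT record; 'none' means monitor only, nothing is blocked."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    return tags.get("p", "none").strip()

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
    print(dmarc_policy("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

In the sample the origin host is the external printer relay and every check reads "none", which is exactly the misconfigured-device pattern described above; once that device sends through an authenticated connector, the first hop becomes a trusted host and DMARC passes.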

Worth a proper look

If you’re not sure whether your Microsoft 365 email setup is as tight as it should be, it’s worth finding out. These things tend to build up gradually — a printer added here, a new app integrated there — and before long you’ve got a handful of systems that nobody’s checked in years.

We’re happy to take a look at your setup and make sure everything is sorted. No jargon, no drama — just peace of mind that your email defences are doing their job. Give us a shout.
