Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

The Sender ID agent is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail is sent. Sender ID validates the origin of e-mail by verifying the IP address of the sender against the purported owner of the sender domain.

This topic explains how to use the EMC or the Shell to configure Sender ID.

Note:
Sender ID is part of the suite of anti-spam features in Exchange. The anti-spam features are only available on Edge Transport servers by default. You can enable anti-spam features on a Hub Transport server even though it isn't recommended. To learn more about enabling anti-spam features on a Hub Transport server, see Enable Anti-Spam Functionality on a Hub Transport Server. The procedures listed in this topic are for configuring anti-spam functionality on an Edge Transport server, but the process is identical on Hub Transport servers.

What Do You Want to Do?

Use the EMC to configure Sender ID action for spoofed messages

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.

  1. In the console tree, click Edge Transport.

  2. In the result pane, click the Edge server you want to configure and then select the Anti-spam tab in the work pane.

  3. Right-click Sender ID and then select Properties.

  4. The General tab displays the following information about the Sender ID feature.

    • Status   Shows whether the Sender ID feature is enabled or disabled.

    • Modified   Shows the date and time when Sender ID properties were last modified.

    • Description   Provides a brief description of the Sender ID feature.

  5. Use the Action tab on the Sender ID properties to configure Sender ID to take one of the following actions when Sender ID determines that a message is spoofed or when a transient error is returned.

    • Reject message   To reject the message and send a SMTP error response to the sending server, select Reject message. The SMTP error response is a 5xx level protocol response with text that corresponds to the Sender ID status.

    • Delete message   To delete the message without informing the sending server of the deletion, select Delete message. The Edge Transport server sends a fake "OK" SMTP command to the sending server and then deletes the message.

    • Stamp message with Sender ID result and continue processing   To stamp the message with the Sender ID status, select this option. This metadata is evaluated by the Content Filter agent when a spam confidence level (SCL) is calculated. This setting is the default option for Sender ID properties.

Use the Shell to configure Sender ID

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.

You use the Set-SenderIDConfig cmdlet to configure Sender ID options and actions. Although the EMC only allows you to configure actions for messages that are spoofed, you can also configure actions for transient failures using the Shell. For example, it's considered a transient error if a DNS server is unavailable when Exchange attempts to verify the Sender ID for a sending domain. Another thing you can only do in the Shell is to configure exceptions for specific sending domains or recipients. The following sections provide examples of how you can use the Set-SenderIDConfig cmdlet to accomplish these various tasks.

Use the Shell to configure Sender ID action for spoofed messages

The following example configures the Sender ID agent to reject any messages that were spoofed. These are messages where the IP address of the sending server isn't listed as an authoritative SMTP sending server in the DNS Sender Policy Framework record for the sending domain.

Copy Code
Set-SenderIDConfig -SpoofedDomainAction Reject

For detailed syntax and parameter information, see Set-SenderIdConfig.

Use the Shell to configure Sender ID action for transient errors

The following example configures the Sender ID agent to stamp the messages for which the Sender ID status can't be determined due to a temporary error. The message will be processed by other anti-spam agents and the Content Filter agent will use the mark when determining the SCL value for the message.

Copy Code
Set-SenderIDConfig -TempErrorAction StampStatus

For detailed syntax and parameter information, see Set-SenderIdConfig.

Use the Shell to configure recipient and sender domain exceptions

The following example configures the Sender ID agent to bypass the Sender ID check for the specific recipients kim@contoso.com and john@contoso.com:

Copy Code
Set-SenderIDConfig -BypassedRecipients kim@contoso.com,john@contoso.com

The following example configures the Sender ID agent to bypass the Sender ID check for messages that are received from the specific domain fabrikam.com.

Copy Code
Set-SenderIDConfig -BypassedSenderDomains fabrikam.com

The values that you specify by using the parameters shown in the examples in this section replace the existing list of exceptions. To preserve the existing list of recipients or sender domains, you could specify the existing values along with any new exceptions you want to add. However, this can be a cumbersome task especially if you have many recipients or domains for which you want to bypass Sender ID checking. Instead, you can use a temporary Shell variable to add a recipient or domain to the exceptions list. The following example uses the temporary variable $Configuration to add the domain tailspintoys.com to the list of domains for which you want to bypass Sender ID check:

Copy Code
$Configuration = Get-SenderIDConfig
$Configuration.BypassedSenderDomains += "tailspintoys.com"
Set-SenderIDConfig -BypassedSenderDomains $Configuration.BypassedSenderDomains

For detailed syntax and parameter information, see Set-SenderIdConfig.