If you configured your SpamHero account prior to January 2023, you may have followed older setup instructions that suggested adding a mail transport rule (now commonly referred to as a mail flow rule). It was later discovered that this rule could cause unintended side effects in certain Microsoft 365 workflows.

Symptoms and problems

• Forwarded calendar invitations fail to deliver
• Internally forwarded messages are treated as external
• Message recall notifications are quarantined

Why this happens

Our older Microsoft 365 configuration instructions suggested using a mail transport rule (now called a mail flow rule in the Microsoft 365 control panel) to block messages that were not filtered by SpamHero.

That rule works by assuming that any message which appears to come from outside the organization should be treated as external mail and blocked or quarantined unless it originated from SpamHero's delivery IPs.

However, Microsoft 365 sometimes generates messages internally — such as forwarded calendar invitations, meeting updates, and message recall notifications — that still retain the original external sender address.

Although these messages are created and authenticated inside Microsoft 365, the transport rule misclassifies them as external mail and blocks or quarantines them, even though they never entered Microsoft 365 from the outside.

Solution

It is recommended that you remove the old "Inbound SpamHero" mail flow rule and instead use a Microsoft 365 connector to restrict inbound delivery at the SMTP level.

• First, add the new Microsoft 365 connector rule
   
  Following the instructions in this article:
  Locking down Microsoft 365 / Office 365 to only accept mail from SpamHero
   
• Next, remove the old Inbound SpamHero transport rule
  Here's an overview of how to remove the old transport rule:
   
  1. Go to the Exchange admin center
  2. Navigate to Mail flow > Rules
  3. Locate any rule intended to restrict inbound mail to SpamHero IPs
     • The original instructions suggested calling the rule "Inbound SpamHero"
  4. Disable the rule
  5. Monitor mail flow briefly to confirm normal delivery
  6. Once confirmed, delete the rule

Alternative workaround (fixing the rule)

This approach isn't officially supported by SpamHero, but has been reported to work for customers who prefer to keep an existing mail flow rule. You can update the "Inbound SpamHero" rule so that it applies only to unauthenticated external messages.

The rule must include both conditions:

• The sender is located NotInOrganization
• AND the message header X-MS-Exchange-Organization-AuthAs contains Anonymous

This should ensure that the rule applies only to truly external messages and not to internally generated mail.