Allowed domains SHALL NOT be added to inbound anti-spam protection policies.

Why This Matters

Allowing specific domains in inbound anti-spam policies bypasses Microsoft's filtering for emails from those domains. This can let malicious emails from supposedly trusted domains reach users' inboxes, increasing the risk of phishing and malware attacks.

What Aether365 Checks

Aether365 verifies that no domains are configured as allowed domains in any inbound anti-spam protection policy. This check appears in the Aether365 dashboard under microsoft-365 checks as item CISA.MS.EXO.14.3.
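
The same condition can be audited by hand in Exchange Online PowerShell. The following is an added example, not Aether365's own code: the function name `Get-AllowedDomainFinding` and the sample policies are constructed for illustration, and it assumes policy objects shaped like the output of `Get-HostedContentFilterPolicy`, whose `AllowedSenderDomains` property holds the allowed domains.

```powershell
# Added example (not Aether365's implementation): flag inbound anti-spam
# policies that have any allowed sender domains configured.
function Get-AllowedDomainFinding {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-HostedContentFilterPolicy output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Policy
    )
    process {
        foreach ($p in $Policy) {
            # AllowedSenderDomains may be $null, empty, or a collection;
            # normalise to an array of non-empty strings.
            $domains = @(
                $p.AllowedSenderDomains |
                    ForEach-Object { "$_".Trim() } |
                    Where-Object { $_ }
            )
            [pscustomobject]@{
                Policy         = $p.Name
                AllowedDomains = $domains
                Compliant      = ($domains.Count -eq 0)
            }
        }
    }
}

# Constructed sample data standing in for real tenant policies.
$sample = @(
    [pscustomobject]@{ Name = 'Default'; AllowedSenderDomains = @() }
    [pscustomobject]@{ Name = 'Partners (constructed)'
                       AllowedSenderDomains = @('partner.example', 'vendor.example') }
    [pscustomobject]@{ Name = 'Finance (constructed)'; AllowedSenderDomains = $null }
)

$findings = $sample | Get-AllowedDomainFinding
$findings | Format-Table Policy, Compliant,
    @{ Name = 'AllowedDomains'; Expression = { $_.AllowedDomains -join ', ' } }

# Against a live tenant, after Connect-ExchangeOnline:
#   Get-HostedContentFilterPolicy | Get-AllowedDomainFinding |
#       Where-Object { -not $_.Compliant }
```

Any policy reported with `Compliant` set to `False` has at least one allowed domain and fails the requirement stated at the top of this page.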