The following headers can be used to filter email messages. A typical use case is to create transport rules that decide the disposition of messages based on these criteria. Each flag triggers an in-message warning and also adds the header used for filtering.

For example, if the domainimp flag is present, route the email to an admin quarantine and alert the admin to review it and release it if safe.

X-PhishProtection-Warning: external_sender

Triggered when an email comes from an external domain. This is probably the simplest example and adds to the existing functionality of services like Office 365. The message is not only tagged as external, but the sending domains are incorporated into the warning displayed to the end user.

X-PhishProtection-Warning: senderspoof
X-PhishProtection-Warning: senderimp 

Triggered when an email's friendly From: name impersonates a user in the organization.

X-PhishProtection-Warning: spf_soft_fail 

Triggered when an email comes from a server whose IP is not listed in the SPF record for the sending domain. It could be a misconfiguration or a spoofing attempt.

X-PhishProtection-Warning: spf_soft_fail_self

Triggered when an email comes from a server that is not listed in your domain's SPF record and your SPF record is set to ~all rather than -all. This means that you are receiving emails from your own domain, from a set of servers not explicitly permitted by your SPF policy. This may be spoofing, but because of the SPF policy we are not rejecting the email.

X-PhishProtection-Warning: domainimp

Triggered when an email is sent from a domain that closely matches your own internal domain. This is flagged as red, as it is more than likely a phishing attempt. This rule may trigger (but can be whitelisted) if you have multiple legitimate top-level domains on different extensions, like .com and .net.
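
The filtering logic described above, as an added example (not code from the service): it reads every instance of the header and matches each value exactly, so spf_soft_fail_self is never mistaken for spf_soft_fail by a substring match. Assumptions: one flag per header instance, the header was stamped by the filtering service rather than supplied by the sender, and every disposition other than the domainimp quarantine rule is illustrative.

```python
from email import message_from_string

HEADER = "X-PhishProtection-Warning"
# Flag values listed on this page.
KNOWN_FLAGS = {"external_sender", "senderspoof", "senderimp",
               "spf_soft_fail", "spf_soft_fail_self", "domainimp"}
# Only the domainimp -> quarantine rule comes from the page; the rest of
# this policy is an assumption made for the example.
QUARANTINE_FLAGS = {"domainimp"}


def warning_flags(raw_message):
    """Return (known, unknown) flag sets from every instance of the header."""
    msg = message_from_string(raw_message)
    values = {v.strip().lower() for v in msg.get_all(HEADER, [])}
    values.discard("")
    # Exact set membership: no substring or prefix matching.
    return values & KNOWN_FLAGS, values - KNOWN_FLAGS


def disposition(raw_message):
    """Map a message to 'quarantine', 'deliver_with_warning' or 'deliver'."""
    known, unknown = warning_flags(raw_message)
    if known & QUARANTINE_FLAGS:
        return "quarantine"  # hold for admin review and release
    if known or unknown:
        return "deliver_with_warning"  # assumed handling for other flags
    return "deliver"


# Constructed sample messages (not real mail).
SAMPLE_IMPERSONATION = (
    "From: Pat Example <pat@examp1e.test>\n"
    "To: user@example.test\n"
    "X-PhishProtection-Warning: external_sender\n"
    "X-PhishProtection-Warning: domainimp\n"
    "\n"
    "body\n"
)
SAMPLE_SELF_SOFTFAIL = (
    "From: user@example.test\n"
    "To: user@example.test\n"
    "X-PhishProtection-Warning: spf_soft_fail_self \n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_IMPERSONATION, SAMPLE_SELF_SOFTFAIL):
        print(sorted(warning_flags(raw)[0]), disposition(raw))
```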