The following headers can be used to filter email messages. A typical use case would be to create transport rules to disposition the messages based on the criteria. Headers will trigger an in message warning as well as the headers for filtering.
An example if the domainimp flag is present, route the email to an admin quarantine and alert the admin to review and release if safe.
Triggered when an email comes from an external domain. This is probably the simplest example and adds to the existing functionality of services like Office 365. The message is not only tagged as external, but the sending domains are incorporated into the warning displayed to the end user:
Triggered when an email is trying to impersonate the Friendly From: with a name of a user in the organization.
Triggered is an email from a server that the sender's IP is not listed in the SPF record for the sending domain. It could be a misconfiguration or a spoofing attempt.
Triggered is an email from a server that is not listed in your domains SPF record and your SPF record is set to ~all rather than -all. This means that you are receiving emails from your own domain, from a set of servers not explicitly permitted by your SPF policy. This may be spoofing, but because of the SPF policy we are not rejecting the email.
Triggered when an email is sent from a domain that closely matches your own internal domain. This is flagged as red, as it is more than likely a phishing attempt. This rule may trigger (but can be whitelisted) if you have multiple legitimate top level domains that are on different extensions, like .com and .net.