Configuring O365 Transport Rule to avoid sending "spoofed" emails to the DLP Cloud Service

Article ID: 210786

Products

Data Loss Prevention Cloud Service for Email

Issue/Introduction

Some of your outbound email is sent from a domain other than the one(s) configured for your DLP Cloud Service for Email integration.

You have followed the existing documentation (Cloud Service for Email Implementation Guide) and created a Transport Rule that is meant to send only email from your own domains to DLP.

However, some messages are still being routed to DLP and are rejected with a "Domain not authorized" error.


Environment

Release : Any

Component : DLP Cloud Service for Email

Cause

The affected messages are generated by a third-party service (for example Salesforce) and are "spoofed" so that the header From address shows your domain, while the SMTP envelope sender (MAIL FROM) carries the vendor's own domain. You cannot simply add the vendor's domain to your list of authorized domains because it does not belong to you.

DLP rejects these messages because it authorizes the domain of the "MAIL FROM" address, also known as the P1 sender, which is taken from the SMTP envelope rather than from the message headers (the P2 sender). A Transport Rule that matches on the header From therefore forwards the message to DLP, and DLP then sees an envelope domain it does not recognize.

Resolution

O365 Transport Rules (mail flow rules) have an option named "Match sender address in message" (the SenderAddressLocation parameter in Exchange Online PowerShell).

The default setting for this option is "Header".

According to Microsoft documentation, this setting will "Only examine senders in the message headers (for example, the From, Sender, or Reply-To fields)."

It can also be set to "Envelope", which Microsoft documents as: "Only examine senders from the message envelope (the MAIL FROM value that was used in the SMTP transmission, which is typically stored in the Return-Path field)." A third value, "Header or envelope", examines both.

Most service-provider generated email (for example from vendors such as Salesforce, Wolken, or ServiceNow) keeps the vendor's own domain in the envelope sender, which you can confirm by looking at the "Return-Path" field in any header analyzer tool. The Transport Rule can therefore be made to match on the same value that DLP authorizes, the envelope sender, instead of on the header From.

As a customer, you can choose whichever of the following options works best:

  1. Create an additional Transport Rule that routes the spoofed messages along a path that skips DLP. Set the "Match sender address in message" option to "Envelope" and use a sender-domain condition that matches the vendor domain you see in "Return-Path" (e.g., "*.salesforce.com").
    • Give this rule a higher priority than the DLP Transport Rule (in Exchange, a lower priority number is processed first), so the spoofed messages are routed via different Connector(s) before the DLP rule is evaluated. Every message whose envelope sender domain matches will skip DLP inspection, so list only the exact vendor domains you have verified.
  2. Change your existing DLP Transport Rule to use the "Match sender address in message" option set to "Envelope", so that it applies only to messages whose envelope sender domain is one of the domains you have configured for DLP content inspection.
    • Only messages that genuinely originate from your domains will match this rule. The spoofed messages fall through to a lower priority rule for delivery via different Connector(s).
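As an added example (this code is not part of the original article and does not come from Broadcom or Microsoft), the PowerShell below first shows how to read the P1 envelope domain and the P2 header domain out of a constructed header block, so you can see the mismatch DLP is reacting to, and then gives the Exchange Online PowerShell equivalents of the two options above. The domain names (contoso.com, salesforce.com), the rule names, and the connector name 'Outbound-Direct' are assumptions; substitute the domains you actually observe in Return-Path and the connectors from your own DLP integration.

```powershell
# Added example. The header block is constructed for illustration; the domain,
# rule and connector names are placeholders to be replaced with your own values.

# 1. Confirm the mismatch: header From (P2) shows your domain, Return-Path (P1) shows the vendor.
$sampleHeaders = @'
Return-Path: <bounces+0123456789@salesforce.com>
Received: from mail.salesforce.com (constructed sample, not a real hop)
From: "Contoso Support" <support@contoso.com>
To: customer@fabrikam.com
Subject: Your case has been updated
'@

function Get-DomainPart {
    param([string]$Address)
    if ([string]::IsNullOrEmpty($Address)) { return $null }
    return $Address.Split('@')[-1].ToLowerInvariant()
}

function Get-SenderDomainsFromHeaders {
    param([Parameter(Mandatory)][string]$Headers)
    $envelopeAddress = $null
    $headerAddress   = $null
    foreach ($line in ($Headers -split "`r?`n")) {
        if ($line -match '^Return-Path:\s*<?([^>\s]+)>?') {
            $envelopeAddress = $Matches[1]          # MAIL FROM as stamped by the receiving server
        }
        elseif ($line -match '^From:.*<([^>]+)>') {
            $headerAddress = $Matches[1]            # display-name form: "Name" <addr>
        }
        elseif ($line -match '^From:\s*(\S+@\S+)') {
            $headerAddress = $Matches[1]            # bare-address form
        }
    }
    [pscustomobject]@{
        P1EnvelopeDomain = Get-DomainPart $envelopeAddress   # what DLP authorizes
        P2HeaderDomain   = Get-DomainPart $headerAddress     # what a "Header" rule matches
    }
}

Get-SenderDomainsFromHeaders -Headers $sampleHeaders
# P1EnvelopeDomain : salesforce.com
# P2HeaderDomain   : contoso.com

# 2. Exchange Online PowerShell (requires the ExchangeOnlineManagement module and an admin session).
# Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Option 1: a higher-priority rule (lower number) that sends vendor-originated mail to a
# connector that does not go to DLP, matched on the ENVELOPE sender domain only.
New-TransportRule -Name 'Bypass DLP for vendor envelope senders' `
    -SenderDomainIs 'salesforce.com' `
    -SenderAddressLocation Envelope `
    -RouteMessageOutboundConnector 'Outbound-Direct' `
    -StopRuleProcessing $true `
    -Priority 0

# Option 2: make the existing DLP rule evaluate the envelope sender instead of the header,
# so only mail whose MAIL FROM domain is one you own is routed to DLP. Only the named
# parameter changes; the rule's existing sender-domain list and connector are kept.
Set-TransportRule -Identity 'Route outbound mail to DLP' -SenderAddressLocation Envelope

# Verify which sender location each rule evaluates and in what order.
Get-TransportRule | Sort-Object Priority |
    Format-Table Name, Priority, SenderAddressLocation, SenderDomainIs, RouteMessageOutboundConnector
```

The header parsing runs anywhere; the New-TransportRule, Set-TransportRule and Get-TransportRule calls need a Connect-ExchangeOnline session. Note that the rule evaluates the live SMTP envelope sender of the message in transit, which is the value the Return-Path header records, so the domain you see in a header analyzer is the domain to put in the condition.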