The TreatSoftPassAsAuthenticated parameter specifies whether or not to respect the composite authentication softpass result. Valid values are:
$true: This is the default value.
$false: Only use this value when you want to enable more restrictive antispoofing filtering, because this value might cause false positives.
Note: This parameter corresponds to the Strict filtering value in the Office 365 admin center.
This then made me wonder about composite authentication and what a softpass is.
While SPF, DKIM, and DMARC are all useful by themselves, they don’t communicate enough authentication status in the event a message has no explicit authentication records. Therefore, Microsoft has developed an algorithm that combines multiple signals into a single value called Composite Authentication, or compauth for short. Customers in Office 365 have compauth values stamped into the Authentication-Results header in the message headers.
Authentication-Results: compauth=<fail|pass|softpass|none> reason=<yyy>
|fail||Message failed explicit authentication (sending domain published records explicitly in DNS) or implicit authentication (sending domain did not publish records in DNS, so Office 365 interpolated the result as if it had published records).|
|pass||Message passed explicit authentication (message passed DMARC, or Best Guess Passed DMARC) or implicit authentication with high confidence (sending domain does not publish email authentication records, but Office 365 has strong backend signals to indicate the message is likely legitimate).|
|softpass||Message passed implicit authentication with low-to-medium confidence (sending domain does not publish email authentication, but Office 365 has backend signals to indicate the message is legitimate but the strength of the signal is weaker).|
|none||Message did not authenticate (or it did authenticate but did not align), but composite authentication not applied due to sender reputation or other factors.|
So essentially, a pass is softpass is when there are no DMARC records, but Office 365 is pretty sure that this domain is the appropriate sender. A pass is when either a DMARC record is published and it passes, or Microsoft is very sure the email is legitimate.
By default, softpass is not marked as junk. I agree with this setting, but wish pass would only be for 100% DMARC passes or an even higher level that was for 100% DMARC passes, maybe called hardpass. It’s relatively easy to find if DMARC passed in a message header, so not the end of the world, but I’m not a fan of giving a result of algorithmic learning the same level of certainty as a though-out, intentionally written, record.
Do you agree with Microsoft’s default here? Do you think there should be another level of pass?