Investigating AuthenticationDetails in Microsoft Defender XDR.
The email looked legitimate.
The sender appeared trusted.
The domain matched the company name.
Yet something still felt wrong.
Agent Foskett needed to understand how Microsoft evaluated the message.
Did SPF pass? Did DKIM validate? Did DMARC succeed?
In Microsoft Defender XDR, AuthenticationDetails helps defenders review SPF, DKIM, DMARC and composite authentication results during email investigations.
Lesson overview
Learn how to investigate email authentication evidence and use AuthenticationDetails to understand SPF, DKIM, DMARC and composite authentication outcomes.
Why AuthenticationDetails matters
The fields used in this lesson
Step 1 — Review AuthenticationDetails
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
EmailEvents | where Timestamp > ago(30d) | where isnotempty(AuthenticationDetails) | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, AuthenticationDetails | order by Timestamp desc
Step 2 — Search for DMARC failures
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
EmailEvents | where Timestamp > ago(30d) | where AuthenticationDetails contains "dmarc=fail" | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, AuthenticationDetails | order by Timestamp desc
Step 3 — Search for SPF failures
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
EmailEvents | where Timestamp > ago(30d) | where AuthenticationDetails contains "spf=fail" | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, AuthenticationDetails | order by Timestamp desc
Step 4 — Search for DKIM failures
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
EmailEvents | where Timestamp > ago(30d) | where AuthenticationDetails contains "dkim=fail" | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, AuthenticationDetails | order by Timestamp desc
Step 5 — Review failed authentication with threat context
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
EmailEvents | where Timestamp > ago(30d) | where AuthenticationDetails contains "fail" | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, ThreatTypes, AuthenticationDetails, DeliveryAction | order by Timestamp desc
Step 6 — Compare authentication patterns
- 1
- 2
- 3
- 4
- 5
- 6
- 7
EmailEvents | where Timestamp > ago(30d) | where isnotempty(AuthenticationDetails) | summarize MessageCount = count() by AuthenticationDetails | order by MessageCount desc
