Agent Foskett Academy • Lesson 64 • Email Investigation

Investigating SenderMailFromDomain in Microsoft Defender XDR.

The email appeared to come from a trusted company.

The sender looked legitimate.

The branding matched perfectly.

Yet Agent Foskett noticed something unusual.

The domain displayed to users was not the same domain used during message delivery.

Hidden behind the email was another domain entirely.

In Microsoft Defender XDR, SenderMailFromDomain helps investigators identify the SMTP domain used during mail delivery, making it valuable for SPF analysis, spoofing investigations and phishing detection.

Agent Foskett Academy lesson explaining SenderMailFromDomain in Microsoft Defender XDR
Lesson overview

Learn how to investigate the SMTP envelope sender domain in EmailEvents and compare it with the domain shown to users.

Review SenderMailFromDomain evidence
Compare visible and SMTP domains
Investigate spoofing and phishing attempts
Support SPF and DMARC investigations

Why SenderMailFromDomain matters

SenderFromDomain shows the domain visible to the recipient. SenderMailFromDomain helps reveal the SMTP domain used behind the scenes during message transport.
It identifies the SMTP domainSenderMailFromDomain records the envelope sender domain used during message transport.
It exposes domain mismatchComparing SenderFromDomain and SenderMailFromDomain can reveal spoofing, impersonation and mail flow anomalies.
It supports SPF analysisSPF and DMARC investigations often depend on understanding the technical sender domain behind the visible From domain.

The fields used in this lesson

These fields help defenders compare what the user saw with the SMTP domain the mail system actually processed.
SenderMailFromDomainThe SMTP envelope sender domain used during mail delivery.
SenderFromDomainThe visible sender domain displayed to the recipient.
SenderMailFromAddressThe SMTP envelope sender address used during message transport.
AuthenticationDetailsSPF, DKIM, DMARC and composite authentication evidence associated with the message.
ThreatTypesMicrosoft's threat classification, such as phishing, malware, spam or spoofing.
DeliveryActionThe action Microsoft 365 applied to the email during delivery and filtering.

Step 1 — Review SenderMailFromDomain activity

Start by reviewing recent messages where Defender recorded an SMTP envelope sender domain.
review-sendermailfromdomain.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderMailFromDomain)
| project Timestamp,
          SenderFromDomain,
          SenderMailFromDomain,
          RecipientEmailAddress,
          Subject
| order by Timestamp desc

Step 2 — Compare visible and SMTP domains

This query highlights messages where the visible sender domain differs from the SMTP envelope sender domain.
senderfromdomain-vs-sendermailfromdomain.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderMailFromDomain)
| where SenderFromDomain != SenderMailFromDomain
| project Timestamp,
          SenderFromDomain,
          SenderMailFromDomain,
          Subject
| order by Timestamp desc

Step 3 — Review top SMTP domains

Summarising SenderMailFromDomain helps identify high-volume envelope sender domains and unusual sending behaviour.
top-sendermailfromdomain.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderMailFromDomain)
| summarize MessageCount = count() by SenderMailFromDomain
| order by MessageCount desc

Step 4 — Investigate threats by SMTP domain

Threat classifications become more useful when compared with the visible sender and the envelope sender.
sendermailfromdomain-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatTypes)
| project Timestamp,
          SenderFromDomain,
          SenderMailFromDomain,
          ThreatTypes,
          DeliveryAction,
          Subject
| order by Timestamp desc

Step 5 — Investigate authentication issues

Authentication failures should be reviewed with both visible and SMTP sender evidence.
sendermailfromdomain-authentication-failures.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where AuthenticationDetails contains "fail"
| project Timestamp,
          SenderFromDomain,
          SenderMailFromDomain,
          AuthenticationDetails,
          Subject
| order by Timestamp desc

Step 6 — Compare domain relationships

This helps defenders find repeated mismatches between the visible sender domain and the SMTP envelope sender domain.
sender-domain-pairs.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
EmailEvents
| where Timestamp > ago(30d)
| summarize MessageCount = count()
          by SenderFromDomain,
             SenderMailFromDomain
| order by MessageCount desc

How to read the results

SenderMailFromDomain is mail transport evidence. It should be interpreted with the visible sender domain, authentication results and delivery outcome.
The user sees SenderFromDomainThe visible sender may look familiar, trusted or internal even when the envelope sender tells a different story.
The mail system sees SenderMailFromDomainThe SMTP envelope sender domain is important for SPF, mail delivery and many authentication investigations.
Mismatch is investigation contextA mismatch does not automatically mean malicious activity, but it should be explained before closing the case.

Common investigation uses

SenderMailFromDomain helps defenders understand whether the visible sender domain and the SMTP sender domain align.
Email spoofingCompare visible sender domains against the SMTP envelope sender domain used during delivery.
SPF troubleshootingUnderstand which sender domain may have been evaluated during SPF checks.
DMARC analysisReview sender alignment between visible From domains, Mail From domains and authentication results.

Common mistakes

SenderMailFromDomain is often missed because defenders focus only on what the user saw.
Assuming visible means realThe address shown to users may not be the same address used during SMTP delivery.
Ignoring mail flow identitiesAuthentication and delivery behaviour often depend on technical sender identities that are not obvious to users.
Skipping SPF contextAlways compare SenderMailFromDomain with AuthenticationDetails, SenderFromDomain, SenderMailFromAddress and DeliveryAction.
The visible domain was only part of the message.
Use SenderMailFromDomain to investigate the SMTP domain behind the email and determine whether the sender identity makes sense.
Back to Academy →

What you learned

SenderMailFromDomain identifies the SMTP domainIt helps defenders review the envelope sender domain used during message transport.
Sender domain mismatch mattersComparing SenderFromDomain and SenderMailFromDomain can expose spoofing, phishing and authentication issues.
Authentication needs domain contextSPF, DKIM, DMARC and composite authentication make more sense when sender domains are understood.

Related Agent Foskett Academy lessons

Investigating SenderMailFromAddressReview the SMTP envelope sender address behind email messages.
Investigating SenderIPv4Review IPv4 sender infrastructure behind suspicious email messages.
Investigating SenderIPv6Review IPv6 sender infrastructure behind suspicious email messages.
Investigating AuthenticationDetailsReview SPF, DKIM, DMARC and composite authentication outcomes.
Investigating EmailAuthenticationResultsUnderstand email authentication evidence in Defender XDR.
Investigating ThreatTypesReview Microsoft threat classifications such as phishing, malware and spoofing.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message during delivery.
Investigating OrgLevelActionReview organisational policy actions applied to suspicious messages.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.

Coming next

Lesson 65 — Investigating BulkComplaintLevel in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use BulkComplaintLevel to investigate bulk mail classifications, sender reputation and suspicious campaign activity.
Why this mattersSenderMailFromDomain reveals the SMTP sender domain. BulkComplaintLevel helps explain how Microsoft assessed bulk mail behaviour and complaint risk.
What you will learn nextLearn how BCL evidence supports bulk mail, sender reputation, phishing and email filtering investigations.

Final thought

The visible sender domain at the top of the email is not always the full sender story.
Agent Foskett mindsetDo not stop at the domain the user saw. Follow the SMTP sender domain behind the message.
Read the SMTP domainSenderMailFromDomain turns a visible sender investigation into a domain alignment investigation.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating SenderMailFromDomain in Microsoft Defender XDR

Agent Foskett Academy Lesson 64 teaches defenders how to investigate SenderMailFromDomain during Microsoft Defender XDR email investigations.

Learn SMTP sender domain investigation in Defender XDR

This lesson explains how SenderMailFromDomain, SenderFromDomain, SenderMailFromAddress, AuthenticationDetails, ThreatTypes and DeliveryAction help defenders investigate spoofing, phishing and email authentication issues.