The following headers can be used to filter email messages. A typical use case would be to create transport or mail flow rules to disposition the messages based on the criteria.
Headers are always included with the messages, and the same triggers that apply to these headers have in message body banners also. However, in the message body banners can be disabled by the admin, and may not be visible for every end user. The message headers cannot be disabled and are ideal for triggering quarantine actions in message rules on your email server.
Example mail flow rules for Office 365.
External Messsage Banner
Triggered when an email comes from an external domain. This is probably the simplest example and adds to the existing functionality of services like Office 365. The message is not only tagged as external but the sending domains are incorporated into the warning displayed to the end user:
Triggered when an email is sent from a domain that closely matches your own internal domain. This is flagged as red, as it is more than likely a phishing attempt. This rule may trigger (but can be whitelisted) if you have multiple legitimate top level domains that are on different extensions, like .com and .net.
Triggered when an email is trying to impersonate the Friendly From: with a name of a user in the organization.
Triggered is an email from a server that the sender's IP is not listed in the SPF record for the sending domain. It could be a misconfiguration or a spoofing attempt.
Triggered is an email from a server not listed in your domains SPF record and your SPF record is set to ~all rather than -all. This means that you are receiving emails from your own domain, from a set of servers not explicitly permitted by your SPF policy. This may be spoofing, but because of the SPF policy, we are not rejecting the email.
Triggered when an email is classified as spam. Typically this would trigger a subject line prepend *SPAM* however, depending on the configuration of your account, the Subject line change may not be present. The header will always be there if the message is classified as spam.