0

We use an email setup (incoming mail) in the following order:

Internet -> on premises mailserver (=> attachment filter, antivirus, spam filter) -> forward to Microsoft 365 Exchange Online using hosted SMTP Relay (postfix on our web server).

My problem is that mails Microsoft receives are failing the SPF check because the forwarded mail gets the sender IP address of our SMTP relay.

Is there a possibility to "transparently" forward the mails to Microsoft, keeping the original sender addresses so they pass SPF? I found something about SRS (Sender Rewriting Scheme)... Is this the right path to keep SPF working in our case?

Thanks!

2
  • 1
    I do not have personal experience but would hope that whoever answers this or merges with duplicates leaves a clear reference to Microsoft's instructions on trusted ARC sealers and to what extent those are (not) useful for Microsoft's locked-in Exchange offers.
    – anx
    Commented Jun 2, 2023 at 12:40
  • 1
    @anx I hope my answer satisfies your request. As you may have noticed, the on prem / 3rd party filtering service does need to support adding an ARC seal header to the email for this to work. Thank you for the instructions link. I hadn't found it yet.
    – Reinto
    Commented Jun 2, 2023 at 13:14

2 Answers

1

There are plenty of options for you to consider.

SRS

SRS would require you to rewrite the Return-Path header to change the domain on which SPF is checked. But this will then impact the bounces that are returned to that address instead of the original Return-Path address. So, I would not recommend this action.

Transport Rule in Exchange Online

If you have created an inbound connector in Exchange Online for your mail flow from on premises, you can add a transport rule for that connector that sets the Spam Confidence Level (SCL) to -1. Basically, this will treat all emails arriving via this connector as safe listed. This is an option if you fully trust your on prem filtering capabilities and do not wish to use any of the capabilities available in Exchange Online Protection. For more information see: https://learn.microsoft.com/en-us/Exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl

Enhanced Filtering

Enhanced Filtering will let you list all intermediary hops in your on prem / hosted mail flow via a specific Inbound Connector, to be discarded by Exchange Online Protection and treat the IP address of the hop before on prem setup as the originating host. This will let SPF checks pass on the emails for the original domain used in the Return-Path header. It also allows you to still take advantage of additional capabilities available in Exchange Online Protection (Microsoft Defender for Office 365). For more information see: https://learn.microsoft.com/en-us/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors

ARC

Authenticated Received Chain (ARC) will let you add a sealed Authentication-Results header at the on prem filtering email server which will then be considered by Exchange Online as trusted. You can configure trusted ARC domains in the Defender portal at https://security.microsoft.com/authentication by adding sealing domains. This will require your on prem filtering mail server to support ARC sealing.

More on ARC in Office 365 at https://learn.microsoft.com/en-us/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors

3
  • Thank you very much. I'll start with enhanced filtering. Looks like it's exactly what I need. Commented Jun 2, 2023 at 21:47
  • 1
    I've implemented Enhanced Filtering last week. Seems to work smoothly now. All our SMTP hops are skipped and SPF keeps valid. Commented Jun 5, 2023 at 6:32
  • That's great to hear!
    – Reinto
    Commented Jun 5, 2023 at 7:04
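To make the Enhanced Filtering point concrete, here is an added example (not code from the answer above or from Microsoft) that shows why plain SPF fails behind the relay and why skip-listing the intermediary hops fixes it. The Received headers, the IP addresses, the partner domain and the in-memory SPF "DNS" table are all constructed for the demonstration; the evaluator only understands the ip4, include and all mechanisms.

```python
import ipaddress
import re

# Constructed Received headers, newest hop first, as Exchange Online would see them
# after the mail has passed the on-prem filter and the hosted postfix relay.
RECEIVED = [
    "from relay.example.net (relay.example.net [198.51.100.10]) by mail.protection.outlook.com",
    "from mx.example.org (mx.example.org [203.0.113.5]) by relay.example.net",
    "from mail.partner.example (mail.partner.example [192.0.2.25]) by mx.example.org",
]
# Constructed stand-in for DNS TXT lookups of the sending domain's SPF record.
SPF_RECORDS = {"partner.example": "v=spf1 ip4:192.0.2.0/24 -all"}
# The two intermediary hops we would list on the inbound connector (the skip list).
ON_PREM_HOPS = {"198.51.100.10", "203.0.113.5"}

def originating_ip(received, skip):
    """Walk the Received chain newest-first and return the first connecting IP
    that is not one of our own hops, i.e. the host that delivered to our edge."""
    for header in received:
        match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        if match and match.group(1) not in skip:
            return match.group(1)
    return None

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, records):
    """Minimal SPF evaluator: ip4, include and all mechanisms only (no DNS)."""
    record = records.get(domain)
    if record is None or ip is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qual, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
        if mech.startswith("include:") and spf_check(mech[8:], ip, records) == "pass":
            return QUALIFIERS[qual]
        if mech == "all":
            return QUALIFIERS[qual]
    return "neutral"

def check_without_skip_list():
    # Plain SPF: the connecting host is our relay, so the partner's -all record fails.
    return spf_check("partner.example", originating_ip(RECEIVED, set()), SPF_RECORDS)  # "fail"

def check_with_skip_list():
    # Enhanced Filtering behaviour: ignore our hops and evaluate against the partner's MTA.
    return spf_check("partner.example", originating_ip(RECEIVED, ON_PREM_HOPS), SPF_RECORDS)  # "pass"
```

The skip list is what the inbound connector's Enhanced Filtering configuration supplies in Exchange Online; note that adding the relay IP to your own SPF record, as the other answer suggests, would not change the "fail" result here because the record being evaluated belongs to the external partner.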
0

Surely the simplest option is to simply update your SPF record to include the IP address of your SMTP relay?

The SPF record can have multiple addresses/references listed, since you could easily have email coming from multiple different locations legitimately. So, for instance, if your relay IP is 1.2.3.4 and your current SPF record is

v=spf1 include:spf.protection.outlook.com -all

then simply update it to be

v=spf1 ip4:1.2.3.4 include:spf.protection.outlook.com -all

2
  • 1
    I believe the OP is describing emails originating from random domains on the Internet and not from his own domains. In that case adding the relay IP to his own SPF record would not matter.
    – Reinto
    Commented Jun 2, 2023 at 13:09
  • This problem is more addressed to external emails from external partners. Even these emails get the sender address from our relay server, when they get delivered after AV scan to our Microsoft 365 mailboxes. Commented Jun 2, 2023 at 13:12
