When sending mails through our Exchange 365 service those mails get through successfully, but if we look at the mail headers we see that where the sender and recipient are in our tenant the mail's actually failed SPF; whilst if we sent mails to a third party (e.g. to a gmail address) the SPF is correct.
Specifically we see that the mail sent internally shows as having an IP in the ip6:2603:1000::/24 range (e.g. 2603:10a6:400:49::16... and that IP is not listed on spf.protection.outlook.com.
Similarly, when checking the headers of mails sent to third parties we see a DKIM selector is included in the mail's header. For those sent to other mailboxes within our tenant, no such header exists.
Others have been reporting the same for several years. Like those others I've spoken to MS support, but this scenario is off-script for them, so that got me nowhere.
My guess is that MS don't care about SPF/DKIM when messages are within tenant, as they know those mails are valid, so they don't filter them. However, I can't find any documenation to confirm this, and this seems wrong (e.g. if your mail client has its own logic to validate these, how would it know to trust them). This is a frustrating issue as when investigating real email issues it's harder to say whether mails failing these checks indicates a real issue, or, as valid mails also fail these checks, we're looking in the wrong place.
