0

When sending mails through our Exchange 365 service those mails get through successfully, but if we look at the mail headers we see that where the sender and recipient are in our tenant the mail's actually failed SPF; whilst if we send mails to a third party (e.g. to a Gmail address) the SPF is correct.

Specifically we see that the mail sent internally shows as having an IP in the ip6:2603:1000::/24 range (e.g. 2603:10a6:400:49::16...) and that IP is not listed on spf.protection.outlook.com.

Screenshot of the spf.protection.outlook.com public TXT record

Similarly, when checking the headers of mails sent to third parties we see a DKIM selector is included in the mail's header. For those sent to other mailboxes within our tenant, no such header exists.

Others have been reporting the same for several years. Like those others I've spoken to MS support, but this scenario is off-script for them, so that got me nowhere.

My guess is that MS don't care about SPF/DKIM when messages are within tenant, as they know those mails are valid, so they don't filter them. However, I can't find any documentation to confirm this, and this seems wrong (e.g. if your mail client has its own logic to validate these, how would it know to trust them). This is a frustrating issue as when investigating real email issues it's harder to say whether mails failing these checks indicates a real issue, or, as valid mails also fail these checks, we're looking in the wrong place.

1 Answer

4

Usually, these Authentication checks are performed at the Edge of the Organization's network, thus it would make sense for these headers to be absent in internal email flow.

Other headers do offer clues about the email being an Internal email. For example, the X-MS-Exchange-Organization-AuthAs: Internal header tells you that the email originates from your tenant, or your on-premises Exchange Server through the use of a matching Exchange Online Inbound Connector of type OnPremises in case of a hybrid environment (if set up correctly). X-MS-Exchange-Organization-MessageDirectionality: Originating is another one.

This is actually a very comprehensive post on mail flow within an Exchange Hybrid environment, but is applicable to your question.
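The triage described in the answer above, as an added example (not code from the original post or from Microsoft): it reads the Authentication-Results header alongside the two X-MS-Exchange-Organization headers named above, so that non-passing SPF/DKIM on an internal message is labelled as expected rather than suspicious. The sample headers, the example.com domain, the 2001:db8:: addresses and the verdict names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Header names and values are the ones quoted in the answer above.
AUTH_AS = "X-MS-Exchange-Organization-AuthAs"
DIRECTION = "X-MS-Exchange-Organization-MessageDirectionality"
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

def triage(raw_headers: str) -> dict:
    """Classify SPF/DKIM results in the light of the internal-mail markers."""
    msg = message_from_string(raw_headers, policy=default)
    auth_as = str(msg.get(AUTH_AS, "")).strip().lower()
    direction = str(msg.get(DIRECTION, "")).strip().lower()
    # Collect method=result pairs; the topmost header wins for each method.
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in RESULT_RE.findall(str(value)):
            results.setdefault(method.lower(), result.lower())
    # A method with no recorded result counts as not passing.
    not_passing = sorted(m for m in ("spf", "dkim") if results.get(m, "none") != "pass")
    markers = (auth_as == "internal", direction == "originating")
    if not not_passing:
        verdict = "authenticated"
    elif all(markers):
        verdict = "internal-flow"   # both markers set: edge checks not expected
    elif any(markers):
        verdict = "inconclusive"    # only one marker present: inspect by hand
    else:
        verdict = "investigate"     # no internal marker and not authenticated
    return {"verdict": verdict, "not_passing": not_passing, "results": results}

# Constructed sample headers (not taken from a real message).
INTERNAL_SAMPLE = (
    "Authentication-Results: spf=fail (sender IP is 2001:db8::16)\n"
    " smtp.mailfrom=example.com; dkim=none (message not signed)\n"
    " header.d=none\n"
    "X-MS-Exchange-Organization-AuthAs: Internal\n"
    "X-MS-Exchange-Organization-MessageDirectionality: Originating\n"
    "Subject: constructed internal message\n\n"
)
EXTERNAL_SAMPLE = (
    "Authentication-Results: spf=fail (sender IP is 2001:db8::99)\n"
    " smtp.mailfrom=example.com; dkim=none header.d=none\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "Subject: constructed external message\n\n"
)

if __name__ == "__main__":
    for name, sample in (("internal", INTERNAL_SAMPLE), ("external", EXTERNAL_SAMPLE)):
        print(name, triage(sample))
```
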
