When I've seen this, there is usually a big spf bounce explanation, but the actual cause is a reject that O365 is giving a very verbose SPF error message for but may not involve spf at all.
Ie, I've seen it with messages forwarded through O365 to Gmail, which rejects it for failing dmarc. The forwarding breaks spf and dkim. The eventual solution is ARC, but of course we're not there yet. If it is a dmarc issue, then adding them to the SPF might help for you, but is unlikely to help for other folks they are having trouble with. In the past, I know folks who have used a different mx server or service in front of Exchange to do forwarding without breaking auth, but I don't know the current best solutions here, but they're usually on the receiver side. I think O365 has fixed some forwarding paths to leave dkim intact. It may also be possible that some other reject is causing this and also being interpreted as an SPF failure, usually the real smtp response is in there somewhere. Brandon On Thu, Nov 8, 2018, 5:28 AM Steve Dodd <steved...@gmail.com wrote: > Can't help with this directly, but I've seen similar happen with mail to > Facebook, which uses O365.. > > S. > > On Thu, 8 Nov 2018 at 12:25, Duncan Brannen <d...@st-andrews.ac.uk> wrote: > >> >> >> Morning all, >> >> Does anyone have any issues delivering to some O365 >> domains due to Microsoft internally SPF failing inbound email against their >> own servers? >> >> >> >> We’re seeing the email go through our MXs and be delivered to >> x.protection.outlook.com, >> >> >> >> protection.outlook.com then SPF checks and passes the message, verifies >> the DKIM signature and passes that. >> >> then… >> >> it gets routed internally from protection.outlook.com to >> outlook.office365.com, back to protection.outlook.com >> >> and then goes through a second set of SPF and DKIM checks which fail SPF >> because protection.outlook.com is not a permitted server for >> st-andrews.ac.uk >> >> >> >> It ‘seems’ to happen for recipients in UK datacentres where their MX >> records still point at the EU datacentres and I ‘think’ having >> >> an O365 tenancy but routing all of our outbound email through our onsite >> MX servers is a contributing factor due to the tenant >> >> name appearing in the headers. [we’re hybrid on premise, Gmail and O365] >> >> >> >> Our support call is going round in circles, we’ve been told the remote >> site has blacklisted us, that we need to add the MS servers into our SPF, >> >> that we need to add our hybrid servers into our SPF, that our DKIM >> signature is invalid, that our SPF is invalid, that the remote site have >> errors >> >> in their EOP configuration and that Barracuda have blacklisted us. >> >> >> >> I can see that adding protection.outlook.com to our SPF record will fix >> this though protection.outlook.com shouldn’t be sending email for us and >> >> shouldn’t be in our SPF but it may be that the price of having an O365 >> tenancy is we have to whether we send email that way or not. If anyone >> >> knows either way and can explain why or knows how we should phrase a >> request for escalation to a team that understands hybrid setups where >> >> email is routed through non MS servers I’d appreciate sharing of the >> knowledge. J >> >> >> >> Example headers below. >> >> >> >> Cheers, >> >> Duncan >> >> >> >> Received: from LNXP265MB0905.GBRP265.PROD.OUTLOOK.COM >> (2603:10a6:600:5e::31) >> >> by LO2P265MB1728.GBRP265.PROD.OUTLOOK.COM with HTTPS via >> >> LNXP265CA0019.GBRP265.PROD.OUTLOOK.COM; Fri, 26 Oct 2018 08:00:56 +0000 >> >> Received: from CWLP265CA0256.GBRP265.PROD.OUTLOOK.COM >> (2603:10a6:401:25::28) >> >> by LNXP265MB0905.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:78::11) with >> >> Microsoft SMTP Server (version=TLS1_2, >> >> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1273.24; Fri, 26 >> Oct >> >> 2018 08:00:56 +0000 >> >> Received: from VE1EUR01FT055.eop-EUR01.prod.protection.outlook.com >> >> (2a01:111:f400:7e01::206) by CWLP265CA0256.outlook.office365.com >> >> (2603:10a6:401:25::28) with Microsoft SMTP Server (version=TLS1_2, >> >> cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1273.19 via >> Frontend >> >> Transport; Fri, 26 Oct 2018 08:00:55 +0000 >> >> Authentication-Results: spf=fail (sender IP is 104.47.0.127) >> >> smtp.mailfrom=st-andrews.ac.uk; uhi.ac.uk; dkim=pass (signature was >> verified) >> >> header.d=UniversityofStAndrews907.onmicrosoft.com;uhi.ac.uk; >> >> dmarc=bestguesspass action=none header.from=st-andrews.ac.uk; >> >> Received-SPF: Fail (protection.outlook.com: domain of st-andrews.ac.uk >> does >> >> not designate 104.47.0.127 as permitted sender) >> >> receiver=protection.outlook.com; client-ip=104.47.0.127; >> >> helo=EUR01-HE1-obe.outbound.protection.outlook.com; >> >> Received: from EUR01-HE1-obe.outbound.protection.outlook.com >> (104.47.0.127) by >> >> VE1EUR01FT055.mail.protection.outlook.com (10.152.3.104) with Microsoft >> SMTP >> >> Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id >> >> 15.20.1294.14 via Frontend Transport; Fri, 26 Oct 2018 08:00:55 +0000 >> >> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; >> >> d=UniversityofStAndrews907.onmicrosoft.com; >> s=selector1-standrews-ac-uk0e; >> >> >> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; >> >> bh=jmNDk9A9PZk09YI7EoXcC6bpFtKR82SKTANn3/DMLug=; >> >> >> b=ED9NpX9QKXys3LSbATyd1YMgMQbsPuEcRC92nBMGdPTsmDPO7fHqm7hzMOCCkKw4+1+hnch9Jw2kVAxit6o/NKsdo66TJ+EM0BDCmmkAefoo/2KSvwKz5cuTTp5lBId6DKAUjUSjoCOqOhIv5yf46DzflVSY0yr4fy3dIbEe3GI= >> >> Received: from VI1PR06CA0143.eurprd06.prod.outlook.com >> (2603:10a6:803:a0::36) >> >> by DB6PR0601MB2389.eurprd06.prod.outlook.com (2603:10a6:4:1f::20) with >> >> Microsoft SMTP Server (version=TLS1_2, >> >> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1273.19; Fri, 26 >> Oct >> >> 2018 08:00:53 +0000 >> >> Received: from VE1EUR01FT064.eop-EUR01.prod.protection.outlook.com >> >> (2a01:111:f400:7e01::205) by VI1PR06CA0143.outlook.office365.com >> >> (2603:10a6:803:a0::36) with Microsoft SMTP Server (version=TLS1_2, >> >> cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1273.21 via >> Frontend >> >> Transport; Fri, 26 Oct 2018 08:00:53 +0000 >> >> Authentication-Results-Original: spf=pass (sender IP is 138.251.6.249) >> >> smtp.mailfrom=st-andrews.ac.uk; uhi.ac.uk; dkim=pass (signature was >> verified) >> >> header.d=st-andrews.ac.uk;uhi.ac.uk; dmarc=bestguesspass action=none >> >> header.from=st-andrews.ac.uk; >> >> Received-SPF: Pass (protection.outlook.com: domain of st-andrews.ac.uk >> >> designates 138.251.6.249 as permitted sender) >> >> receiver=protection.outlook.com; client-ip=138.251.6.249; >> >> helo=mailhost.st-andrews.ac.uk; >> >> Received: from mailhost.st-andrews.ac.uk (138.251.6.249) by >> >> VE1EUR01FT064.mail.protection.outlook.com (10.152.3.34) with Microsoft >> SMTP >> >> Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id >> >> 15.20.1273.13 via Frontend Transport; Fri, 26 Oct 2018 08:00:52 +0000 >> >> Received: from mailhost02.st-andrews.ac.uk (mailhost.st-andrews.ac.uk >> [192.168.0.2]) >> >> by mailhost.st-andrews.ac.uk (8.15.2/8.15.2/Debian-8) >> with ESMTPS id w9Q80pTc120481 >> >> (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 >> bits=256 verify=NOT); >> >> Fri, 26 Oct 2018 09:00:52 +0100 >> >> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=st-andrews.ac.uk; >> >> s=mailhost; t=1540540852; >> >> bh=gRTuJZzb7JI456njDWSRhuU9IlxP+i6HdwYnqMKdJJU=; >> >> h=From:To:Subject:Date:From; >> >> >> b=gaAFsl9e7JmElplb6otYlJgysWIZCbUlAl9bfTD2uRtkU8FPNDNDNEYv67RzacZCQ >> >> >> 5dwU2tZoAqcYPeq18kxxreiWAOaUdPkI9bzyKxJVVRahXx1cy01bKOhz7thUVWKQaA >> >> >> KQVJHV3FiLGyCS7zYlE08wCygEhvavY5gXAqINaDxPdqNT0JfNsaLzsYfuL4eIGtFm >> >> >> Xel+vrLfTEzoacFoYrf+yan/R5pMp5z/wQx6nVhW1Ihz5ibtPHghj4REjIlyrCbWm4 >> >> >> LtztByClgpj5MB7PteT3VsLO0mgJ6Q02Q4UsLLZa6HEGslfxJ2OoyAOXj1stNvcz2W >> >> 3mnsL8C9RSiOw== >> >> X-Spam-Status: No >> >> X-StAndrews-MailScanner-From: d...@st-andrews.ac.uk >> >> X-StAndrews-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, >> >> score=0.111, required 5, DKIM_SIGNED 0.10, HTML_MESSAGE >> 0.00, >> >> T_DKIM_INVALID 0.01) >> >> X-StAndrews-MailScanner: No virus detected >> >> X-StAndrews-MailScanner-ID: w9Q80mnL120467 >> >> X-StAndrews-MailScanner-Information: Please contact the ISP for more >> information >> >> Received: from unimail.st-andrews.ac.uk (exch13-srv03.st-andrews.ac.uk >> [138.251.9.20]) >> >> by mailhost02.st-andrews.ac.uk (8.15.2/8.15.2/Debian-8) >> with ESMTPS id w9Q80mnL120467 >> >> (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 >> verify=NOT); >> >> Fri, 26 Oct 2018 09:00:49 +0100 >> >> Received: from exch13-srv03.st-andrews.ac.uk (138.251.9.20) by >> >> exch13-srv03.st-andrews.ac.uk (138.251.9.20) with Microsoft SMTP Server >> (TLS) >> >> id 15.0.1210.3; Fri, 26 Oct 2018 09:00:48 +0100 >> >> Received: from EUR03-VE1-obe.outbound.protection.outlook.com >> (213.199.154.148) >> >> by exch13-srv03.st-andrews.ac.uk (138.251.9.20) with Microsoft SMTP >> Server >> >> (TLS) id 15.0.1210.3 via Frontend Transport; Fri, 26 Oct 2018 09:00:48 >> +0100 >> >> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; >> >> d=UniversityofStAndrews907.onmicrosoft.com; >> s=selector1-standrews-ac-uk0e; >> >> >> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; >> >> bh=sfdcZ9ETxSvzJVU/5gt/HSeE7sIMoJ61hF3L/g+1OlQ=; >> >> >> b=dy0PNnh1+cASR+z9cij+VQ1mawDIS5MYQVvFvRNxP1rHUjs2Gg0m6bswj0/HHOiINg6r/4XnPPwcK22bRaMF0QMuTYtnu/a13qfN1qId1TZXpeYhHyQ4BDgcCXcT7vx6JQuN6v74OvXE5geWreHWiv4uyDAiYR4m+pu50KOy+EY= >> >> Received: from HE1PR0602MB3596.eurprd06.prod.outlook.com (52.133.5.31) by >> >> HE1PR0602MB2763.eurprd06.prod.outlook.com (10.175.31.11) with Microsoft >> SMTP >> >> Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id >> >> 15.20.1273.18; Fri, 26 Oct 2018 08:00:46 +0000 >> >> Received: from HE1PR0602MB3596.eurprd06.prod.outlook.com >> >> ([fe80::9cbd:88d4:5772:eac2]) by >> HE1PR0602MB3596.eurprd06.prod.outlook.com >> >> ([fe80::9cbd:88d4:5772:eac2%2]) with mapi id 15.20.1250.028; Fri, 26 Oct >> 2018 >> >> 08:00:46 +0000 >> >> >> >> >> _______________________________________________ >> mailop mailing list >> mailop@mailop.org >> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >> > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop