This has nothing to do with SPF. This article (https://www.mimecast.com/threat-intelligence-hub/microsoft-direct-send-abuse/) may help explain why Direct Send is a problem for O365 to O365 sends. Specifically:
Specifically: direct send is unauthenticated email that looks exactly like authenticated email when sending from O365 to O365 users. He’s not actively sending the mail over your infrastructure if the messages are blocked using Direct Send. laura > On 25 Sep 2025, at 08:02, Benoit Panizzon via mailop <mailop@mailop.org> > wrote: > > Hi Team > > We have a customer who uses our email infrastructure to send email > invoices to his customers. > > The customer has his email domain on Outlook 365 and has included our > IP range in his SPF entry to allow invoices from an envelope sender in > his domain to be sent over our email platform - this has worked so far. > > Last time he sent invoices the emails were rejected by various other > Outlook 365 customers because 'DirectSend' is set to forbidden for the > sending domain. > > The customer confirmed, according to their security requirements as a > government related company, they were instructed to disable 'DirectSend' > on their Outlook 365 service for their domain, to prevent third parties > to fake their envelope sender. > > Aehm, this is what SPF is already doing - in a correct way - why does > this DirectSend setting override SPF which would allow the envelope > sender from our ip range? > > Customer opened a case with Microsoft and the reply he got was to > whitelist our IPv4 Range in the DirectSend settings for his Outlook 365 > hosted email domain - but we and Microsoft use IPv6 so this has no > effect - IPv6 addresses can not be whitelisted. > > Next recommendation from Microsoft: Tell the sending Provider to > disable IPv6 on their email Platform we do not support IPv6 for > DirectSend Whitelisting. > > Our Reply: No! Please remove the IPv6 Addresses on the receiving MXes > with DirectSend disabled if IPv6 is not supported by Microsoft. > > Reply from Microsoft: IPv6 is required for Outlook 365 to work > correctly and can not be disabled on the receiving MXes. > > So am I getting this correctly? Microsoft does not rely on SPF anymore > but has invented an alternative called DirectSend which is not IPv6 > compatible? > > Mit freundlichen Grüssen > > -Benoît Panizzon- > -- > I m p r o W a r e A G - Leiter Commerce Kunden > ______________________________________________________ > > Zurlindenstrasse 29 Tel +41 61 826 93 00 > CH-4133 Pratteln Fax +41 61 826 93 01 > Schweiz Web http://www.imp.ch > ______________________________________________________ > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop -- The Delivery Expert Laura Atkins Word to the Wise la...@wordtothewise.com Delivery hints and commentary: http://www.wordtothewise.com/blog
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
