Correct - BUT that assumption can only be held if you're talking directly to the
tenant server. Since Microsoft has lots of intermediate internal servers and
hops, the internal servers cannot know the difference between a submitted
password authenticated mail, an SPF authenticated one, or an unauthenticated
one.

In your example, the sender domain is hosted on the same server. That's why
SPF doesn't apply. Instead local policy has to apply.

It's a complicated mess with multi-tenant cloud mail servers.

-------- Original message --------
From: Jaroslaw Rafa via mailop <mailop@mailop.org>
Date: 2025-09-26  10:06  (GMT+01:00)
To: mailop@mailop.org
Subject: Re: [mailop] DirectSend - has Microsoft re-invented SPF in an IPv6 incompatible way?

On 26.09.2025 at 09:44:20, Sebastian Nielsen via mailop wrote:
> >> The scenario was when us...@op.pl was sending their mail to
> >> us...@example.com (external to op.pl, totally different service), and
> >> us...@example.com in turn forwarded the mail to us...@op.pl, the op.pl
> >> server rejected the mail with a message requiring authentication - because it
> >> saw a sender address from op.pl domain. I think I see similar
> >> misconfiguration here.
>
> Exactly what I'm saying. The third server has no way of validating "its own
> hosted domain" to "itself" to what to say.
>
> As I made the example with "sebbe.eu" validating "127.0.0.1" against SPF.
> That's why DirectSend exists. To facilitate this type of validation.

The mail in my example was *not* coming from 127.0.0.1. It was coming from
an external server (I was actually admin of that server at the time ;)).

At the time when SPF did not exist, there was no separate submission service
and submission was done via port 25, it was indeed hard to distinguish
(although not impossible) if an incoming mail with a sender from "my own
domain" is submission or a forwarded message coming from external server.

But nowadays, when submission is separated from incoming mail and SPF
exists, it's absolutely no problem to determine if incoming message with "my
own domain" is submission, or a message coming from outside with properly
validated SPF.

It's only lack of Microsoft's will to do so.
--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
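
The distinction both messages turn on (submission listener versus MX port, with SPF deciding what an own-domain sender on the MX port means), sketched as an added example that is not from the thread or from any mail server's code. The domains, the SPF records and the `classify`/`check_spf` names are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are evaluated, with no DNS lookups.

```python
import ipaddress

# Constructed SPF records for illustration; a real MTA fetches these from DNS.
SPF_RECORDS = {
    "hosted.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 -all",
    "partner.example": "v=spf1 ip4:198.51.100.7 ~all",
}
LOCAL_DOMAINS = {"hosted.example"}  # domains this server hosts (assumption)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain):
    """Evaluate only ip4/ip6/all mechanisms (a subset of RFC 7208)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        kind, _, value = mech.partition(":")
        if kind in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            # An ip4 term never matches an IPv6 client and vice versa.
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"


def classify(port, authenticated, client_ip, mail_from):
    """Classify one SMTP transaction by listener, AUTH state and SPF."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if port == 587:
        # Submission listener: SMTP AUTH decides, the client IP is irrelevant.
        return "submission" if authenticated else "reject: auth required"
    spf = check_spf(client_ip, domain)
    if domain in LOCAL_DOMAINS and spf != "pass":
        # Own-domain sender on the MX port without SPF pass: local policy.
        return f"inbound own-domain, spf={spf}: apply local policy"
    return f"inbound, spf={spf}"
```

The classification depends on the receiving hop still knowing the listener port, the AUTH state and the original client IP; an internal relay that has lost those facts cannot reproduce it.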