On Friday, February 4, 2022 3:14:29 PM EST Wietse Venema wrote:
> Alex:
> > Hi,
> > I have a multi-instance postfix config and am trying to figure out why
> > Microsoft 365 is marking my email from the outbound instance as SPF
> > softfail.
> >
> > I am trying to send mail from my gmail account to the multi-instance
> > postfix system through to my Microsoft 365 account, where I've set up
> > mail filters to accept mail from all postfix instances without
> > blocking or filtering. All IPs involved are listed in the SPF record
> > for the domain:
> >
> > example.org. 978 IN TXT "v=spf1
> > ip4:209.222.90.0/24 include:spf.protection.outlook.com -all"
> >
> > There are two MX records set for this domain - relay1.example.com
> > (209.222.90.118) and relay2.example.com (209.222.90.113). I believe
> > the problem is that mail is leaving through the postfix-out instance
> > (209.222.90.109), and although all IPs are listed in the SPF record,
> > it appears Microsoft doesn't like that it's not being sent from the
> > same IP as it was received?
>
> Random guess: what name does the MTA send in the EHLO command, and
> does that name match the IP address? The EHLO is not visible in the
> email headers that you included.

Failed HELO check for SPF is indeed a possibility.

Another one is that their check is buggy. I have seen cases of them checking
SPF when receiving mail via an internal relay. I don't know how common that
is. If it's on their end, there's not much you can do about it.

Scott K
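
The HELO check discussed in this thread, as an added example that is not part of either message and is not Postfix or Microsoft code: a minimal offline SPF evaluator (ip4, ip6, include and all only) that checks the HELO identity and the MAIL FROM identity separately, as RFC 7208 allows a receiver to do. Only the example.org record and the 209.222.90.x addresses come from the thread; the EHLO name, its record, the sender address and the include stand-in are constructed.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Offline stand-in for DNS TXT lookups. Only the example.org record is from the
# thread; the other two names and records are constructed for illustration.
ZONE = {
    "example.org": "v=spf1 ip4:209.222.90.0/24 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",  # stand-in, not the real record
    "out.example.net": "v=spf1 ip4:192.0.2.10 ~all",  # hypothetical EHLO name
}

def check_host(ip, domain, zone=ZONE):
    """Evaluate one identity's domain; supports ip4, ip6, include and all only."""
    record = zone.get(domain.lower().rstrip("."))
    if record is None or record.split()[0] != "v=spf1":
        return "none"  # the domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, zone)
            if inner == "none":
                return "permerror"  # include target publishes no SPF record
            matched = inner == "pass"
        else:
            raise ValueError(f"mechanism outside this subset: {term}")
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"

def evaluate(client_ip, helo_name, mail_from):
    """Check the HELO identity and the MAIL FROM identity separately."""
    return {
        "helo": check_host(client_ip, helo_name),
        "mailfrom": check_host(client_ip, mail_from.rpartition("@")[2]),
    }

if __name__ == "__main__":
    # postfix-out address from the thread; constructed EHLO name and sender
    print(evaluate("209.222.90.109", "out.example.net", "user@example.org"))
```

With these constructed inputs the MAIL FROM identity passes while the HELO identity softfails, which is why the EHLO name and its own SPF record need checking in addition to the sender domain's record.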