Score:0

SMTP Relay - Keep sender SPF valid

in flag

We use an email setup (incoming mails) in the following order:

Internet -> on premises mailserver (=> attachment filter, antivirus, spam filter) -> forward to Microsoft 365 Exchange Online using hosted SMTP Relay (postfix on our web server).

My problem is that the mails Microsoft receives are failing the SPF check because the forwarded mail gets the sender IP address from our SMTP relay.

Is there a possibility to "transparently" forward the mails to Microsoft to keep the original sender addresses so they pass SPF? I found something about SRS (Sender Rewriting Scheme)... Is this the right path to keep SPF working in our case?

Thanks!

anx avatar
fr flag
anx
I do not have personal experience but would hope that whoever answers this or merges with duplicates leaves a clear reference to [Microsoft's instructions on trusted ARC sealers](https://learn.microsoft.com/en-dk/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders?view=o365-worldwide#trusted-arc-sealer-mailflow-graphics) and to what extent those are (not) useful for Microsoft's locked-in Exchange offers.
Reinto avatar
es flag
@anx I hope my answer satisfies your request. As you may have noticed, the on prem / 3rd party filtering service does need to support adding an ARC seal header to the email for this to work. Thank you for the instructions link. I hadn't found it yet.
Score:1
es flag

There are plenty of options for you to consider.

SRS

SRS would require you to rewrite the Return-Path header to change the domain on which SPF is checked. But this will then impact the bounces that are returned to that address instead of the original Return-Path address. So, I would not recommend this action.

Transport Rule in Exchange Online

If you have created an inbound connector in Exchange Online for your mail flow from on premises, you can add a transport rule for that connector that sets the Spam Confidence Level (SCL) to -1. Basically, this will treat all emails arriving via this connector as safe listed. This is an option if you fully trust your on prem filtering capabilities and do not wish to use any of the capabilities available in Exchange Online Protection. For more information see: https://learn.microsoft.com/en-us/Exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl

Enhanced Filtering

Enhanced Filtering will let you list all intermediary hops in your on prem / hosted mail flow via a specific Inbound Connector, to be discarded by Exchange Online Protection, and treat the IP address of the hop before your on prem setup as the originating host. This will let SPF checks pass on the emails for the original domain used in the Return-Path header. It also allows you to still take advantage of additional capabilities available in Exchange Online Protection (Microsoft Defender for Office 365). For more information see: https://learn.microsoft.com/en-us/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors

ARC

Authenticated Received Chain (ARC) will let you add a sealed Authentication-Results header at the on prem filtering email server which will then be considered by Exchange Online as trusted. You can configure trusted ARC domains in the Defender portal at https://security.microsoft.com/authentication by adding sealing domains. This will require your on prem filtering mail server to support ARC sealing.

More on ARC in Office 365 at https://learn.microsoft.com/en-us/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors

Robin Reuter avatar
in flag
Thank you very much. I'll start with enhanced filtering. Looks like it's exactly what I need.
Robin Reuter avatar
in flag
I've implemented Enhanced Filtering last week. Seems to work smooth now. All our SMTP hops are skipped and SPF keeps valid.
Reinto avatar
es flag
That's great to hear!
Score:0
us flag

Surely the simplest option is to simply update your SPF record to include the IP address of your SMTP relay?

The SPF record can have multiple addresses/references listed, since you could easily have email coming from multiple different locations legitimately. So for instance, if your relay IP is 1.2.3.4 and your current SPF record is

v=spf1 include:spf.protection.outlook.com -all

then simply update it to be

v=spf1 ip4:1.2.3.4 include:spf.protection.outlook.com -all

Reinto avatar
es flag
I believe the OP is describing emails originating from random domains on the Internet and not from his own domains. In that case adding the relay IP to his own SPF record would not matter.
Robin Reuter avatar
in flag
This problem is more related to external emails from external partners. Even these emails get the sender address of our relay server when they get delivered to our Microsoft 365 mailboxes after the AV scan.
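To make concrete why the relay breaks SPF, what the Enhanced Filtering skip list in the accepted answer changes, and why adding the relay to your own SPF record (the second answer) does not help for external senders, here is an added example that is not part of the original thread. It replaces DNS with a constructed in-memory table, uses made-up documentation IP ranges and domain names, and implements only the `ip4`, `include` and `all` SPF mechanisms; the `originating_ip` function is a hypothetical stand-in for how Exchange Online Protection picks the connecting IP once your hops are skip-listed, not Microsoft's code.

```python
"""Walk Received headers, skip our own hops, and evaluate SPF for the MAIL FROM domain.

Added example, not from the original thread.  All IPs, domains and SPF records
below are constructed for illustration; no network lookups are performed.
"""
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups.  The outlook.com entry is made up
# for the example and is NOT Microsoft's real SPF record.
FAKE_DNS = {
    "partner.example": "v=spf1 ip4:203.0.113.10 -all",
    "ourcompany.example": "v=spf1 ip4:198.51.100.5 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, depth=0):
    """Minimal SPF evaluator (ip4, include, all only) against FAKE_DNS."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms; guard recursion
    record = FAKE_DNS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        matched_result = QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return matched_result
        if mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return matched_result
        if mech == "include" and spf_check(ip, arg, depth + 1) == "pass":
            return matched_result
        # a, mx, exists, ptr and macros are intentionally not implemented here
    return "neutral"


# Connecting IP as written in a Received: header, e.g. "from host (host [203.0.113.10])"
RECEIVED_IP = re.compile(r"from \S+ \(.*?\[(\d+\.\d+\.\d+\.\d+)\]")


def originating_ip(received_headers, skip_ips):
    """Return the first connecting IP (newest hop first) that is not one of our own hops.

    With an empty skip list this is the naive behaviour: the relay's IP is used.
    With our hops listed it mirrors what Enhanced Filtering's skip list achieves.
    """
    skip = {ipaddress.ip_address(s) for s in skip_ips}
    for header in received_headers:
        match = RECEIVED_IP.search(header)
        if match is None:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if ip not in skip:
            return str(ip)
    return None


# Constructed headers for one inbound mail, newest hop first:
# partner MTA -> our on-prem filter (198.51.100.1) -> our postfix relay (198.51.100.5) -> Exchange Online
SAMPLE_RECEIVED = [
    "from relay.ourcompany.example (relay.ourcompany.example [198.51.100.5]) by mail.protection.outlook.com",
    "from mx.ourcompany.example (mx.ourcompany.example [198.51.100.1]) by relay.ourcompany.example",
    "from smtp.partner.example (smtp.partner.example [203.0.113.10]) by mx.ourcompany.example",
]
OUR_HOPS = ["198.51.100.5", "198.51.100.1"]
MAIL_FROM_DOMAIN = "partner.example"  # domain in the Return-Path of the external mail


def without_skip():
    """Naive check: the relay's IP is evaluated against the partner's SPF -> fail."""
    ip = originating_ip(SAMPLE_RECEIVED, skip_ips=[])
    return ip, spf_check(ip, MAIL_FROM_DOMAIN)


def with_skip():
    """Skip-listed hops: the partner's real MTA IP is evaluated -> pass."""
    ip = originating_ip(SAMPLE_RECEIVED, skip_ips=OUR_HOPS)
    return ip, spf_check(ip, MAIL_FROM_DOMAIN)


def relay_in_own_spf():
    """The relay IP is in our own SPF record, but SPF is evaluated for the
    sender's domain, so the external mail still fails without hop skipping."""
    return spf_check("198.51.100.5", "ourcompany.example"), spf_check("198.51.100.5", MAIL_FROM_DOMAIN)


if __name__ == "__main__":
    print("no skip list :", without_skip())
    print("skip our hops:", with_skip())
    print("own SPF only :", relay_in_own_spf())
```

Running it shows the relay IP producing `fail` for the partner domain, the skip-listed walk producing `pass` from the partner's own MTA IP, and that the relay IP passing for `ourcompany.example` is irrelevant because the check is keyed on the external sender's domain.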