I don't think that Exchange is actually forwarding the emails. If that were the case then the email would be listed as coming from an @customerdomain address. The emails are just redistributed to another mail system. This being the case, and by design, SPF is broken because Office365 is not allowed to send mail on behalf of vendor.com.
One way to achieve this would be to set up administrator@customerdomain.com as a shared mailbox and configure auto-forwarding on the mailbox settings. This way the emails are being sent by an @customerdomain.com address and SPF won't fail.
I considered how you might set up some kind of exclusion in your mail system, but you would have to know the details of all senders to be able to configure any kind of bypass; even then you would be opening yourself up to security risks, which happens any time you decide to 'trust' a sender.
That said, I just did my own bit of research and it seems Microsoft are in the process of rolling out Sender Rewriting Scheme (SRS), which fixes this very problem:
To combat email abuse, new authentication mechanisms, such as SPF, DKIM, and DMARC, are being used to combat the spoofing of domains by spammers. These mechanisms, however, are not compatible with the way emails have been forwarded from Office 365 to forward addresses set up for hosted mailboxes. More and more, recipient email servers are rejecting forwarded emails coming from Office 365 as the sender address is not for a domain Office 365 is allowed to send as. To fix this issue, a sender rewriting scheme is being rolled out in Office 365 that will change the sender email address to use the domain of the tenant whose mailbox is forwarding the message. This will avoid the rejections taking place by some email servers with strict settings for their SPF checks. Specifically, the Mail From field that email servers use to determine the sender email address will be rewritten. The separate From header which contains the sender address that is shown to recipients in their email client will not be changed. If any forwarded emails fail to be delivered to the forwarded address, the non-delivery responses will be sent to the original sender of the email which has always been the case.
Estimated Release: Q2 CY2018
Feature ID: 24056
Added to Roadmap: 10/25/2017
Last modified : 07/25/2018
Maybe your problem will be resolved imminently...
https://products.office.com/en-us/business/office-365-roadmap
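To make the roadmap text concrete, here is an added example (not from the answer above, and not Microsoft's implementation; Microsoft's exact rewritten-address format is not shown on this page) that uses the classic SRS0 layout from the public Sender Rewriting Scheme: forwarding rewrites only the envelope sender (MAIL FROM) to an address in the forwarder's own domain, leaves the header From untouched, and a bounce to the rewritten address can be verified and reversed so the non-delivery report still reaches the original sender. The SPF table, IP addresses, HMAC secret and the domains vendor.com / customerdomain.com are constructed assumptions for the demo; a real SPF check resolves the domain's TXT record instead.

```python
"""SRS0 demo: why SPF breaks on plain forwarding and how sender rewriting fixes it.
Added example; SPF records, IPs and the secret below are constructed, not real."""
import base64
import hashlib
import hmac

SRS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # base32 alphabet used by SRS
SRS_SECRET = b"demo-forwarder-secret"             # assumption: forwarder's HMAC key

# Constructed SPF data (assumption): domain -> IPs allowed to send for that domain.
SPF_RECORDS = {
    "vendor.com": {"198.51.100.10"},          # vendor's own outbound relay
    "customerdomain.com": {"203.0.113.20"},   # hypothetical Office 365 outbound IP
}


def spf_check(mail_from: str, connecting_ip: str) -> str:
    """Minimal SPF: does the connecting IP appear in the MAIL FROM domain's record?"""
    domain = mail_from.rpartition("@")[2].lower()
    allowed = SPF_RECORDS.get(domain)
    if allowed is None:
        return "none"
    return "pass" if connecting_ip in allowed else "fail"


def srs_timestamp(days_since_epoch: int) -> str:
    """Two base32 characters encoding (days mod 1024), as in classic SRS."""
    d = days_since_epoch % 1024
    return SRS_ALPHABET[(d >> 5) & 31] + SRS_ALPHABET[d & 31]


def srs_hash(secret: bytes, timestamp: str, domain: str, local: str) -> str:
    """Truncated HMAC binding timestamp, original domain and local part to our secret."""
    msg = f"{timestamp}{domain}{local}".lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b32encode(mac)[:4].decode()


def srs_forward(envelope_from: str, forwarder_domain: str,
                secret: bytes, days_since_epoch: int) -> str:
    """Rewrite MAIL FROM into SRS0=HASH=TIME=orig-domain=orig-local@forwarder-domain."""
    local, _, domain = envelope_from.rpartition("@")
    ts = srs_timestamp(days_since_epoch)
    h = srs_hash(secret, ts, domain, local)
    return f"SRS0={h}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address: str, secret: bytes) -> str:
    """Recover the original sender from a bounce to an SRS0 address, verifying the HMAC.

    Rejecting a bad hash is what stops the forwarder being used as an open bounce relay.
    """
    local = address.rpartition("@")[0]
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    _, h, ts, domain, orig_local = local.split("=", 4)  # maxsplit keeps '=' in local
    expected = srs_hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h, expected):
        raise ValueError("bad SRS hash: forged or foreign bounce address")
    return f"{orig_local}@{domain}"


def forward_message(headers: dict, envelope_from: str, forwarder_domain: str,
                    secret: bytes, days_since_epoch: int):
    """Forward a message: header From is copied unchanged, only MAIL FROM is rewritten."""
    new_envelope_from = srs_forward(envelope_from, forwarder_domain, secret, days_since_epoch)
    return dict(headers), new_envelope_from


if __name__ == "__main__":
    o365_ip = "203.0.113.20"
    original = "sender@vendor.com"
    hdrs = {"From": "Sender <sender@vendor.com>", "Subject": "hello"}

    # Plain redistribution: MAIL FROM still says vendor.com, but the IP is Office 365's.
    print("without SRS:", spf_check(original, o365_ip))
    # With SRS: MAIL FROM is now in customerdomain.com, which authorises that IP.
    new_hdrs, rewritten = forward_message(hdrs, original, "customerdomain.com", SRS_SECRET, 17000)
    print("rewritten MAIL FROM:", rewritten)
    print("with SRS:", spf_check(rewritten, o365_ip), "| header From:", new_hdrs["From"])
    print("bounce goes back to:", srs_reverse(rewritten, SRS_SECRET))
```

Note that SPF in this model only ever looks at the envelope sender, which is exactly why rewriting MAIL FROM and leaving the visible From header alone is enough; DMARC alignment on the header From is a separate question that SRS does not address.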