

SPF Issue

Hi,


I am fairly new to Sophos Central and have the Base Policy setup for Email Gateway with SPF set to Quarantine.

It appears a number of spam emails are getting through that are phishing attempts - when looking at the raw header of the delivered email in the Central dashboard, it is showing the below:

Authentication-Results: mx-01-us-east-2.prod.hydra.sophos.com; spf=pass smtp.mailfrom=redacted; dkim=none
Received-SPF: pass receiver=mx-01-us-east-2.prod.hydra.sophos.com; client-ip=redacted; envelope-from=redacted; helo=au-smtp-delivery-101.mimecast.com;
X-Sophos-Email-ID: 686b2101a8a5494fb97ef0c6dc32c7d7
Received: from au-smtp-delivery-101.mimecast.com (au-smtp-delivery-101.mimecast.com [redacted]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mx-01-us-east-2.prod.hydra.sophos.com (Postfix) with ESMTPS id 459D991ptNz1xnf for <redacted>; Fri, 24 May 2019 04:36:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redacted; s=mimecast20180501; t=1558672601; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding:in-reply-to: references:openpgp:autocrypt; 

However, once the offending email is received in Outlook the below headers have been added:

Received: from ME2PR01MB2644.ausprd01.prod.outlook.com (2603:10c6:220:60::28)
by MEAPR01MB2646.ausprd01.prod.outlook.com with HTTPS via
MEAPR01CA0112.AUSPRD01.PROD.OUTLOOK.COM; Fri, 24 May 2019 04:36:53 +0000
Received: from ME2PR01CA0219.ausprd01.prod.outlook.com (2603:10c6:220:19::15)
by ME2PR01MB2644.ausprd01.prod.outlook.com (2603:10c6:201:1d::23) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.15; Fri, 24 May
2019 04:36:52 +0000
Received: from ME1AUS01FT003.eop-AUS01.prod.protection.outlook.com
(2a01:111:f400:7eb4::206) by ME2PR01CA0219.outlook.office365.com
(2603:10c6:220:19::15) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.15 via Frontend
Transport; Fri, 24 May 2019 04:36:52 +0000
Authentication-Results: spf=permerror (sender IP is redacted)
smtp.mailfrom=redacted; redacted; dkim=fail (signature did not
verify) header.d=redacted;redacted; dmarc=none
action=none header.from=redacted;compauth=none reason=405
Received-SPF: PermError (protection.outlook.com: domain of redacted used
an invalid SPF mechanism)

Why is Office 365 able to determine the SPF/DKIM issues but not the Email Gateway?

Thanks



Added tags
[edited by: Raphael Alganes at 9:22 AM (GMT -7) on 12 May 2023]
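The question above is why one filtering layer can report spf=pass while the mailbox provider later reports spf=permerror ("used an invalid SPF mechanism") for the same message. The block below is an added example for this thread, not code from the post, from Sophos or from Microsoft. It is a toy SPF evaluator over a constructed in-memory DNS table, plus a small Authentication-Results parser that lists the methods on which two hops disagree. All domains (example.test and friends), addresses and header values are constructed; `check_host` implements only the ip4, ip6, include and all mechanisms and treats a, mx, ptr and exists as non-matching because it has no live DNS. RFC 7208 section 4.6 requires permerror as soon as the record has a syntax error anywhere in it; the `strict=False` mode models a lenient checker that silently drops the bad term and keeps matching, which is one way two evaluators can disagree on one record. Whether that, a different envelope-from domain or a different client IP explains the headers in the post cannot be told from the redacted values, which is why the disagreement check is worth running on the real headers.

```python
"""Toy SPF evaluator and Authentication-Results comparison (added example)."""
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups. Domains and addresses are
# documentation/test values, not anything taken from the post.
SPF_RECORDS = {
    # "ipv4:" is a typo for "ip4:"; RFC 7208 knows no such mechanism.
    "example.test": "v=spf1 ip4:198.51.100.0/24 ipv4:203.0.113.0/24 -all",
    "relay.example.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "marketing.example.test": "v=spf1 include:relay.example.test -all",
}

KNOWN_MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "include", "exists", "ptr"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an SPF TXT record into (qualifier, name, argument) tuples.

    Modifiers (terms containing '=', e.g. redirect= or exp=) are skipped;
    RFC 7208 section 6 says unknown modifiers are ignored anyway. Unknown
    mechanism names are kept so check_host can decide what to do with them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    parsed = []
    for raw in terms[1:]:
        if "=" in raw:
            continue
        qualifier, body = ("+", raw)
        if raw[0] in QUALIFIERS:
            qualifier, body = raw[0], raw[1:]
        name, _, arg = body.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_host(ip, domain, strict=True, _depth=0):
    """Return the SPF result for sender IP `ip` and MAIL FROM domain `domain`.

    strict=True follows RFC 7208 section 4.6: a syntax error anywhere in the
    record (here: an unknown mechanism name) yields "permerror" before any
    term is evaluated. strict=False models a lenient checker that drops the
    bad term and keeps matching, so it can still return "pass".
    """
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    if _depth > 10:
        return "permerror"  # include: recursion guard
    try:
        terms = parse_record(record)
    except ValueError:
        return "permerror"
    if strict and any(name not in KNOWN_MECHANISMS for _, name, _ in terms):
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in terms:
        if name not in KNOWN_MECHANISMS:
            continue  # lenient mode only: skip what we do not understand
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network argument
        elif name == "include":
            matched = check_host(ip, arg, strict, _depth + 1) == "pass"
        else:
            matched = False  # a, mx, ptr, exists need live DNS; not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def parse_auth_results(header_value):
    """Extract method=result pairs from an Authentication-Results value."""
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(header_value)}


def disagreements(gateway_header, mailbox_header):
    """Methods present in both headers whose results differ (gateway, mailbox)."""
    g, m = parse_auth_results(gateway_header), parse_auth_results(mailbox_header)
    return {k: (g[k], m[k]) for k in g.keys() & m.keys() if g[k] != m[k]}


# Constructed headers shaped like the two stages in the post (values made up).
GATEWAY = "gateway.example.test; spf=pass smtp.mailfrom=example.test; dkim=none"
MAILBOX = ("spf=permerror (sender IP is 198.51.100.7) smtp.mailfrom=example.test; "
           "dkim=fail (signature did not verify) header.d=example.test; "
           "dmarc=none action=none header.from=example.test")

if __name__ == "__main__":
    ip = "198.51.100.7"
    print("strict :", check_host(ip, "example.test", strict=True))
    print("lenient:", check_host(ip, "example.test", strict=False))
    print("disagree:", disagreements(GATEWAY, MAILBOX))
```

Running it prints permerror for the strict evaluation, pass for the lenient one and a disagreement map with spf and dkim; on real mail, feed the Central dashboard header and the Outlook header into `disagreements` to see exactly which methods and results diverge before deciding which layer's verdict to act on.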