Advisory: Sophos Endpoint - "Your connection isn't private." We're aware of a certificate issue and are actively working to resolve it. Please see: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

M365, Email Security Mailflow, Outbound SPF failure

Hi, we're fairly new with M365 and Sophos Email Security set up with Mailflow and working fine.

Today I had a customer reach out saying that our emails are failing SPF.  Examining the headers, this failure is happening when our outgoing email is passed back to us from Sophos for scanning, then sent out to an external domain.  Our domain passes SPF, but earlier down the chain it's failing.

Header 4 and 5 show the SPF=pass info -- "mydomain.ca" is my obfuscated domain name.

4 Authentication-Results spf=pass (sender IP is 40.107.115.49) smtp.mailfrom=mydomain.ca; dkim=pass (signature was verified) header.d=mydomain.ca;dmarc=pass action=none header.from=mydomain.ca;compauth=pass reason=100
5 Received-SPF Pass (protection.outlook.com: domain of mydomain.ca designates 40.107.115.49 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.115.49; helo=CAN01-YT3-obe.outbound.protection.outlook.com; pr=C

Header 8 and 9 below show the fail which I'm guessing this client is seeing and their (barracuda) appliance is flagging it.

8 X-MS-Exchange-Authentication-Results spf=fail (sender IP is 85.113.88.238) smtp.mailfrom=mydomain.ca; dkim=pass (signature was verified) header.d=mydomain.ca;dmarc=pass action=none header.from=mydomain.ca;
9 Received-SPF Fail (protection.outlook.com: domain of mydomain.ca does not designate 85.113.88.238 as permitted sender) receiver=protection.outlook.com; client-ip=85.113.88.238; helo=mfod-cac1.eml100yul.ctr.sophos.com;

To visualize this, the flow is something like this;
message sent by us to external domain
Rule to redirect to Sophos
Connector: Outbound emails to Sophos Email
Connector: Outbound emails from Sophos
email sent

So my question is, should I be adding the sophos email record (_spf.eml100yul.ctr.sophos.com) to our SPF to mitigate this problem?  To me, it shouldn't matter as my domain, which is the final sending domain is passing the SPF check - the failure is happening between Sophos and my O365 tenant, not directly from my domain.  I'm not really seeing anything in the docs to state this other than if you're using the mail gateway.  Does it apply to mailflow too?



This thread was automatically locked due to age.
Parents Reply
  • Hi, thanks for your reply.  I did come across those articles, however they're not quite the same as what I'm experiencing.  The SPF failures are not within my own system when receiving email, they are happening on sending emails on my customers' systems due to an SPF fail between my M365 domain and Sophos (Mailfow scanning) before it leaves my domain for the recipient.  That fail doesn't impede the flow of email for me and is the default setup for Mailflow.
    IE: email sent - M365 sends to Sophos for scanning - Sophos sends back to M365 if clean - M365 sends email to external recipient.  On the receiving side, some appliances are seeing that my email was sent FROM a Sophos mail server and fails SPF.  My SPF and MX records list Microsoft.

    In my own SPF record, I added the Outbound Sophos IP block that matches my region (Canada), and that has stopped the SPF failures between M365 and Sophos for mail scanning (item 8 & 9 above).  This shouldn't be needed for this kind of set up, in my opinion.

Children
  • Hello Andrew, 

    Good day and many thanks for sharing an update to this and sharing your added steps, good to know it worked on your end.

    Many thanks for your time and patience and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • No. That's not a response. He didn't fix the problem, he implemented a workaround.

    Why are emails coming from Sophos and not from his O365 tenant? That's actually a massive security hole. It means any Sophos customer is authorised to send mail from his domain.

  •   Am not sure why M365 is checking SPF records when it comes to emails that are considered still within the system (albeit M365->Sophos->M365) but usually SPF should be checking inbound emails. So normally SPF is meant to prevent spoofed inbound emails from getting to the internal users. From how the OP described the scenario, it looks like the M365 that was supposed to relay the email out to the internet should have been the one adjusted. IF the M365 is not checking outbound emails but only inbound emails for SPF record, then this would also have the same effect as the workaround that was put in place.

  • I think you've misunderstood his problem. It's nothing to do with internal emails. The problem is that mail routed to Sophos is being stamped with the IP address of the Sophos processing servers. 85.113.88.238 is a Sophos server and the email is saying that it's being sent from that server instead of the O365 server.

  • Sophos escalation team tells me that this is expected behaviour and has no interruption of mail delivery -- except for those customers whose email appliance (Barracuda is one) is scanning the whole email header looking for SPF failures and quarantining our sent email due to this.  You would think that M365 and Sophos would have some kind of integration or trust to avoid having these transactions look like external deliveries between them.
    I haven't had this issue since adding the outgoing sophos IP block to my SPF record, so I'm leaving it like that for now.

  • Thanks Andrew

    If it's expected behaviour, then their documentation is wrong. The mailflow documentation has absolutely no mention anywhere about updating SPF records to include Sophos. That is only included in the Gateway documentation.