Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

M365, Email Security Mailflow, Outbound SPF failure

Hi, we're fairly new with M365 and Sophos Email Security set up with Mailflow and working fine.

Today I had a customer reach out saying that our emails are failing SPF.  Examining the headers, this failure is happening when our outgoing email is passed back to us from Sophos for scanning, then sent out to an external domain.  Our domain passes SPF, but earlier down the chain it's failing.

Header 4 and 5 show the SPF=pass info -- "" is my obfuscated domain name.

4 Authentication-Results spf=pass (sender IP is; dkim=pass (signature was verified);dmarc=pass action=none;compauth=pass reason=100
5 Received-SPF Pass ( domain of designates as permitted sender); client-ip=;; pr=C

Header 8 and 9 below show the fail which I'm guessing this client is seeing and their (barracuda) appliance is flagging it.

8 X-MS-Exchange-Authentication-Results spf=fail (sender IP is; dkim=pass (signature was verified);dmarc=pass action=none;
9 Received-SPF Fail ( domain of does not designate as permitted sender); client-ip=;;

To visualize this, the flow is something like this;
message sent by us to external domain
Rule to redirect to Sophos
Connector: Outbound emails to Sophos Email
Connector: Outbound emails from Sophos
email sent

So my question is, should I be adding the sophos email record ( to our SPF to mitigate this problem?  To me, it shouldn't matter as my domain, which is the final sending domain is passing the SPF check - the failure is happening between Sophos and my O365 tenant, not directly from my domain.  I'm not really seeing anything in the docs to state this other than if you're using the mail gateway.  Does it apply to mailflow too?

This thread was automatically locked due to age.
  •  I think we're seeing the same thing. Tenant A and Tenant B both have Sophos MailFlow set up. The normal email case, eg for Tenant A to Tenant C who is external to Sophos is:

    • Tenant A Outlook -> Tenant A Exchange (kind of)
    • Tenant A Exchange -> Tenant A Sophos
    • Tenant A Sophos -> Tenant A Exchange
    • Tenant A Exchange -> Tenant C MX

    But when Tenant A sends an email to Tenant B it seems to go like:

    • Tenant A Outlook -> Tenant A Exchange (kind of)
    • Tenant A Exchange -> Tenant A Sophos
    • Tenant A Sophos -> Tenant B Exchange
    • Tenant B Exchange -> Tenant B Sophos
    • Email is rejected by SPF because the email came from Tenant A Sophos instead of Tenant A Exchange

    The above is how it appears to be behaving based on the logs I have visibility to (Exchange is a maze of twisty passages, all alike), but who knows what's actually happening. It does seem like because the destination domain is for Tenant B, and because Tenant B is configured for Mail Flow, Exchange just routes the email there instead of first back to Tenant A Exchange.

    As the OP found, adding the Tenant A Sophos IP/hostnames to SPF might work around this, but as they aren't formally published, this could break at any time. Also we use Exchange rules to apply signatures and this flow error could break that too (I haven't checked yet - more interested in getting email to its destination first!)

Reply Children
No Data