Hi, we're fairly new with M365 and Sophos Email Security set up with Mailflow and working fine.
Today I had a customer reach out saying that our emails are failing SPF. Examining the headers, this failure is happening when our outgoing email is passed back to us from Sophos for scanning, then sent out to an external domain. Our domain passes SPF, but earlier down the chain it's failing.
Header 4 and 5 show the SPF=pass info -- "mydomain.ca" is my obfuscated domain name.
|4||Authentication-Results||spf=pass (sender IP is 126.96.36.199) smtp.mailfrom=mydomain.ca; dkim=pass (signature was verified) header.d=mydomain.ca;dmarc=pass action=none header.from=mydomain.ca;compauth=pass reason=100|
|5||Received-SPF||Pass (protection.outlook.com: domain of mydomain.ca designates 188.8.131.52 as permitted sender) receiver=protection.outlook.com; client-ip=184.108.40.206; helo=CAN01-YT3-obe.outbound.protection.outlook.com; pr=C|
Header 8 and 9 below show the fail which I'm guessing this client is seeing and their (barracuda) appliance is flagging it.
|8||X-MS-Exchange-Authentication-Results||spf=fail (sender IP is 220.127.116.11) smtp.mailfrom=mydomain.ca; dkim=pass (signature was verified) header.d=mydomain.ca;dmarc=pass action=none header.from=mydomain.ca;|
|9||Received-SPF||Fail (protection.outlook.com: domain of mydomain.ca does not designate 18.104.22.168 as permitted sender) receiver=protection.outlook.com; client-ip=22.214.171.124; helo=mfod-cac1.eml100yul.ctr.sophos.com;|
To visualize this, the flow is something like this;
message sent by us to external domain
Rule to redirect to Sophos
Connector: Outbound emails to Sophos Email
Connector: Outbound emails from Sophos
So my question is, should I be adding the sophos email record (_spf.eml100yul.ctr.sophos.com) to our SPF to mitigate this problem? To me, it shouldn't matter as my domain, which is the final sending domain is passing the SPF check - the failure is happening between Sophos and my O365 tenant, not directly from my domain. I'm not really seeing anything in the docs to state this other than if you're using the mail gateway. Does it apply to mailflow too?
[edited by: Raphael Alganes at 5:18 AM (GMT -7) on 7 Jun 2023]