M365, Email Security Mailflow, Outbound SPF failure

Question

Hi, we're fairly new with M365 and Sophos Email Security set up with Mailflow and working fine. 
 Today I had a customer reach out saying that our emails are failing SPF. Examining the headers, this failure is happening when our outgoing email is passed back to us from Sophos for scanning, then sent out to an external domain. Our domain passes SPF, but earlier down the chain it's failing. 
 Header 4 and 5 show the SPF=pass info -- " mydomain.ca" is my obfuscated domain name.

4 
 Authentication-Results 
 spf=pass (sender IP is 40.107.115.49) smtp.mailfrom=mydomain.ca; dkim=pass (signature was verified) header.d=mydomain.ca;dmarc=pass action=none header.from=mydomain.ca;compauth=pass reason=100

5 
 Received-SPF 
 Pass (protection.outlook.com: domain of mydomain.ca designates 40.107.115.49 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.115.49; helo=CAN01-YT3-obe.outbound.protection.outlook.com; pr=C

Header 8 and 9 below show the fail which I'm guessing this client is seeing and their (barracuda) appliance is flagging it.

8 
 X-MS-Exchange-Authentication-Results 
 spf=fail (sender IP is 85.113.88.238) smtp.mailfrom=mydomain.ca; dkim=pass (signature was verified) header.d=mydomain.ca;dmarc=pass action=none header.from=mydomain.ca;

9 
 Received-SPF 
 Fail (protection.outlook.com: domain of mydomain.ca does not designate 85.113.88.238 as permitted sender) receiver=protection.outlook.com; client-ip=85.113.88.238; helo=mfod-cac1.eml100yul.ctr.sophos.com;

To visualize this, the flow is something like this; message sent by us to external domain Rule to redirect to Sophos Connector: Outbound emails to Sophos Email Connector: Outbound emails from Sophos email sent 
 So my question is, should I be adding the sophos email record (_spf.eml100yul.ctr.sophos.com) to our SPF to mitigate this problem? To me, it shouldn't matter as my domain, which is the final sending domain is passing the SPF check - the failure is happening between Sophos and my O365 tenant, not directly from my domain. I'm not really seeing anything in the docs to state this other than if you're using the mail gateway. Does it apply to mailflow too?

Andrew Rolt · Accepted Answer

Hi, thanks for your reply. I did come across those articles, however they're not quite the same as what I'm experiencing. The SPF failures are not within my own system when receiving email, they are happening on sending emails on my customers' systems due to an SPF fail between my M365 domain and Sophos (Mailfow scanning) before it leaves my domain for the recipient. That fail doesn't impede the flow of email for me and is the default setup for Mailflow. IE: email sent - M365 sends to Sophos for scanning - Sophos sends back to M365 if clean - M365 sends email to external recipient. On the receiving side, some appliances are seeing that my email was sent FROM a Sophos mail server and fails SPF. My SPF and MX records list Microsoft. 
 In my own SPF record, I added the Outbound Sophos IP block that matches my region (Canada), and that has stopped the SPF failures between M365 and Sophos for mail scanning (item 8 & 9 above). This shouldn't be needed for this kind of set up, in my opinion.

Raphael Alganes · Answer

Hello there, 
 Good day and thanks for reaching out to Sophos Community, hope you are well 
 Might these Recommended Reads be able to give insight as it seems to be a similar use case: 
 Sophos Email: [Mailflow]: SPF check passes Sophos Email even though the original SPF status is a fail [Sender: M365 hosted domains] 
 Sophos Email: The proper host to do SPF sender checks 
 Kindly let us know how it goes for you. Many thanks for your time and patience and thank you for choosing Sophos 
 Cheers,

M365, Email Security Mailflow, Outbound SPF failure

Top Replies