Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Problem getting emails from Microsoft 365 relay pool

Hi

We have problem getting emails from o365 that comes from ip 40.95.0.0/16 range.

Microsoft calls it relay pool. Its not the in the SPF pool.

Does anyone know what to configure so the emails will not be with spf error?

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-high-risk-delivery-pool-about?view=o365-worldwide

https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors

Anyone?

Shay



Edited TAGs
[edited by: Raphael Alganes at 6:19 AM (GMT -8) on 8 Mar 2024]
Parents Reply Children
  • Hello Shay,

    can you show us one of the SPF errors you get?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Relay pool

    In certain scenarios, messages that are forwarded or relayed via Microsoft 365 are sent using a special relay pool, because the destination shouldn't consider Microsoft 365 as the actual sender. It's important for us to isolate this email traffic, because there are legitimate and invalid scenarios for auto forwarding or relaying email out of Microsoft 365. Similar to the high-risk delivery pool, a separate IP address pool is used for relayed mail. This address pool isn't published because it can change often, and it's not part of published SPF record for Microsoft 365.

    Microsoft 365 needs to verify that the original sender is legitimate so we can confidently deliver the forwarded message.

    The forwarded or relayed message should meet one of the following criteria to avoid using the relay pool:

    • The outbound sender is in an accepted domain.
    • SPF passes when the message comes to Microsoft 365.
    • DKIM on the sender domain passes when the message comes to Microsoft 365.

    You can tell that a message was sent via the relay pool by looking at the outbound server IP (the relay pool is in the 40.95.0.0/16 range).

    In cases where we can authenticate the sender, we use Sender Rewriting Scheme (SRS) to help the recipient email system know that the forwarded message is from a trusted source. You can read more about how that works and what you can do to help make sure the sending domain passes authentication in Sender Rewriting Scheme (SRS) in Office 365.

    For DKIM to work, make sure you enable DKIM for sending domain. For example, fabrikam.com is part of contoso.com and is defined in the accepted domains of the organization. If the message sender is sender@fabrikam.com, DKIM needs to be enabled for fabrikam.com. you can read on how to enable at Use DKIM to validate outbound email sent from your custom domain.

    To add a custom domain, follow the steps in Add a domain to Microsoft 365.

    If the MX record for your domain points to a third party service or an on-premises email server, you should use Enhanced Filtering for Connectors. Enhanced Filtering ensures SPF validation is correct for inbound mail and avoids sending email through the relay pool.

  • Did you follow this guide to avoid sending through the relay pool?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.