Problem getting emails from Microsoft 365 relay pool

anyone?

Hello Shay,

can you show us one of the SPF errors you get?

In certain scenarios, messages that are forwarded or relayed via Microsoft 365 are sent using a special relay pool, because the destination shouldn't consider Microsoft 365 as the actual sender. It's important for us to isolate this email traffic, because there are legitimate and invalid scenarios for auto forwarding or relaying email out of Microsoft 365. Similar to the high-risk delivery pool, a separate IP address pool is used for relayed mail. This address pool isn't published because it can change often, and it's not part of published SPF record for Microsoft 365.

Microsoft 365 needs to verify that the original sender is legitimate so we can confidently deliver the forwarded message.

The forwarded or relayed message should meet one of the following criteria to avoid using the relay pool:

• The outbound sender is in an accepted domain.
• SPF passes when the message comes to Microsoft 365.
• DKIM on the sender domain passes when the message comes to Microsoft 365.

You can tell that a message was sent via the relay pool by looking at the outbound server IP (the relay pool is in the 40.95.0.0/16 range).

In cases where we can authenticate the sender, we use Sender Rewriting Scheme (SRS) to help the recipient email system know that the forwarded message is from a trusted source. You can read more about how that works and what you can do to help make sure the sending domain passes authentication in Sender Rewriting Scheme (SRS) in Office 365.

For DKIM to work, make sure you enable DKIM for sending domain. For example, fabrikam.com is part of contoso.com and is defined in the accepted domains of the organization. If the message sender is sender@fabrikam.com, DKIM needs to be enabled for fabrikam.com. you can read on how to enable at Use DKIM to validate outbound email sent from your custom domain.

To add a custom domain, follow the steps in Add a domain to Microsoft 365.

If the MX record for your domain points to a third party service or an on-premises email server, you should use Enhanced Filtering for Connectors. Enhanced Filtering ensures SPF validation is correct for inbound mail and avoids sending email through the relay pool.

Did you follow this guide to avoid sending through the relay pool?

Did you follow this guide to avoid sending through the relay pool?