Mailflow: SPF check passes in Sophos Email even though the original SPF status is a fail [Sender: M365 hosted domains]

Hi Everyone!

I have just encountered a case where a customer has Mailflow mode (as opposed to Gateway mode) and the sender domain actually had a failed SPF result but was let through by Sophos Email's SPF check (Action: Quarantine).

Upon analyzing this behavior, I found that the sender domain is hosted within the M365 environment and that SPF checking in the recipient's M365 environment is disabled.

So, looking at how Sophos Email's Mailflow mode and Gateway mode setups work, this behavior makes sense.

Here's a play-by-play of what happened (I am using 'senderdomain.com' as an example only):

  1. An email was sent from senderdomain.com and received by M365. SPF checking is disabled in M365 but enabled in Sophos Email with Action: Quarantine.
  2. The SPF status shows "spf=fail" in M365 because the originating IP address is not part of senderdomain.com's SPF record. But since SPF checking is disabled in the M365 environment, the email was let through to Sophos Email (the next hop).
  3. Sophos Email sees the sender domain as 'senderdomain.com' and looks up that domain's SPF record. The connecting IP address that Sophos Email sees handing the email over is an M365 address, and because senderdomain.com is hosted in M365 its SPF record authorizes M365's sending addresses, so the SPF check results in 'spf=pass' and the email is delivered to the recipient user.
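
To make the hop-by-hop difference concrete, here is an added example (not Sophos code, not from the original post) that runs a minimal SPF evaluation of the same message at each hop. The SPF records, IP ranges and hop addresses are constructed placeholders; in particular the range behind the include is a stand-in for Microsoft's real SPF data.

```python
import ipaddress

# Constructed DNS data for the example. senderdomain.com is hosted in M365, so its
# record includes Microsoft's SPF include. The ip4 range is a placeholder, not the
# real Microsoft range.
SPF_RECORDS = {
    "senderdomain.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
}


def evaluate_spf(domain, client_ip, depth=0):
    """Minimal SPF evaluator supporting ip4, include, -all and ~all.

    Returns one of: pass, fail, softfail, neutral, none.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:  # unknown domain or include loop guard
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if evaluate_spf(term[8:], client_ip, depth + 1) == "pass":
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"


def check_each_hop(mail_from_domain, hops):
    """hops: list of (hop_name, connecting_ip). Returns {hop_name: spf_result}."""
    return {name: evaluate_spf(mail_from_domain, ip) for name, ip in hops}


# Constructed scenario from the post: the message enters M365 from an IP that is
# not in senderdomain.com's SPF record, then M365 hands it to Sophos Email.
HOPS = [
    ("M365 (first hop, original connecting IP)", "198.51.100.7"),
    ("Sophos Email (next hop, connecting IP is M365)", "203.0.113.25"),
]

if __name__ == "__main__":
    for hop, result in check_each_hop("senderdomain.com", HOPS).items():
        print(f"{hop}: spf={result}")  # first hop: fail, second hop: pass
```

Only the first hop sees the original connecting IP, which is why the SPF decision has to be enforced there; by the time Sophos Email evaluates the same envelope sender, the connecting address is M365's own and the record legitimately passes.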

If you want to know more about how SPF works and which server should perform the SPF check, please see my other Recommended Reads post linked below:

https://community.sophos.com/sophos-email/f/recommended-reads/137260/sophos-email-the-proper-host-to-do-spf-sender-checks

What to do

The current recommendation for now (as I am bringing this to our development team's attention) is to enable SPF checking in the M365 environment. This is specifically recommended to defend against envelope-from spoofing of domains that are hosted within M365.


correction
[edited by: josepalad at 2:13 PM (GMT -8) on 25 Nov 2022]