3CX DLL-Sideloading attack: What you need to know
I have just encountered a case where a customer have Mailflow mode (as opposed to Gateway mode) where in the sender domain actually have a failed SPF result but was let through in Sophos Email's SPF checking (Action: quarantine)
Upon analyzing this behavior, I found that the sender domain is hosted within the M365 environment and that the SPF checking in the recipient M365 is disabled.
So, looking at how Sophos Email's Mailflow mode versus Gateway mode setup works, this behavior makes sense.
Here's a play by play of what happened: (I am using 'senderdomain.com' as an example only)
If you want to know more on how SPF works and which server should proper SPF check be done, please go to my other Recommend Reads link below:
What to do
The current recommendation for now (as I am bringing this to our development's attention) is to enable SPF checking in the M365 environment. This is specifically recommended to defend against envelope-from spoofing of domains that are hosted within M365.