
Sophos Email: [Mailflow]: SPF check passes Sophos Email even though the original SPF status is a fail [Sender: M365 hosted domains]

Hi Everyone!

I have just encountered a case where a customer has Mailflow mode (as opposed to Gateway mode), and where the sender domain actually had a failed SPF result but was let through by Sophos Email's SPF check (Action: Quarantine).

Upon analyzing this behavior, I found that the sender domain is hosted within the M365 environment and that the SPF checking in the recipient M365 is disabled.

So, looking at how Sophos Email's Mailflow mode versus Gateway mode setup works, this behavior makes sense. 

Here's a play-by-play of what happened (I am using 'senderdomain.com' as an example only):

  1. An email was sent from senderdomain.com and received by M365. SPF checking is disabled in M365 but enabled in Sophos Email with action: Quarantine.
  2. The SPF status in M365 shows "spf=fail" because the originating IP address is not part of senderdomain.com's SPF record. But since SPF checking is disabled in the M365 environment, the email was let through to Sophos Email (the next hop).
  3. Sophos Email sees the sender domain as 'senderdomain.com' and looks at the SPF record of that domain. Since Sophos Email sees an M365 IP address handing the email over to it, and that address is authorised by senderdomain.com's SPF record, the SPF check results in 'spf=pass', so the email is delivered to the recipient user.

If you want to know more about how SPF works and which server should perform the proper SPF check, please see my other Recommended Reads post linked below:

https://community.sophos.com/sophos-email/f/recommended-reads/137260/sophos-email-the-proper-host-to-do-spf-sender-checks

What to do

The current recommendation for now (as I am bringing this to our development's attention) is to enable SPF checking in the M365 environment. This is specifically recommended to defend against envelope-from spoofing of domains that are hosted within M365.

UPDATE: (Feb 23 2024)
Sophos Email Mailflow now follows what the edge server sees. Since M365 is the edge server (the server that accepted the email directly from the sender's server), if the SPF result in M365 is a softfail then Sophos Email will report a softfail as well. If it is a hardfail in M365, then it will be a hardfail in Sophos Email.
Further, Sophos Email also copies the original sender IP address that was detected by M365. Evidence of this is in the Message Details: you will see the originating sender IP there, not an M365 IP address. This indicates that any determination Sophos Email makes is applied to that IP address, and not to the M365 address that handed the email over.
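As an added example (my own illustration, not Sophos's code or the product's actual logic), here is a small Python model of the two behaviours described in the play-by-play above and in the update: a downstream filter that evaluates SPF against the IP that connected to it (the edge's own address) passes a message the edge already marked spf=fail, while a filter that re-uses the client IP the edge recorded (from its Authentication-Results header, or from the Received line the edge stamped) reproduces the edge's fail. DNS is replaced by an inline table so it runs offline; the host names, addresses, SPF record and header text are constructed stand-ins, and the Authentication-Results wording is modelled on the RFC 8601 / M365 style rather than copied from any real message.

```python
"""Why a downstream SPF check can 'pass' a message the edge already failed,
and how re-using the edge's observation fixes it.  Added example, not Sophos
code.  DNS lookups are replaced by an inline table so this runs offline."""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed stand-ins for DNS TXT records.  203.0.113.0/24 plays the role of
# the hosting provider's (M365-style) outbound range that senderdomain.com
# legitimately authorises; 192.0.2.10 is the unrelated originating IP.
SPF_RECORDS = {
    "senderdomain.com": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str) -> str:
    """Minimal SPF evaluator: only ip4 and all mechanisms (enough for the demo)."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # include:, a, mx, etc. are out of scope for this toy
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def mailfrom_domain(msg: Message) -> str:
    """Envelope-from domain, taken from the Return-Path the edge recorded."""
    return msg["Return-Path"].strip("<> ").rsplit("@", 1)[1]


def edge_client_ip(msg: Message, edge_host: str) -> Optional[str]:
    """IP the edge accepted the message from: first from the edge's own
    Authentication-Results header, else from the Received line it stamped."""
    for ar in msg.get_all("Authentication-Results", []):
        if ar.split(";", 1)[0].strip().lower() == edge_host:
            m = re.search(r"(?:sender IP is|client-ip=)\s*(\d+\.\d+\.\d+\.\d+)", ar)
            if m:
                return m.group(1)
    for rcv in msg.get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(edge_host), rcv):
            m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", rcv)
            if m:
                return m.group(1)
    return None


def spf_at_last_hop(msg: Message, connecting_ip: str) -> str:
    """Naive downstream check: evaluates the IP that handed us the message."""
    return check_spf(mailfrom_domain(msg), connecting_ip)


def spf_from_edge(msg: Message, edge_host: str) -> str:
    """Edge-based downstream check: evaluates the IP the edge received from."""
    ip = edge_client_ip(msg, edge_host)
    if ip is None:
        return "temperror"  # edge observation cannot be recovered
    return check_spf(mailfrom_domain(msg), ip)


# Constructed message headers (not a real capture): the edge failed SPF for
# 192.0.2.10, then relayed the message to the filter from 203.0.113.5.
RAW = """\
Received: from edge.example (203.0.113.5) by filter.example with ESMTP; Fri, 23 Feb 2024 10:00:02 -0800
Authentication-Results: edge.example; spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=senderdomain.com
Received: from mail.unrelated.example (192.0.2.10) by edge.example with ESMTP; Fri, 23 Feb 2024 10:00:01 -0800
Return-Path: <billing@senderdomain.com>
From: billing@senderdomain.com
Subject: Invoice

body
"""
MESSAGE = message_from_string(RAW)
# Same message without the edge's Authentication-Results header, to exercise
# the Received-line fallback.
MESSAGE_NO_AR = message_from_string(
    "\n".join(l for l in RAW.splitlines() if not l.startswith("Authentication-Results")) + "\n"
)
EDGE_HOST = "edge.example"
LAST_HOP_IP = "203.0.113.5"  # the edge's outbound address as seen by the filter

if __name__ == "__main__":
    print("last-hop evaluation  :", spf_at_last_hop(MESSAGE, LAST_HOP_IP))
    print("edge-based evaluation:", spf_from_edge(MESSAGE, EDGE_HOST))
```

The point the model makes is the one in the steps above: the last-hop check is not wrong as an SPF computation, it is answering the wrong question, because the authorised address it sees belongs to the relay and not to the party that actually injected the message. Only the host that accepted the message from the internet has the connecting IP that SPF is meant to test, so a downstream hop has to either trust that host's recorded result or re-evaluate against the IP that host recorded.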



Just added new info to correct expectations when it comes to Sophos Email's Mailflow mode and SPF checking.
[edited by: josepalad at 10:48 AM (GMT -8) on 23 Feb 2024]