Analyzing message header
We are in a hybrid deployment and all mailboxes are in Exchange Online. Our MX record points to our 3rd-party spam filter, which sends to our on-premise server, which in turn sends to Exchange Online. In short, it looks like this:
Sender - 3rd-party spam filter - Exchange on-premise - Exchange Online.
When I analyze the message header I see the following in Authentication-Results (1st line of the header):
spf=none (sender IP is 212.212.212.212) smtp.mailfrom=domain.ninja; domain.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;domain.mail.onmicrosoft.com; dmarc=none action=none header.from=domain.ninja;domain.com; dkim=none (message not signed) header.d=none;
Sender IP (212.212.212.212) is our on-premise Exchange server's external address.
smtp.mailfrom=domain.ninja is the domain that sent the message.
domain.mail.onmicrosoft.com is our Exchange Online domain.
Is it by design that our on-premise Exchange server is seen as the sender?
If so, does that mean that if someone is spoofing our domain it will be bypassed, since the sender IP is in our SPF record?
We are getting more than enough spoofing emails directed to our CEO and Finance director, and adding an SPF record doesn't seem to help.
I know DKIM and DMARC should help better against spoofing, but currently we cannot implement them, since our MX record does not point to EOP.
Thanks!
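
For checking this across many messages, the following parses an Authentication-Results value in the format quoted above and reports whether the SPF clause was evaluated against one of your own relay addresses. It is an added example, not part of the original post; the function names and the `OWN_RELAYS` list are assumptions, and the sample value is the header quoted in the post.

```python
import re
from ipaddress import ip_address

# Header value quoted in the post above (Exchange Online format).
SAMPLE = ("spf=none (sender IP is 212.212.212.212) smtp.mailfrom=domain.ninja; "
          "domain.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;"
          "domain.mail.onmicrosoft.com; dmarc=none action=none "
          "header.from=domain.ninja;domain.com; dkim=none (message not signed) header.d=none;")

# Assumption: addresses of your own relays that hand mail to Exchange Online.
OWN_RELAYS = {ip_address("212.212.212.212")}

METHOD = re.compile(r"^(spf|dkim|dmarc)=(\w+)", re.I)
SENDER_IP = re.compile(r"\(sender IP is ([0-9A-Fa-f:.]+)\)")
PROP = re.compile(r"\b((?:smtp|header)\.\w+)=([^\s;]+)")

def parse_auth_results(value):
    """Return one dict per spf/dkim/dmarc clause; other segments are skipped."""
    clauses = []
    for segment in value.split(";"):
        segment = segment.strip()
        m = METHOD.match(segment)
        if not m:
            continue  # e.g. the bare "domain.mail.onmicrosoft.com" segments
        clause = {"method": m.group(1).lower(), "result": m.group(2).lower()}
        ip = SENDER_IP.search(segment)
        if ip:
            clause["ip"] = ip_address(ip.group(1))
        # smtp.mailfrom=..., header.d=..., header.from=... become dict keys
        clause.update(PROP.findall(segment))
        clauses.append(clause)
    return clauses

def spf_checked_against_own_relay(value, own_relays=OWN_RELAYS):
    """True when the SPF clause names one of our own relays as the sender IP,
    so the verdict reflects the relay's address, not the originating host."""
    return any(c["method"] == "spf" and c.get("ip") in own_relays
               for c in parse_auth_results(value))

if __name__ == "__main__":
    for clause in parse_auth_results(SAMPLE):
        print(clause)
    print("SPF evaluated against own relay:", spf_checked_against_own_relay(SAMPLE))
```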