Forum Discussion
RNalivaika
May 04, 2020 Iron Contributor
Exchange Online Protection SPF record
Hi, I have received a message sent via Exchange Online host IPv6 "2603:10a6:20b:c0::31". The message was marked as spam because of SPF fail. Subnet "2603:10a6:20b:c0::/64" is not in the list of O365 ...
JohnLBevan
Feb 15, 2024 Copper Contributor
I've done a few tests now and think I can explain it...
I see 2603:10b6::/37 IPs show up when I send emails to other mailboxes under our tenant.
However, if I send mails externally (e.g. to a gmail address) I see the IPs listed in the SPF record (e.g. 2a01:111:f403:261b::700).
Similarly, mails sent internally don't include a DKIM selector (header.s=selector1 / header.s=selector2), whilst those sent externally do.
So I think this behaviour may be by design; but (to the best of my Google-fu) I can't find this documented anywhere.
i.e. When mails are sent internally, MS already knows they're valid, so doesn't bother following the normal processes which would allow a mail to be verified via DMARC. But when mails are sent externally it does use an IP covered by SPF and a selector covered by DKIM as expected.
That's my theory though; not a verified fact.
JohnLBevan
Feb 22, 2024 Copper Contributor
More info on this thread: https://serverfault.com/questions/1154095/spf-spf-protection-outlook-com-is-invalid-for-messages-within-tenant/1154098#1154098
It looks likely that SPF and DKIM are not relevant when the header `X-MS-Exchange-Organization-AuthAs` has value `Internal`.
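The triage described in this thread, as an added example that is not part of the original posts: it reads `X-MS-Exchange-Organization-AuthAs`, looks for a DKIM selector in `Authentication-Results`, and checks the sending IP against the `ip4:`/`ip6:` terms of an SPF record. The function names, the sample headers, the SPF record, the internal sample IP and the `Anonymous` value in the external sample are constructed for illustration, and the "intra-tenant" verdict follows the thread's unverified theory.

```python
import ipaddress
from email import message_from_string

def spf_networks(spf_record):
    """ip4:/ip6: networks named directly in one SPF record (include: is not expanded)."""
    nets = []
    for term in spf_record.split()[1:]:          # skip the "v=spf1" version term
        mech = term.lstrip("+-~?")               # drop the qualifier, if any
        if mech.lower().startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets

def triage(raw_headers, sender_ip, spf_record):
    """Classify one message from its headers, the connecting IP and an SPF record."""
    msg = message_from_string(raw_headers)
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip()
    auth_results = " ".join(msg.get_all("Authentication-Results") or [])
    ip = ipaddress.ip_address(sender_ip)
    covered = any(ip.version == n.version and ip in n
                  for n in spf_networks(spf_record))
    if auth_as.lower() == "internal":
        verdict = "intra-tenant"      # thread's theory: SPF/DKIM result not relevant
    elif covered:
        verdict = "spf-covered"
    else:
        verdict = "spf-uncovered"     # SPF fail here deserves a closer look
    return {"auth_as": auth_as, "spf_covers_ip": covered,
            "dkim_selector_seen": "header.s=" in auth_results, "verdict": verdict}

# Constructed sample data (not taken from real messages or the real SPF record).
SAMPLE_SPF = "v=spf1 ip6:2a01:111:f403::/48 -all"
INTERNAL_HEADERS = (
    "Authentication-Results: spf=fail smtp.mailfrom=example.com; dkim=none\n"
    "X-MS-Exchange-Organization-AuthAs: Internal\n"
    "Subject: constructed internal sample\n\n")
EXTERNAL_HEADERS = (
    "Authentication-Results: spf=pass smtp.mailfrom=example.com;\n"
    " dkim=pass header.d=example.com header.s=selector1\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "Subject: constructed external sample\n\n")

if __name__ == "__main__":
    print(triage(INTERNAL_HEADERS, "2603:10b6:208:1::1", SAMPLE_SPF))
    print(triage(EXTERNAL_HEADERS, "2a01:111:f403:261b::700", SAMPLE_SPF))
```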