Forum Discussion
bart_vermeersch
May 24, 2020
Two questions on mail headers (CIP & SFV:BLK)
In a hybrid Exchange 2013 - EXO environment (with MX pointing on-prem), I came across two issues:
1. The connecting IP address (CIP) always equals one of the on-prem relay servers (not the original external mail server). This results in:
- SPF always fails for inbound mails
- because of the connection filter, every mail gets IPV:CAL (The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.)
2. When checking user submissions for "Not Junk", we see SFV:BLK in the headers (Filtering was skipped and the message was blocked because it was sent from an address on an individual's blocked sender list). When checking Get-MailboxJunkEmailConfiguration, BlockedSendersAndDomains is (already?) empty.
Thank you for helping me out!
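An added example, not part of the thread and not a Microsoft tool: a small Python script that triages the headers Bart describes. It parses X-Forefront-Antispam-Report and Authentication-Results, checks whether the CIP falls inside the on-prem relay ranges, and walks the Received chain downwards through those relays to find the IP the relay actually accepted the message from. The header sample, the relay ranges (198.51.100.0/28, 10.0.0.0/8) and the host names are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string, policy

# Constructed for this example: public and internal ranges of the on-prem
# Exchange relays that hand mail off to Exchange Online (EXO).
ON_PREM_RELAYS = [ipaddress.ip_network(n) for n in ("198.51.100.0/28", "10.0.0.0/8")]

# Constructed sample headers: external sender -> on-prem relay -> EXO. The
# connecting IP EXO sees (CIP) is the relay, so SPF is evaluated against it.
SAMPLE_HEADERS = """\
Received: from relay01.corp.example (198.51.100.7) by
 AM0PR05MB1234.eurprd05.prod.outlook.com (2603:10a6:208:a1::12) with Microsoft
 SMTP Server (version=TLS1_2) id 15.20.3021.27; Sun, 24 May 2020 08:12:03 +0000
Received: from mx.sender.example (203.0.113.25) by relay01.corp.example
 (10.0.0.5) with Microsoft SMTP Server id 15.0.1497.2; Sun, 24 May 2020 08:12:01 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=sender.example; dkim=none (message not signed) header.d=none;
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:BE;LANG:en;SCL:1;SRV:;IPV:CAL;
 SFV:NSPM;H:relay01.corp.example;PTR:mail.corp.example;CAT:NONE;DIR:INB;
From: Alice <alice@sender.example>
To: bart@corp.example
Subject: constructed test message

"""

# Constructed report value for the second symptom in the thread (SFV:BLK).
BLK_REPORT = "CIP:203.0.113.25;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:BLK;DIR:INB"

# Verdict meanings, per Microsoft's anti-spam message header documentation.
SFV_MEANING = {
    "NSPM": "not spam",
    "SPM": "marked as spam by spam filtering",
    "BLK": "filtering skipped, blocked: sender on the user's Blocked Senders list",
    "SFE": "filtering skipped, allowed: sender on the user's Safe Senders list",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RECEIVED = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.I)


def parse_antispam_report(value):
    """Split an X-Forefront-Antispam-Report value ('K:V;K:V;...') into a dict."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def is_on_prem_relay(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ON_PREM_RELAYS)


def received_hops(msg):
    """(from_ip, by_host) per Received header, newest hop (EXO's own) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(str(value))
        if m:
            ips = IPV4.findall(m.group("from"))
            hops.append((ips[0] if ips else None, m.group("by")))
    return hops


def probable_origin(hops):
    """Walk down from EXO through our own relays; the first 'from' IP that is
    not one of our relays is the IP our infrastructure really accepted the
    message from. Stop there: Received headers below that hop were written on
    the sender's side and can be forged."""
    for from_ip, _by in hops:
        if from_ip is None or not is_on_prem_relay(from_ip):
            return from_ip
    return None


def diagnose(raw_headers):
    msg = message_from_string(raw_headers, policy=policy.default)
    report = parse_antispam_report(str(msg.get("X-Forefront-Antispam-Report", "")))
    spf = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    cip = report.get("CIP")
    return {
        "cip": cip,
        "cip_is_onprem_relay": bool(cip) and is_on_prem_relay(cip),
        "spf": spf.group(1) if spf else None,
        "ipv": report.get("IPV"),
        "sfv": report.get("SFV"),
        "sfv_meaning": SFV_MEANING.get(report.get("SFV"), "unknown verdict"),
        "probable_origin": probable_origin(received_hops(msg)),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_HEADERS)
    for key, val in result.items():
        print(f"{key:>20}: {val}")
    if result["cip_is_onprem_relay"]:
        print("CIP is an on-prem relay: SPF and the connection filter were evaluated "
              "against the relay, not against", result["probable_origin"])
```

Two points the output makes visible. SPF is evaluated against the IP that connects to EXO, so when the on-prem relay is that IP, the sender domain's SPF record is checked against the relay's address and fails (IPV:CAL then only says the relay is on the connection-filter allow list; the real origin was never evaluated). And the only Received hop whose "from" address you can trust is the one written by your own relay; anything further down the chain is under the sender's control, which is why the walk stops at the first non-relay IP.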
- BemmelenPatrick
Hello Bart,
Hope I can help you with this one, here it goes 😉
1. Could you check if the Hybrid connector on Exchange Online has the option "keep internal Exchange message headers" set to ON?
https://docs.microsoft.com/en-us/previous-versions/exchange-server/exchange-150/dn910994(v=exchg.150)?redirectedfrom=MSDN
Also, do you have a SPF record and does it contain the WAN IP of your Exchange server?
2. Please have a look at this article:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#view-user-submissions-to-microsoft
I think your users submitted the mails directly to Microsoft. With the above view you are able to check if they did and take the required actions (for instance, disable user submissions and disable the Reports add-in for Outlook).
- bart_vermeersch
BemmelenPatrick Thank you!
1. "Keep internal Exchange message headers" is enabled for the inbound and outbound connector. When checking the mail headers you can see all the hops, but SPF is not checked against the originating mail server but against an internal relay server. If all hops are retained in the mail headers, why/when is SPF not checked against the first server? Our SPF is valid (although currently set to "?all").
2. That's where I see those mails. But I found it weird that we see every day at least one user submitting a false positive (not junk) in which we see SFV:BLK. When checking the blocked sender list, the sender is not present (anymore?). Was the sender automatically removed from the blocked sender list because the user submitted the mail to MS as not junk?
- BemmelenPatrick
1. SPF is always checked against the last IP before Office 365 receives it, so it's strange that EXO presumes it's a local IP.
Are these mails being relayed via the Exchange Server from an application or printer for instance?
Could you maybe post a result of a message trace?
2. Yes, that could be the case. Microsoft checks the sender based on reputation and other specifications, so if these checks pass the sender is considered safe.
What you could do, of course, is disable the option for your users to submit the mails, but that's something I can't decide, of course 😉