Forum Discussion
Two questions on mail headers (CIP & SFV:BLK)
Hope I can help you with this one, here it goes 😉
1. Could you check if the Hybrid connector on Exchange Online has the option "keep internal Exchange message headers" set to ON?
https://docs.microsoft.com/en-us/previous-versions/exchange-server/exchange-150/dn910994(v=exchg.150)?redirectedfrom=MSDN
Also, do you have a SPF record and does it contain the WAN IP of your Exchange server?
2. Please have a look at this article:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#view-user-submissions-to-microsoft
I think your users submitted the mails directly to Microsoft, with the above view you are able to check if they did and take the required actions (for instance, disable user submissions from and disable the Reports add-in for Outlook).
- bart_vermeersch, Jun 05, 2020, Steel Contributor
BemmelenPatrick Thank you!
1. "Keep internal Exchange message headers" is enabled for the inbound and outbound connector. When checking the mail headers you can see all the hops, but the spf is not checked against the originating mail server but against an internal relay server. If all hops are retained in the mail headers, why/when is the spf not checked against the first server? Our spf is valid (although currently set to "?all").
2. That's where I see those mails. But I found it weird that we see every day at least one user submitting a false positive (not junk) in which we see SFV:BLK. When checking the blocked sender list, the sender is not present (anymore?), was the sender automatically removed from the blocked sender list because the user submitted the mail to MS as not junk?
- BemmelenPatrick, Jun 06, 2020, Iron Contributor
1. The SPF is always checked against the last IP before Office 365 receives it, so it's strange that EXO presumes it's a local IP.
Are these mails being relayed via the Exchange Server from an application or printer for instance?
Could you maybe post a result of a message trace?
2. Yes that could be the case, Microsoft checks the sender based on reputation and other specifications so if these checks pass the sender is considered safe.
What you could do of course is disable the option to submit the mails by your users, but that's something I can't decide of course 😉
- bart_vermeersch, Jun 10, 2020, Steel Contributor
BemmelenPatrick I anonymized it slightly.
What puzzles me most is the SPF fail: domain of e.linkedin.com does not designate XX.XX.71.5 as permitted sender, XX.XX.71.5 is a server of ours. Why is SPF not checked against the first IP address (199.7.202.92)?
Received: from VI1PR09MB4096.eurprd09.prod.outlook.com (2603:10a6:209:90::29)
by AM6PR09MB2792.eurprd09.prod.outlook.com with HTTPS via
AM6P194CA0016.EURP194.PROD.OUTLOOK.COM; Wed, 10 Jun 2020 13:22:02 +0000
Received: from AM6PR08CA0041.eurprd08.prod.outlook.com (2603:10a6:20b:c0::29)
by VI1PR09MB4096.eurprd09.prod.outlook.com (2603:10a6:800:121::8) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18; Wed, 10 Jun
2020 13:22:00 +0000
Received: from AM5EUR03FT028.eop-EUR03.prod.protection.outlook.com
(2603:10a6:20b:c0:cafe::95) by AM6PR08CA0041.outlook.office365.com
(2603:10a6:20b:c0::29) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.19 via Frontend
Transport; Wed, 10 Jun 2020 13:22:00 +0000
Authentication-Results: spf=fail (sender IP is XX.XX.71.5)
smtp.mailfrom=e.linkedin.com; contoso.com; dkim=pass (signature was verified)
header.d=e.linkedin.com;contoso.com; dmarc=pass action=none
header.from=e.linkedin.com;
Received-SPF: Fail (protection.outlook.com: domain of e.linkedin.com does not
designate XX.XX.71.5 as permitted sender) receiver=protection.outlook.com;
client-ip=XX.XX.71.5; helo=relay1.contoso.com;
Received: from relay1.contoso.com (XX.XX.71.5) by
AM5EUR03FT028.mail.protection.outlook.com (10.152.16.118) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3088.18 via Frontend Transport; Wed, 10 Jun 2020 13:22:00 +0000
Received: from localhost (mcheck1.contoso.com [XX.XX.71.91])
by relay1.contoso.com (Postfix) with ESMTP id 5E60E7619C
for <emmtom.toms@contoso.com>; Wed, 10 Jun 2020 15:22:00 +0200 (CEST)
X-Virus-Scanned: by Contoso DICT
X-Spam-CMAuthority: v=2.3 cv=Eda2v8uC c=1 sm=1 tr=0
Received: from relay1.contoso.com ([XX.XX.71.5])
by localhost (mcheck1.contoso.com [XX.XX.43.40]) (amavisd-new, port 10024)
with ESMTP id 9VyQz8KiaVbs for <emmtom.toms@contoso.com>;
Wed, 10 Jun 2020 15:21:59 +0200 (CEST)
Received: from omp.e.linkedin.com (omp.e.linkedin.com [199.7.202.92])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by relay1.contoso.com (Postfix) with ESMTPS id 41058761D0
for <emmtom.toms@contoso.com>; Wed, 10 Jun 2020 15:21:59 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=linkedin; d=e.linkedin.com;
h=X-CSA-Complaints:MIME-Version:Content-Type:Date:To:From:Reply-To:Subject:
List-Unsubscribe:Message-ID; i=linkedin@e.linkedin.com;
bh=VBYsNAgiDn7YaiIN9cVXM81+g80p3KHLOaF4tKbBfcQ=;
b=FlJXmEzPX/6BGfuuY5NymMAp/uUqFVJufQmDU4e33gwYsb1jE8/zTVhTQdv0ApZzsc6FVzIrTJPu
fPF0cJjRzNyPZqqNTilBCA1Rlvc2fdEaodYbvSsP/NeAOrNI3XGVvMDOFy2U/IIlKBUIpQvEaWxo
5fz57GVjlTRSuBvvCWw=
Received: by omp.e.linkedin.com id hs3f7a2lr0oo for <emmtom.toms@contoso.com>; Wed, 10 Jun 2020 06:21:57 -0700 (envelope-from <linkedin@e.linkedin.com>)
X-CSA-Complaints: whitelist-complaints@eco.de
Content-Type: multipart/mixed; boundary="----msg_border_H19D3aPqbR"
Date: Wed, 10 Jun 2020 06:21:57 -0700
To: <emmtom.toms@contoso.com>
From: =?UTF-8?B?TGlua2VkSW4=?= <linkedin@e.linkedin.com>
Reply-To: =?UTF-8?B?TGlua2VkSW4=?= <donotreply@e.linkedin.com>
Subject: Emma, thanks for being a valued member
Feedback-ID: 50563:15879535:oraclersys
List-Unsubscribe: <mailto:unsubscribe-AQpglLjHJlYQGhEEYGcKT1zfCha0Hrzc09zgRmpHl6t8EHLwjzaSzcT8eDUd3lyTbO6W@imh.rsys5.com?subject=List-Unsubscribe>, <https://e.linkedin.com/pub/optout/UnsubscribeOneStepConfirmAction?YES=true&_ri_=X0Gzc2X%3DAQpglLjHJlYQGhEEYGcKT1zfCha0Hrzc09zgRmpHl6t8EHLwjzaSzcT8eDUd3lyTbO6W&_ei_=EolaGGF4SNMvxFF7KucKuWMuOkJYEwKNUOxYzQb6sxZf7ufcsEW546pF03CPNtzUKuesnJMzUrTXG5yAh9aprvU49emotpO9HvCedfw4omkOffede0.>
X-sgxh1: LuunLLjlQnLLjlkxmnLglQIL
X-rext: 6.interact5.EoGG5EJd2Sx8oHRajXRDF0uiatAlCGaeOrQ1X2CL93KUtP2IwA4
X-cid: linkedin.3752
X-ei: Egbnz3E-LglAP044NUjD3X2Hnhqk1RQC
Require-Recipient-Valid-Since: emmtom.toms@contoso.com; Wed, 8 Apr 2020 19:18:00 -0700
Message-ID: <0.1.21F.3B0.1D63F2A1E020AEE.0@omp.e.linkedin.com>
X-Miltered: at jchkm4 with ID 5EE0DE76.000 by Joe's j-chkmail (http://helpdesk.contoso.com/email/)!
X-j-chkmail-Enveloppe: 5EE0DE76.000 from omp.e.linkedin.com/omp.e.linkedin.com/199.7.202.92/omp.e.linkedin.com/<linkedin@e.linkedin.com>
X-j-chkmail-Score: MSGID : 5EE0DE76.000 on relay1.contoso.com : j-chkmail score : . : R=. U=. O=# B=0.000 -> S=0.083
X-j-chkmail-Status: Ham
Return-Path: linkedin@e.linkedin.com
X-MS-Exchange-Organization-Network-Message-Id: ca920975-ae6a-4b67-5983-08d80d414218
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-Forefront-Antispam-Report: CIP:XX.XX.71.5;CTRY:BE;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:relay1.contoso.com;PTR:relay1.contoso.com;CAT:NONE;SFTY:;SFS:;DIR:INB;SFP:;
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource: AM5EUR03FT028.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: Contosobe.onmicrosoft.com
X-MS-Office365-Filtering-Correlation-Id: ca920975-ae6a-4b67-5983-08d80d414218
X-MS-TrafficTypeDiagnostic: VI1PR09MB4096:
X-MS-Oob-TLC-OOBClassifiers: OLM:6790;
X-MS-Exchange-Organization-SCL: -1
X-Microsoft-Antispam: BCL:1;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jun 2020 13:22:00.5392
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: ca920975-ae6a-4b67-5983-08d80d414218
X-MS-Exchange-CrossTenant-Id: d7811cde-ecef-496c-8f91-a1786241b99c
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d7811cde-ecef-496c-8f91-a1786241b99c;Ip=[XX.XX.71.5];Helo=[relay1.contoso.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR09MB4096
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.6337616
X-MS-Exchange-Processed-By-BccFoldering: 15.20.3088.011
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(750128)(520011016)(944506458)(944626604);
X-Microsoft-Antispam-Message-Info:
MIME-Version: 1.0
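As an added example (not code from the thread or from Microsoft), here is a short Python check that reads a header trail like the one above and shows why the SPF verdict names relay1 rather than LinkedIn's server: EOP evaluates SPF against the IP that connected to its edge (the CIP value in X-Forefront-Antispam-Report), and in a relay topology that is the on-premises host, not the oldest Received hop. The sample headers are a constructed, abbreviated copy of the posted trail with the anonymized relay IP replaced by the documentation address 203.0.113.5.

```python
import email
import re

# Constructed, abbreviated header trail modelled on the one posted above; the
# anonymized relay address XX.XX.71.5 is replaced by the documentation IP 203.0.113.5.
RAW = """Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=e.linkedin.com; contoso.com; dkim=pass (signature was verified)
 header.d=e.linkedin.com;contoso.com; dmarc=pass action=none
 header.from=e.linkedin.com;
Received: from relay1.contoso.com (203.0.113.5) by
 AM5EUR03FT028.mail.protection.outlook.com (10.152.16.118) with Microsoft SMTP
 Server id 15.20.3088.18 via Frontend Transport; Wed, 10 Jun 2020 13:22:00 +0000
Received: from localhost (mcheck1.contoso.com [203.0.113.91])
 by relay1.contoso.com (Postfix) with ESMTP id 5E60E7619C; Wed, 10 Jun 2020 15:22:00 +0200
Received: from omp.e.linkedin.com (omp.e.linkedin.com [199.7.202.92])
 by relay1.contoso.com (Postfix) with ESMTPS id 41058761D0; Wed, 10 Jun 2020 15:21:59 +0200
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:BE;SCL:-1;SFV:SKN;H:relay1.contoso.com;DIR:INB;
From: LinkedIn <linkedin@e.linkedin.com>

"""
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def unfold(value):
    """Join RFC 5322 folded continuation lines into a single line."""
    return " ".join(value.split())

def received_hops(msg):
    """(from_ip, by_host) for each Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.search(r"^from\s+\S+.*?[\[(]" + IPV4 + r"[\])].*?\bby\s+(\S+)", unfold(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def diagnose(raw):
    """Report which IP EOP evaluated SPF against and whether it is only the relay."""
    msg = email.message_from_string(raw)
    m = re.search(r"sender IP is " + IPV4, unfold(msg.get("Authentication-Results", "")))
    spf_ip = m.group(1) if m else None
    m = re.search(r"CIP:" + IPV4, msg.get("X-Forefront-Antispam-Report", ""))
    cip = m.group(1) if m else None
    hops = received_hops(msg)
    # EOP records the connecting IP at the hop received "by" its edge (mail.protection.outlook.com).
    entry = next((ip for ip, by in hops if by.endswith("mail.protection.outlook.com")), None)
    origin = hops[-1][0] if hops else None  # oldest Received = the first external sender
    return {"spf_ip": spf_ip, "cip": cip, "entry_ip": entry, "origin_ip": origin,
            "spf_checked_against_relay": entry is not None and entry == spf_ip and entry != origin}
```

When the check reports spf_checked_against_relay, the SPF fail is a property of the routing (mail entering EOP through the on-premises relay), so the remedy is to let EOP see the true source, which is what Microsoft's Enhanced Filtering for Connectors is for, rather than to loosen the SPF record; DKIM and DMARC still pass here because they do not depend on the connecting IP.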