office 365 mail SPF Fail but still delivered
Hello,
Today I received mail from my organization. I checked the headers and saw that SPF failed:
Received-SPF: Fail (protection.outlook.com: domain of mydomain.com does not
designate 67.220.184.98 as permitted sender) receiver=protection.outlook.com;
Why are SPF-failed mails received normally?
I checked SPF at MXToolbox and SPF is correctly configured.
7 Replies
- FlatRuler, Copper Contributor
Thanks to Geno_C7 for posting a rule solution for this Microsoft Exchange (ME) security hole. Here it is August of 2025 and it's still plaguing some of us. In our case, Microsoft thinks it's a clever trick to bypass the outbound Exchange mail connector protocols when the spoofing domain is also hosted on ME. SPF=FAIL? Ignored! The fact that the message's Received-SPF says that our domain does not designate the spoofing domain as an allowed sender? Ignored! 🤔 So, for those other Exchange Admin Center admins suffering, unable to stop these spoofed messages, here is the Mail Flow rule that we adapted from Geno_C7's for 2025.
Apply this rule if: the message headers... row begins with Received-SPF. If that row contains '%our domain% does not designate', then prepend the subject line with 'Mail Spoof ==> (SPF=FAIL): ', where %our domain% is our domain name (Contoso.com, for instance) as shown in the message header. The prepended subject line gives ample warning to the intended e-mail recipient to be wary that the message was malicious.
SPF is just one of the measures for email security; you may consider DKIM and DMARC together with it:
Set up SPF to help prevent spoofing - Office 365 | Microsoft Learn
- RNalivaika, Iron Contributor
tsula, firstly, this mostly depends on the spam filtering policy you have configured. Secondly, if your user has the sender's address added to their safe senders list, or the sender address is in contacts and contacts are trusted, the message would skip spam filtering and be delivered to the inbox.
If you provided a sample message header, we might be able to tell you more.
- davyvaessen, Copper Contributor
Microsoft please explain how this is designed behavior in this day and age?
Sorry, but this is unacceptable!
RNalivaika This is defunct out of the box! The default HAS to be secure and currently it is NOT.
- Tobse_, Copper Contributor
"Security by design" 🙂
- Geno_C7, Copper Contributor
tsula, I solved the problem by creating two Transport Rules. The first one reads the "Received-SPF" line in the header information and if it says "SPF=Fail" it sends the message to quarantine. The second one reads the "Authentication-Results" line in the header information and if it says "Fail" it sends the email to quarantine. Hope this helps.
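The two rules described in this thread (FlatRuler's subject-tagging rule and Geno_C7's quarantine rules) expressed as Exchange Online PowerShell, as an added example from the editor, not code posted by either contributor. It assumes an Exchange Online PowerShell session already opened with Connect-ExchangeOnline, and uses contoso.com as a placeholder for your own domain. The rule names, priorities and comment text are the editor's choices; the header condition strings come from the posts above, and the Authentication-Results pattern follows the `spf=fail` token format that Microsoft 365 stamps in that header.

```powershell
# Added example (editor's own, not from the original posts).
# Assumes: Connect-ExchangeOnline has been run, and $domain is YOUR accepted
# domain as it appears in the Received-SPF header stamped by protection.outlook.com.
$domain = "contoso.com"   # placeholder; substitute your domain

# Rule 1: FlatRuler's variant. Tag the subject so recipients are warned.
# HeaderContainsWords is a case-insensitive substring match on the named header,
# so "contoso.com does not designate" matches the header quoted in the question.
New-TransportRule -Name "Tag SPF fail for $domain" `
    -Priority 0 `
    -HeaderContainsMessageHeader "Received-SPF" `
    -HeaderContainsWords "$domain does not designate" `
    -PrependSubject "Mail Spoof ==> (SPF=FAIL): " `
    -Comments "Editor's example: subject tag for hard SPF fail on our own domain."

# Rule 2: Geno_C7's quarantine variant, tightened so it only fires on a hard
# fail for OUR domain. The Received-SPF value begins with the result token
# (Fail, SoftFail, None, Pass, ...), so the regex is anchored at the start.
New-TransportRule -Name "Quarantine SPF fail for $domain" `
    -Priority 1 `
    -HeaderMatchesMessageHeader "Received-SPF" `
    -HeaderMatchesPatterns "^Fail\b.*$domain does not designate" `
    -Quarantine $true `
    -Comments "Editor's example: quarantine hard SPF fail on our own domain."

# Rule 3: Geno_C7's second rule, keyed on Authentication-Results. Match the
# spf=fail token rather than the bare word "fail" so that dkim=fail on an
# otherwise legitimate message, or "fail" inside a comment, does not trigger it.
New-TransportRule -Name "Quarantine Authentication-Results spf=fail" `
    -Priority 2 `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns "(^|;)\s*spf=fail\b" `
    -Quarantine $true `
    -Comments "Editor's example: quarantine on spf=fail in Authentication-Results."

# Verify what was created and confirm the conditions before trusting it.
Get-TransportRule |
    Where-Object { $_.Name -like "*SPF fail*" -or $_.Name -like "*spf=fail*" } |
    Format-List Name, Priority, State, HeaderContainsMessageHeader, HeaderContainsWords,
                HeaderMatchesMessageHeader, HeaderMatchesPatterns, PrependSubject, Quarantine
```

Two practical checks before leaving these rules enabled: run the message trace for a few days and confirm that only spoofed mail hits the quarantine rules, since any legitimate third party that sends as your domain from an IP you forgot to list in your SPF record will now be quarantined rather than merely junked; and publish a DMARC policy for the domain as well, because the rules above only cover mail that reaches Exchange Online Protection, while DMARC lets every receiver reject it.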
Failing SPF will not cause Office 365 to drop a message; at best it will mark it as Junk, but even that won't happen in all scenarios.