Forum Discussion

Copper Contributor

Aug 26, 2025

SPF, DKIM and DMARC bypassed for guest users

I manage a small non-profit using Microsoft 365 Business Basic. Most of the people on our board of directors are added as unlicensed guest users so that they can participate in Teams chats and meetin...

exchange

Guest users

microsoft 365

microsoft 365 admin center

microsoft 365 defender

outlook

VasilMichev

MVP

Aug 26, 2025

Can you share an example NDR/headers?

Guest users do have a matching recipient object (Mail user/Guest mail user) within Exchange Online and so messages will be "resolved" to it first, then send to where the ExternalEmailAddress points at. This however should not result in bypassing SPF and such, unless you have some fancy routing configured, or the message passes through multiple other MTAs before reaching the recipient.

David_Goll

Copper Contributor

Aug 27, 2025

You are correct. I jumped to the wrong conclusion when I thought I saw a pattern. I tried it again with my personal gmail account added as a guest user, and those emails go through. That said, I still have the problem with other gmail addresses bouncing.

The NDR headers:

And here are headers from a message sent to both my test guest user and one of the problematic guest users. The delivery to the former has since bounced.

Any ideas for next steps?