Enabled Enhanced Filtering, but EOP still uses my on-prem IP as the source when checking SPF


Last week, I enabled the Enhanced Filtering option in the Security Center, giving it 2 IP addresses that are the public addresses of my on-prem Exchange server and spam filter. My understanding is that it should ignore those IPs when determining the source of external mail, and use the next external hop up the chain as the source for mail filtering purposes.

When I send a test message from an external address, I do see the header added by Enhanced Filtering, indicating that it detected the real source server:

X-MS-Exchange-SkipListedInternetSender: ip=[209.85.166.170];domain=mail-il1-f170.google.com

But the header showing the SPF check shows a failure, because it's using my on-prem IP instead of the IP listed in that SkipListedInternetSender header:

Received-SPF: Fail (protection.outlook.com: domain of OTHERDOMAIN.XYZ does not designate MYON.PREM.SERVER.IP as permitted sender)

Has anyone else here enabled Enhanced Filtering successfully? Does EOP use the skiplist sender as the source IP for DKIM and SPF checks for you?

What would cause the behavior I'm seeing?

1 Reply
With the help of support, we finally figured out what the problem was.

The enhanced filtering policy can be applied to specific users, or to the entire organization. The UI recommends starting with a small group of users first. I had entered the names of a handful of users here as a test group. The trouble is, when the message passes through our on-prem Exchange, it looks at the recipient's account and sends the email on to the cloud addressed to their remote routing address instead of their email address. When EOP looks at the messages, it's checking that remote routing address (e.g. username@domain.mail.onmicrosoft.com) against the list of users to apply enhanced filtering to, not finding a match, and thus enhanced filtering is not applied.

The solution is to enter the remote routing address of each user in the exchange filtering policy instead of their name or email address. Even though the UI does appear to look up the user name from an email address entered, enhanced filtering doesn't check against all of that user's addresses to determine whether the policy applies.

It's funny that this oddity only applies when in a testing configuration.  Had I configured the policy to apply to the entire organization, this would have never occurred.  Now that the solution has been applied and enhanced filtering is working as expected, I'll go ahead and enable it for the entire org and this weird behavior won't be relevant anymore.
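
A header check for the symptom described in this thread, added here as an example and not part of the original posts: it compares the IP that `Received-SPF` evaluated with the configured skip list and with the IP in `X-MS-Exchange-SkipListedInternetSender`. The function name, the `203.0.113.x` addresses and the sample headers are constructed for illustration, and the `Received-SPF` pattern assumes the comment format quoted in the question.

```python
import ipaddress
import re
from email import message_from_string

SKIP_HDR = "X-MS-Exchange-SkipListedInternetSender"

# Constructed sample: the symptom from the question, with a documentation-range
# address (203.0.113.10) standing in for the on-prem server, and a folded header.
SAMPLE_BROKEN = (
    "Received-SPF: Fail (protection.outlook.com: domain of otherdomain.example\n"
    " does not designate 203.0.113.10 as permitted sender)\n"
    "X-MS-Exchange-SkipListedInternetSender: ip=[209.85.166.170];"
    "domain=mail-il1-f170.google.com\n\n"
)

def _ip(text):
    """Parse an IP literal; return None for anything else (e.g. a redacted value)."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def check_enhanced_filtering(raw_headers, skip_ips):
    """Classify one message: did SPF evaluate the real sender or a skip-listed hop?"""
    msg = message_from_string(raw_headers)
    skip = {ipaddress.ip_address(i) for i in skip_ips}
    m = re.search(r"ip=\[([^\]]+)\]", msg.get(SKIP_HDR, ""))
    detected = _ip(m.group(1)) if m else None
    # Comment format as quoted in the post: "... designate(s) <ip> as permitted sender"
    m = re.search(r"designates?\s+(\S+)\s+as permitted sender",
                  msg.get("Received-SPF", ""))
    evaluated = _ip(m.group(1)) if m else None
    if evaluated is None:
        verdict = "inconclusive"   # header missing or IP not parseable
    elif evaluated in skip:
        verdict = "not-applied"    # SPF ran against our own hop: check policy scope
    elif detected is not None and evaluated == detected:
        verdict = "applied"        # SPF ran against the detected external sender
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "detected": detected, "spf_evaluated": evaluated}

if __name__ == "__main__":
    print(check_enhanced_filtering(SAMPLE_BROKEN, ["203.0.113.10", "203.0.113.11"]))
```

A `not-applied` verdict on a message to a test-group user is the cue to compare the policy's user list with the address the message was actually delivered to, which in the case above was the remote routing address.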