My company has a project migrating an organization's mail hosting from Zimbra to Office 365. We added and verified their domain in their Office 365 tenant. We have AD Connect syncing the AD users to Office 365. We set up connectors to forward mail from Office 365 users that have migrated to Office 365, and users that have not been migrated are routed back to their on-site Zimbra server using a group-based routing connector. Everything was working just fine until this week, when customers of our client, whose mail, by the way, is also hosted by Office 365 in their own tenant, started having mail coming from the Zimbra server users go directly to their junk folder. Mail from Zimbra is going out directly to their customers' Office 365 server. We have not even begun to move users off of their Zimbra yet. Inbound mail is still being delivered to the Zimbra server, as well as outbound. The SPF records are still set for their Zimbra server, and we have tried both with and without the SPF include record for Office 365, without resolution. This didn't begin immediately when we added the domain to their tenant (the messages going to the junk folder of their customers' Office 365 mailboxes, that is), which again didn't start until almost 2 weeks after the fact.
I found a solution to this issue, if anyone is interested. The customer's IT department had the SPF record originally using the ip4 type with the IP of the on-site Zimbra server when we started this project. At some point after we had concluded our testing of migrating mailboxes from Zimbra to Office 365, they had changed their SPF record to use the mx type only. We had found information that certain libraries will fail the SPF check when the mx type alone is relied on, and that was the behavior we observed after having set up an entire testing environment with a Zimbra server and an Office 365 tenant that both had the host domain set up, and recreated the issue with messages going to spam from the Zimbra server. We tested all the iterations of the SPF record we could think of, and that's when we found and verified that Exchange Online Protection would send mail to the junk folder if the mx type was the sole type used. We observed that when using the ip4 type for the SPF record to have both the Zimbra and Office 365 tenant, with its required include type, that the legitimate mail sent to other Office 365 users was going directly to junk mail.
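A small offline lint for the SPF change described in this thread, added here as an example and not taken from the poster: it parses a record, reports when `mx` is the only authorizing mechanism, and checks whether a known sending IP is listed explicitly by `ip4`/`ip6`. The IP address and both records are constructed samples, the function names are hypothetical, and `spf.protection.outlook.com` is assumed to be the Office 365 include the poster refers to.

```python
import ipaddress

# Terms that trigger DNS queries during evaluation; RFC 7208 section 4.6.4
# caps these at 10 per check.
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

def parse_spf(record):
    """Return a list of (qualifier, name, value) for each term after v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        sep = "=" if "=" in term.split(":")[0] else ":"  # modifier vs mechanism
        name, _, value = term.partition(sep)
        parsed.append((qualifier, name.split("/")[0].lower(), value))
    return parsed

def review_spf(record, sender_ip):
    """Lint a record against one known sending IP (no DNS is queried)."""
    terms = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    passing = [(n, v) for q, n, v in terms if q == "+" and n != "all"]
    explicit = any(
        n in ("ip4", "ip6") and ip in ipaddress.ip_network(v, strict=False)
        for n, v in passing
    )
    findings = []
    if {n for n, _ in passing} == {"mx"}:
        findings.append("mx-only: authorization depends entirely on MX resolution")
    if not explicit:
        findings.append("sender %s is not listed by an ip4/ip6 mechanism" % ip)
    lookups = sum(1 for _, n, _ in terms if n in DNS_TERMS)
    if lookups > 10:
        findings.append("more than 10 DNS-querying terms (RFC 7208 limit)")
    return {"explicit_ip_match": explicit, "dns_terms": lookups, "findings": findings}

# Constructed sample data: documentation IP and records modelled on the thread.
ZIMBRA_IP = "203.0.113.10"
MX_ONLY = "v=spf1 mx ~all"
IP4_PLUS_O365 = "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all"

if __name__ == "__main__":
    for rec in (MX_ONLY, IP4_PLUS_O365):
        print(rec, "->", review_spf(rec, ZIMBRA_IP))
```

Running the lint against the published TXT record before and after any DNS change makes a switch from `ip4` to `mx` visible as soon as it is made.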