Exchange auto forward to external e-mail, sometimes it fails

Copper Contributor

Hi community

 

I have set up a forwarding rule on a shared mailbox, which forwards all mails to an external email address. This works i would say 95% of the time, but 5% of the times it returns an: email failed delivery notification.

I've got the message-trace below:

My guess after reviewing it, is that it is failing SPF, since the forwarded mail is forwarded through mail-servers whom are not allowed to be sending emails on the original domains behalf. Is this assumption right and how would I go about fixing it?

Ive replaced all domain names in the error message below.

 

Thank you, kind regards.

´´´

Resent-From: <email address removed for privacy reasons>

Received: from DB9PR01MB10268.eurprd01.prod.exchangelabs.com

 (2603:10a6:10:301::14) by AS4PR01MB9231.eurprd01.prod.exchangelabs.com

 (2603:10a6:20b:4ee::9) with Microsoft SMTP Server (version=TLS1_2,

 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6768.25; Wed, 6 Sep

 2023 20:12:33 +0000

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;

 b=AVvnruxlEFqpXnmGqN5uLDsCYphtpM1RPR3qvhZkIROTQ71zwsHP8FHtejFFKw+nNpSQAk9WPR2nQgtOyQ2P8z/jb55LP7L2g7sp4yxmb7mg4Te7xqqJQ/7oKdCbccwUN1maZCmcyCDDcq2atOSUcGRmxi25nnGQwDIY756gc2xwJvy+Pjvm0pAVP5b7jjewDotu2NHOGoyH3/O/3DctWVShuR2wRwh57gL/qzDHi5kk/PL6ECVAUD1ils/ZuEqpWaEOIfDZY71vLDDeYBUi6Fg+M+o1/Ha4fqLnVYm7YvJLgt8NWLaQ/bsCjP8heX86Re1tRzwFtvYNp2Ogi4sQIw==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

 s=arcselector9901;

 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

 bh=gvpa9KZ3WSnps3qzoO5lksOOBe3sGT3HuIPJ1ftksYs=;

 b=EKw5wnK0L3EvAjXgY6I2/YOIjf+5YsrZHrVisoGnhdCvNqe+MQVC9sjxWjfI2lMhpOQj0ep5He56ZuAsyez8eIsOC94WWG0ou6aInj5Q0tk5B4dQIEPqckE5MDd9+S1jkHWsZevfTeWkc8CmY/FZRHXPCWVu4WL2WV3JIQD1H3G2X6i8Z9RB4vmRhsdODP4n/803orKnIRNhwt21mrKbS0EWoDiBNaznLFd+gWMp3PSO9/ZsKYk5s+UbVlkz/1EAMbvKpEjlt1Yl87iijqiiHjfcLGN6NBSQm31T6YcE3Ro/ALD4mLq6a+Nhv/rOITa82tDHPvwULY9o1v85jrX7HQ==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is

 20.50.183.144) smtp.rcpttodomain=example.com smtp.mailfrom=example.com; dmarc=fail

 (p=quarantine sp=quarantine pct=100) action=quarantine header.from=example.com;

 dkim=none (message not signed); arc=none (0)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

 d=example.onmicrosoft.com; s=selector2-example-onmicrosoft-com;

 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

 bh=gvpa9KZ3WSnps3qzoO5lksOOBe3sGT3HuIPJ1ftksYs=;

 b=S9qS6nEl3NEkfv8FZQQLgUHl1uDHtF42tgcMMKzEcZ4JT0LjT7efeTiHAvUejp2+kwm0mdAPd0AAniAfD5aWuJhsmOKS2bYWR4fh3VyzcMAyiwxEc45Af4gi4qxLDZMhslUroEJed277/rgjJKWAtuPhPjzRvJ7h3mTUVAMFWcM=

Resent-From: < email address removed for privacy reasons >

Received: from AS9PR06CA0757.eurprd06.prod.outlook.com (2603:10a6:20b:484::10)

 by DB9PR01MB10268.eurprd01.prod.exchangelabs.com (2603:10a6:10:301::14) with

 Microsoft SMTP Server (version=TLS1_2,

 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.16; Wed, 6 Sep

 2023 08:05:04 +0000

Received: from AM2PEPF0001C70B.eurprd05.prod.outlook.com

 (2603:10a6:20b:484:cafe::b7) by AS9PR06CA0757.outlook.office365.com

 (2603:10a6:20b:484::10) with Microsoft SMTP Server (version=TLS1_2,

 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.34 via Frontend

 Transport; Wed, 6 Sep 2023 08:05:04 +0000

Authentication-Results: spf=fail (sender IP is 20.50.183.144)

 smtp.mailfrom=example.com; dkim=none (message not signed)

 header.d=none;dmarc=fail action=quarantine header.from=example.com;

Received-SPF: Fail (protection.outlook.com: domain of example.com does not

 designate 20.50.183.144 as permitted sender) receiver=protection.outlook.com;

 client-ip=20.50.183.144; helo=eu-esec-02.heimdalsecurity.com;

Received: from eu-esec-02.heimdalsecurity.com (20.50.183.144) by

 AM2PEPF0001C70B.mail.protection.outlook.com (10.167.16.199) with Microsoft

 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id

 15.20.6768.25 via Frontend Transport; Wed, 6 Sep 2023 08:05:04 +0000

Authentication-Results-Original: halon-node2.esf-we-priv.heimdalsecurity.com;

   dmarc=pass header.from=example.com;   spf=pass smtp.mailfrom=example.com

 smtp.remote-ip=205.220.185.240;

X-HeimdalSecurity-TLS-Received: TLSv1.2 with cipher

 ECDHE-RSA-AES256-GCM-SHA384 (256 bits)

Received: from mx08-00348201.pphosted.com (unknown [205.220.185.240]) by

 halon-node2.esf-we-priv.heimdalsecurity.com with TLSv1.2 with cipher

 ECDHE-RSA-AES256-GCM-SHA384 (256 bits); Wed, 06 Sep 2023 08:04:16 +0000 (UTC)

X-HeimdalSecurity-ILT: 1693987456.639755

X-HeimdalSecurity-ID: f99321a1-4c8b-11ee-bb0e-000d3aac3d93-node2.esf-we

Received: from pps.filterd (m0281615.ppops.net [127.0.0.1])

        by mx08-00348201.pphosted.com (8.17.1.22/8.17.1.22) with ESMTP id 3866UPev004006

        for < email address removed for privacy reasons >; Wed, 6 Sep 2023 08:04:15 GMT

Received: from gbahes518.example.example.com ([164.39.122.169])

        by mx08-00348201.pphosted.com (PPS) with ESMTP id 3sutc9j38q-13

        for < email address removed for privacy reasons >; Wed, 06 Sep 2023 08:04:15 +0000 (GMT)

Received: from GBAHES984 ([164.39.11.240])

          by gbahes518. example.example.com(IBM Domino Release 9.0.1FP10 HF66)

          with ESMTP id 2023090609041469-380942 ;

          Wed, 6 Sep 2023 09:04:14 +0100

MIME-Version: 1.0

From: eInvoicing < email address removed for privacy reasons >

To: email address removed for privacy reasons

Date: 6 Sep 2023 09:04:15 +0100

Subject: companyName - eInvoicing faktura

X-MIMETrack: Itemize by SMTP Server on GBAHES518/CORP/TPG(Release 9.0.1FP10 HF66|February

 09, 2018) at 09/06/2023 09:04:14 AM,

        Serialize by Router on GBAHES518/CORP/TPG(Release 9.0.1FP10 HF66|February

 09, 2018) at 09/06/2023 09:04:15 AM

Message-ID: <email address removed for privacy reasons>

Content-Type: multipart/mixed;

 boundary=--boundary_272156_338a8692-8db1-492d-9312-1ae69dffd4c4

X-Proofpoint-ORIG-GUID: n3cNTezMENHC2MNiZDRjhUD6otzLjr3k

X-Proofpoint-GUID: n3cNTezMENHC2MNiZDRjhUD6otzLjr3k

Return-Path: email address removed for privacy reasons

X-EOPAttributedMessage: 0

X-EOPTenantAttributedMessage: bf9f94cb-621c-4c1d-8b78-103b6e6749f9:0

X-MS-PublicTrafficType: Email

X-MS-TrafficTypeDiagnostic:

        AM2PEPF0001C70B:EE_|DB9PR01MB10268:EE_|AS4PR01MB9231:EE_

X-MS-Office365-Filtering-Correlation-Id: 99026772-6da4-4dd1-2915-08dbaeaffa59

X-LD-Processed: bf9f94cb-621c-4c1d-8b78-103b6e6749f9,ExtFwd,ExtFwd

X-MS-Exchange-SenderADCheck: 2

X-MS-Exchange-AntiSpam-Relay: 1

X-Microsoft-Antispam: BCL:0;

X-Microsoft-Antispam-Message-Info: rJf+tthE0krKr6MgUDVYZfLnSLNByjrfDTdf9KPa6FuhtQml7Si8bbG3fxIl/+GkTI0wi3UbcOox5FOmCAcrV8i2wzH/SY60dSXT/pUp9MLrR30ZDBBZRkCTriAjjdo49aKQQS5r/kTQG3dyYg/mZbYT7j/BGsGshK0dqERjA+KtMIdBmhi8coAwmzMd4qNij/rP97JjHFCZwzgnQpLwrxJ0yx982oxSOEAJ/KeaX/9GRkfXe1qSJ82ob5v8FZzLPQm5t2yThfLq0t9xgvmm3GQSIBUxibzZuZcZgJht3XmS8TWJgjqxXUd6kW1wWmx4gJbWBSoL5wN/sONzFyXDRPcb4i+YAOpAcR54bRuNxWxdL5grBBm+ni4TqZBrGHRYCDWYW+Spt8WZl2ewHMCeCMicpGsBl13H274/QOuGNQJi0Zp9S11yTqJfMn0xS9OuVDsHwLj2nQxZH9rnkof7Fy2D9KcS1pS0rEr8WXPdKH8DKQJIUyjlcVFN0aVah9Fyf9ikdAKF0atUIG4W7Rx2A1goWoSAknJgJGME8EJR1IOCi9Y4fxExp8lLA2I+tEDO2yoH0cvnm/b8Ohs2Di3OKvIQx4uoT+9VPk58OlHd6cnVIM0hAMFUGowGJJJOL2vyBET8bxozGn8/rR8KzFa09g==

X-Forefront-Antispam-Report: CIP:20.50.183.144;CTRY:NL;LANG:da;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:eu-esec-02.heimdalsecurity.com;PTR:eu-esec-01.heimdalsecurity.com;CAT:NONE;SFS:(13230031)(39840400004)(136003)(346002)(396003)(376002)(61400799006)(451199024)(48200799006)(356005)(336012)(498600001)(10310500001)(7636003)(966005)(83380400001)(15974865002)(86362001)(66574015)(10290500003)(956004)(2616005)(26005)(33964004)(68406010)(316002)(70586007)(36756003)(33656002)(2906002)(5660300002)(34206002)(8676002)(17046004);DIR:OUT;SFP:1022;

X-MS-Exchange-ForwardingLoop: email address removed for privacy reasons;bf9f94cb-621c-4c1d-8b78-103b6e6749f9

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Sep 2023 08:05:04.4620

 (UTC)

X-MS-Exchange-CrossTenant-Network-Message-Id: 99026772-6da4-4dd1-2915-08dbaeaffa59

X-MS-Exchange-CrossTenant-Id: bf9f94cb-621c-4c1d-8b78-103b6e6749f9

X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C70B.eurprd05.prod.outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-FromEntityHeader: Internet

X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR01MB10268

X-MS-Exchange-ForwardingLoop:

        email address removed for privacy reasons;bf9f94cb-621c-4c1d-8b78-103b6e6749f9

X-OriginatorOrg: example.com

´´´

 

4 Replies

Hi @Kasperk1180 - Would you be able to share the NDR message you received by redacting the PII info?

 

Regards

Dhruva

@Dhruva_Kudva 

 

Hi

 

Thanks for the reply!

Just to be sure, you want the full "Not Delivered Response" with the PII removed, of course.

 

Kind regards

Non Delivered Report*
Yes, that's correct.