Exchange Online Protection SPF record

%3CLINGO-SUB%20id%3D%22lingo-sub-1358371%22%20slang%3D%22en-US%22%3EExchange%20Online%20Protection%20SPF%20record%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358371%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20I%20have%20received%20a%20message%20sent%20via%20Exchange%20Online%20host%20IPv6%20%222603%3A10a6%3A20b%3Ac0%3A%3A31%22.%20The%20message%20was%20marked%20as%20spam%20because%20of%20SPF%20fail.%20Subnet%20%22%3CFONT%3E2603%3A10a6%3A20b%3Ac0%3A%3A%2F64%3C%2FFONT%3E%22%20is%20not%20in%20the%20list%20of%20O365%20servers%20Microsoft%20provides%3A%26nbsp%3B%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fenterprise%2Furls-and-ip-address-ranges%23exchange-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fenterprise%2Furls-and-ip-address-ranges%23exchange-online%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3EI%20see%20this%20type%20of%20thing%20happening%20quite%20often%2C%20both%20with%20IPv4%20and%20IPv6%20hosts%20in%20Exchange%20Online%20%2C%20with%20messages%20sent%20by%20legit%20senders%20via%20Exchange%20Online.%20What%20would%20be%20the%20right%20procedure%20to%20deal%20with%20this%3F%20more%20than%20registering%20a%20case%20in%20O365%20admin%20portal..%20Thanks%2C%20Ruslan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1358371%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358631%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Online%20Protection%20SPF%20record%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358631%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F366140%22%20target%3D%22_blank%22%3E%40RNalivaika%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20think%20these%20messages%20are%20being%20sent%20by%20legit%20Exchange%20Online%20senders%2C%20then%20I%20would%20say%20it%20is%20the%20senders%20responsibility%20to%20check%20and%20modify%20their%20SPF%20records%20accordingly%20to%20ensure%20all%20legitimate%20entries%20are%20included.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1360504%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Online%20Protection%20SPF%20record%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1360504%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3Esender's%20SPF%20is%20OK%3C%2FP%3E%3CP%3E%22v%3Dspf1%20include%3Aspf.protection.outlook.com%20-all%22%3C%2FP%3E%3CP%3Ebut%20the%20IP%20of%20the%20exchange%20online%20transport%20server%20used%20was%20not%20in%20the%20list%20of%20host%20in%20spf.protection.outlook.com%20%2C%20message%20header%20states%20%22protection.outlook.com%20does%20not%20designate%20'%3CEM%3Esample%20ip%20here%3C%2FEM%3E'%20as%20permitted%20sender%22.%20BR%2C%20Ruslan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2050032%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Online%20Protection%20SPF%20record%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2050032%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F366140%22%20target%3D%22_blank%22%3E%40RNalivaika%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20facing%20the%20same%20issue%20in%20certain%20circumstances.%20Did%20you%20happen%20to%20find%20a%20solution%20for%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2064769%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Online%20Protection%20SPF%20record%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2064769%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F651226%22%20target%3D%22_blank%22%3E%40Patrick_Tippner%3C%2FA%3E%26nbsp%3Bno%2C%20sadly%2C%20i%20have%20not%20found%20any%20solution%20or%20explanation%20to%20this..%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093519%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Online%20Protection%20SPF%20record%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093519%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F366140%22%20target%3D%22_blank%22%3E%40RNalivaika%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EI%20have%20the%20same%20issue.%20Last%20problematic%20mail%20was%20sent%20from%26nbsp%3B%3CSPAN%3E2603%3A10a6%3A20b%3A1ec%3A%3A22%2C%20that%20is%20not%20included%20in%26nbsp%3Bspf.protection.outlook.com%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093522%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Online%20Protection%20SPF%20record%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093522%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291351%22%20target%3D%22_blank%22%3E%40error404%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F366140%22%20target%3D%22_blank%22%3E%40RNalivaika%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EDid%20you%20happen%20to%20move%20your%20core%20customer%20data%20to%20another%20geolocation%20lately%3F%20I%20believe%20that%20this%20might%20be%20related%20...%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fde-de%2Fmicrosoft-365%2Fenterprise%2Frequest-your-data-move%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAnfordern%20der%20Datenverschiebung%20-%20Microsoft%20365%20Enterprise%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2094278%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Online%20Protection%20SPF%20record%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2094278%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F651226%22%20target%3D%22_blank%22%3E%40Patrick_Tippner%3C%2FA%3E%26nbsp%3BLooks%20like%20that%20is%20not%20related.%3C%2FP%3E%3CP%3EI%20am%20using%20as%20SPF%20include%3Aspf.protection.outlook.com%2C%20most%20of%20e-mails%20go%20with%20corrct%20ip%20adresses%2C%20but%20few%20are%20using%20incorrect%20ones.%3C%2FP%3E%3CP%3EAnother%20one%20record%20i%20found%20is%26nbsp%3Bspf.protection.outlook.de%20that%20is%20related%20only%20to%20Germany%2C%20but%20our%20tenant%20have%20nothing%20to%20do%20with%20Gernany%2C%20also%20those%20few%20e-mails%20are%20never%20sent%20from%20those%20IPs.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2097697%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Online%20Protection%20SPF%20record%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2097697%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F651226%22%20target%3D%22_blank%22%3E%40Patrick_Tippner%3C%2FA%3E%26nbsp%3BYes%2C%20we%20did%20request%20geo%20move%20for%20the%20tenant%20in%20question.%20That%20might%20be%20related%2C%20but%20I%20don't%20think%20we%20have%20any%20way%20to%20test%20and%20confirm%20it.%20R-%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi, I have received a message sent via Exchange Online host IPv6 "2603:10a6:20b:c0::31". The message was marked as spam because of SPF fail. Subnet "2603:10a6:20b:c0::/64" is not in the list of O365 servers Microsoft provides: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#exchange-online

I see this type of thing happening quite often, both with IPv4 and IPv6 hosts in Exchange Online , with messages sent by legit senders via Exchange Online. What would be the right procedure to deal with this? more than registering a case in O365 admin portal.. Thanks, Ruslan

8 Replies

@RNalivaika 

 

If you think these messages are being sent by legit Exchange Online senders, then I would say it is the senders responsibility to check and modify their SPF records accordingly to ensure all legitimate entries are included.

@PeterRisingsender's SPF is OK

"v=spf1 include:spf.protection.outlook.com -all"

but the IP of the exchange online transport server used was not in the list of host in spf.protection.outlook.com , message header states "protection.outlook.com does not designate 'sample ip here' as permitted sender". BR, Ruslan

@RNalivaika 

I'm facing the same issue in certain circumstances. Did you happen to find a solution for this?

@Patrick_Tippner no, sadly, i have not found any solution or explanation to this..

@RNalivaika 
I have the same issue. Last problematic mail was sent from 2603:10a6:20b:1ec::22, that is not included in spf.protection.outlook.com

@error404 @RNalivaika @PeterRising 

Did you happen to move your core customer data to another geolocation lately? I believe that this might be related ...


Anfordern der Datenverschiebung - Microsoft 365 Enterprise | Microsoft Docs

@Patrick_Tippner Looks like that is not related.

I am using as SPF include:spf.protection.outlook.com, most of e-mails go with corrct ip adresses, but few are using incorrect ones.

Another one record i found is spf.protection.outlook.de that is related only to Germany, but our tenant have nothing to do with Gernany, also those few e-mails are never sent from those IPs.

@Patrick_Tippner Yes, we did request geo move for the tenant in question. That might be related, but I don't think we have any way to test and confirm it. R-