Exchange Online Protection SPF record


Hi, I have received a message sent via Exchange Online host IPv6 "2603:10a6:20b:c0::31". The message was marked as spam because of SPF fail. Subnet "2603:10a6:20b:c0::/64" is not in the list of O365 servers Microsoft provides: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#exchange-online

I see this type of thing happening quite often, both with IPv4 and IPv6 hosts in Exchange Online, with messages sent by legit senders via Exchange Online. What would be the right procedure to deal with this, more than registering a case in the O365 admin portal? Thanks, Ruslan

2 Replies

@RNalivaika

If you think these messages are being sent by legit Exchange Online senders, then I would say it is the sender's responsibility to check and modify their SPF records accordingly to ensure all legitimate entries are included.


@PeterRising sender's SPF is OK

"v=spf1 include:spf.protection.outlook.com -all"

but the IP of the Exchange Online transport server used was not in the list of hosts in spf.protection.outlook.com; the message header states "protection.outlook.com does not designate 'sample ip here' as permitted sender". BR, Ruslan
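
Added example (not part of the thread and not any poster's code): a minimal Python evaluator that follows `include:` chains and tests a connecting IP against `ip4`/`ip6` mechanisms, which is how a receiver arrives at "does not designate ... as permitted sender". The domains and TXT records in `SAMPLE_TXT` are constructed placeholders and do not reflect the real contents of spf.protection.outlook.com; only the IPv6 address in the usage comment comes from the post.

```python
import ipaddress

# Constructed sample TXT records (not real DNS data). Pass your own `lookup`
# callable that returns the live TXT record to test what a receiver would see.
SAMPLE_TXT = {
    "sender.example": "v=spf1 include:spf.provider.example -all",
    "spf.provider.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 -all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, lookup=SAMPLE_TXT.get, depth=0):
    """Evaluate the ip4/ip6/include/all terms of domain's SPF record for ip."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return RESULTS[qualifier]
        elif name == "include":
            inner = check_spf(ip, value, lookup, depth + 1)
            if inner == "pass":  # only an inner "pass" makes include match
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        # a, mx, exists, ptr and modifiers are not evaluated in this sketch
    return "neutral"


if __name__ == "__main__":
    # The address from the post, checked against the constructed records.
    print(check_spf("2603:10a6:20b:c0::31", "sender.example"))
```

Comparing the verdict for the address in the `Received` header against the live record at the time of delivery shows whether the range was missing from the provider's SPF record or the receiver evaluated a stale copy.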