Hybrid Exchange 2016 - SPF record not aligned


We have an Exchange 2016 Hybrid configuration. SPF and DKIM are set up. We use DMARC for monitoring only, not for rejecting. DKIM is 100%, but SPF is only 29%.

When SPF verification is aligned, we see our domain name. But when it is not aligned, we see an Office 365 mail server, for example eur02-am5-obe.outbound.protection.outlook.com.

Our on-premises mail servers don't deliver the messages directly to the recipients' mail servers; they are forwarded to Office 365 and then delivered to the recipients.

How can I get 100% SPF alignment when we send mail from on premises or from Office 365?

I hope someone can give me a hint where to look.
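The situation described above (DKIM at 100%, SPF aligned only part of the time, the unaligned cases showing an outbound.protection.outlook.com host) is a question of DMARC identifier alignment rather than of SPF passing or failing. The following is an added example, written for this thread and not posted by anyone in it: it evaluates aligned SPF and aligned DKIM the way a DMARC validator does (RFC 7489), on constructed authentication results. example.com stands in for the poster's domain, and the organizational-domain helper is a simplification that ignores the Public Suffix List.

```python
"""DMARC identifier alignment, worked on constructed authentication results.

Under DMARC (RFC 7489) a message passes when at least one of the following holds:
  * SPF returned "pass" and the SPF-authenticated domain (the RFC5321.MailFrom
    domain, or the HELO/EHLO domain when MAIL FROM is empty) aligns with the
    RFC5322.From domain, or
  * DKIM returned "pass" and the signing domain (the d= tag) aligns with the
    RFC5322.From domain.
Relaxed alignment (the default) requires the two domains to share an
organizational domain; strict alignment requires them to be identical.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain the recipient sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM or HELO)
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= of the verified DKIM signature, "" if unsigned


def organizational_domain(domain: str) -> str:
    """Simplification: take the last two labels as the organizational domain.
    Real validators use the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 'r' = relaxed (organizational domains match), 's' = strict (exact)."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(r: AuthResult, aspf: str = "r", adkim: str = "r") -> dict:
    """Return the per-identifier alignment verdicts and the overall DMARC result."""
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


def alignment_rates(results: list) -> tuple:
    """Percentage of messages with aligned SPF and aligned DKIM, the way an
    aggregate DMARC report summarises them."""
    verdicts = [evaluate_dmarc(r) for r in results]
    n = len(verdicts)
    spf = round(100 * sum(v["spf_aligned"] for v in verdicts) / n, 1)
    dkim = round(100 * sum(v["dkim_aligned"] for v in verdicts) / n, 1)
    return spf, dkim


# Constructed samples; example.com stands in for the poster's domain. The SPF
# domain in the second and third records is the relaying host named in the thread.
SAMPLES = [
    # 1. Delivery authenticated under the sender's own domain: both identifiers align.
    AuthResult("example.com", "pass", "example.com", "pass", "example.com"),
    # 2. Relayed through Exchange Online: SPF was evaluated against an outlook.com
    #    host, so SPF is unaligned, but the aligned DKIM signature carries DMARC.
    AuthResult("example.com", "pass", "eur02-am5-obe.outbound.protection.outlook.com",
               "pass", "example.com"),
    # 3. Same relay path, but the message was never DKIM-signed: DMARC fails.
    AuthResult("example.com", "pass", "eur02-am5-obe.outbound.protection.outlook.com",
               "none", ""),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.spf_domain, evaluate_dmarc(s))
    print("SPF aligned %.1f%%, DKIM aligned %.1f%%" % alignment_rates(SAMPLES))
```

The second sample is the pattern the report numbers point at: SPF itself passes, but for the outlook.com host rather than for the From domain, so only DKIM keeps DMARC passing. The third sample shows why a monitoring-only policy is the right place to be until every sending path (on-premises included) is DKIM-signed or SPF-aligned.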

3 Replies

@Pascal Wenders

I take it you have listed your on-premises equipment in your SPF record even though you do not plan to send directly from it, and that you have then tested the SPF record with a third party such as Dmarcian?

https://dmarcian.com/spf-survey/

If you are playing around with your DNS records directly, always test with a banked or minor domain before changing the principal records. Set your TTL as short as your provider will permit and monitor propagation with one of the global checkers as well as doing your own digs.

https://www.whatsmydns.net/

If you have to ask a third party to amend your DNS records, it might be worth asking them "what do you think?" Some will be able to help and others will cheerfully publish nonsense.

Hi @Pascal Wenders

If I understand correctly, you send email directly to the internet from your on-premises server if the sender mailbox is on-prem (the SPF check will pass), and directly to the internet from O365 if the mailbox is in the cloud (the SPF check will fail).

If this is your scenario, you have to add an include in your SPF record for spf.protection.outlook.com.
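A quick way to confirm that the include suggested above is actually present, and that the record has not grown past the 10-DNS-lookup limit of RFC 7208 (section 4.6.4) in the process: the following is an added example, not code from any poster, that parses an SPF TXT record and reports both. The two records are constructed for a placeholder example.com domain, with an RFC 5737 documentation range standing in for the on-premises servers.

```python
"""Parse an SPF TXT record and check what a hybrid Exchange Online setup needs:
  1. include:spf.protection.outlook.com is present, and
  2. the record's own lookup-causing terms stay within the RFC 7208 limit of 10.
"""
import re

# Mechanisms that cost a DNS lookup each; redirect= is a modifier that also costs one.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([+\-~?]?)([a-zA-Z0-9]+)([:=/].*)?")


def parse_spf(record: str) -> list:
    """Split a TXT record into (qualifier, mechanism, argument) triples.
    Raises ValueError if the record is not an SPF record or a term is malformed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term!r}")
        qualifier = m.group(1) or "+"          # default qualifier is "+"
        mechanism = m.group(2).lower()
        argument = (m.group(3) or "")[1:]      # drop the ':' '=' or '/' separator
        parsed.append((qualifier, mechanism, argument))
    return parsed


def count_lookups(terms: list) -> int:
    """Lookups caused by this record alone. Nested includes (spf.protection.outlook.com
    itself expands to further includes) also count against the limit at evaluation
    time, so treat this as a lower bound."""
    return sum(1 for _, mech, _ in terms if mech in LOOKUP_MECHANISMS)


def has_include(terms: list, domain: str) -> bool:
    return any(mech == "include" and arg.lower().rstrip(".") == domain.lower()
               for _, mech, arg in terms)


def check_hybrid_spf(record: str) -> dict:
    terms = parse_spf(record)
    lookups = count_lookups(terms)
    return {
        "eop_included": has_include(terms, "spf.protection.outlook.com"),
        "lookups": lookups,
        "within_limit": lookups <= 10,
        # qualifier on the "all" term: "-" hard fail, "~" soft fail, "?" neutral
        "all_qualifier": next((q for q, mech, _ in terms if mech == "all"), None),
    }


# Constructed records for a placeholder example.com domain.
ONPREM_ONLY = "v=spf1 ip4:192.0.2.0/24 mx -all"
HYBRID = "v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for name, rec in (("on-prem only", ONPREM_ONLY), ("hybrid", HYBRID)):
        print(name, check_hybrid_spf(rec))
```

Run against the real record (for example the output of `dig +short TXT example.com`, quotes stripped) rather than the constructed ones, and remember that the lookup count here covers only the top-level record; a full evaluator such as the Dmarcian survey linked earlier follows the includes too.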


@Pierfish 

No, we send everything through Office 365. The mail from our on-premises mail servers is delivered to Office 365, which then delivers it to the recipient.

Selector1 and 2 are defined, but not for the on-premises servers.

Is it then necessary to create the DKIM records also on the on-prem Exchange servers?