@BemmelenPatrick Thank you!

 

1. "Keep internal Exchange message headers" is enabled for the inbound and outbound connector. When checking the mail headers you can see all the hops, but the spf is not checked against the originating mail server but against an internal relay server. If all hops are retained in the mail headers, why/when is the spf not checked against the first server? Our spf is valid (although currently set to "?all").

 

2. That's were I see those mails. But I found it weird that we see every day at least one user submitting a false positive (not junk) in which we see SFV:BLK . When checking the blocked sender list, the sender is not present (anymore?), was the sender automatically removed from the blocked sender list because the user submitted the mail to MS as not junk? 

 

 

1. The SPF is always checked against the last IP before Office365 receives it so it's strange that EXO presumes it's a local IP.
Are these mails being relayed via the Exchange Server from an application or printer for instance?
Could you maybe post a result of a message trace?

2. Yes that could be the case, Microsoft checks the sender based on reputation and other specifications so if these checks pass the sender is considered safe.
What you could do of course is disable the option to submit the mails by your users but that's something I can't decide of course ;)

@BemmelenPatrick I anonymized it slightly

 

What puzzles me most is the spf fail: domain of e.linkedin.com does not designate XX.XX.71.5 as permitted sender, XX.XX.71.5 is a server of ours. Why is spf not checked against the first IP address (199.7.202.92)

 

Received: from VI1PR09MB4096.eurprd09.prod.outlook.com (2603:10a6:209:90::29)
by AM6PR09MB2792.eurprd09.prod.outlook.com with HTTPS via
AM6P194CA0016.EURP194.PROD.OUTLOOK.COM; Wed, 10 Jun 2020 13:22:02 +0000
Received: from AM6PR08CA0041.eurprd08.prod.outlook.com (2603:10a6:20b:c0::29)
by VI1PR09MB4096.eurprd09.prod.outlook.com (2603:10a6:800:121::8) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18; Wed, 10 Jun
2020 13:22:00 +0000
Received: from AM5EUR03FT028.eop-EUR03.prod.protection.outlook.com
(2603:10a6:20b:c0:cafe::95) by AM6PR08CA0041.outlook.office365.com
(2603:10a6:20b:c0::29) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.19 via Frontend
Transport; Wed, 10 Jun 2020 13:22:00 +0000
Authentication-Results: spf=fail (sender IP is XX.XX.71.5)
smtp.mailfrom=e.linkedin.com; contoso.com; dkim=pass (signature was verified)
header.d=e.linkedin.com;contoso.com; dmarc=pass action=none
header.from=e.linkedin.com;
Received-SPF: Fail (protection.outlook.com: domain of e.linkedin.com does not
designate XX.XX.71.5 as permitted sender) receiver=protection.outlook.com;
client-ip=XX.XX.71.5; helo=relay1.contoso.com;
Received: from relay1.contoso.com (XX.XX.71.5) by
AM5EUR03FT028.mail.protection.outlook.com (10.152.16.118) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3088.18 via Frontend Transport; Wed, 10 Jun 2020 13:22:00 +0000
Received: from localhost (mcheck1.contoso.com [XX.XX.71.91])
by relay1.contoso.com (Postfix) with ESMTP id 5E60E7619C
for <emmtom.toms@contoso.com>; Wed, 10 Jun 2020 15:22:00 +0200 (CEST)
X-Virus-Scanned: by Contoso DICT
X-Spam-CMAuthority: v=2.3 cv=Eda2v8uC c=1 sm=1 tr=0
a=407tTOkso+zxEghPF3UieQ==:17 a=KqOhe5OoNmIA:10 a=O76VCmqbo-wA:10
a=nTHF0DUjJn0A:10 a=Xg6hxTJYhxMA:10 a=M51BFTxLslgA:10
a=r77TgQKjGQsHNAKrUKIA:9 a=jU4qhlNgAAAA:8 a=YY1ZcqqrI6xR5oziIx0A:9
a=QEXdDO2ut3YA:10 a=SSmOFEACAAAA:8 a=4F_gcz9cAAAA:8 a=P0CS7o0kAAAA:8
a=g2DXbu_dzxOSWhaP4Y8A:9 a=a1La3gOqBzqfoSXu:21 a=gKO2Hq4RSVkA:10
a=frz4AuCg-hUA:10 a=_W_S_7VecoQA:10 a=utKY0mbGk_15_-6maDl2:22
a=xJca28oTcna21abs7k0g:22 a=Sf_sMCSL_WJvxhl3zmRG:22
a=HH7FIXwXL_sUf1zzYxQd:22
Received: from relay1.contoso.com ([XX.XX.71.5])
by localhost (mcheck1.contoso.com [XX.XX.43.40]) (amavisd-new, port 10024)
with ESMTP id 9VyQz8KiaVbs for <emmtom.toms@contoso.com>;
Wed, 10 Jun 2020 15:21:59 +0200 (CEST)
Received: from omp.e.linkedin.com (omp.e.linkedin.com [199.7.202.92])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by relay1.contoso.com (Postfix) with ESMTPS id 41058761D0
for <emmtom.toms@contoso.com>; Wed, 10 Jun 2020 15:21:59 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=linkedin; d=e.linkedin.com;
h=X-CSA-Complaints:MIME-Version:Content-Type:Date:To:From:Reply-To:Subject:
List-Unsubscribe:Message-ID; i=linkedin@e.linkedin.com;
bh=VBYsNAgiDn7YaiIN9cVXM81+g80p3KHLOaF4tKbBfcQ=;
b=FlJXmEzPX/6BGfuuY5NymMAp/uUqFVJufQmDU4e33gwYsb1jE8/zTVhTQdv0ApZzsc6FVzIrTJPu
fPF0cJjRzNyPZqqNTilBCA1Rlvc2fdEaodYbvSsP/NeAOrNI3XGVvMDOFy2U/IIlKBUIpQvEaWxo
5fz57GVjlTRSuBvvCWw=
Received: by omp.e.linkedin.com id hs3f7a2lr0oo for <emmtom.toms@contoso.com>; Wed, 10 Jun 2020 06:21:57 -0700 (envelope-from <linkedin@e.linkedin.com>)
X-CSA-Complaints: whitelist-complaints@eco.de
Content-Type: multipart/mixed; boundary="----msg_border_H19D3aPqbR"
Date: Wed, 10 Jun 2020 06:21:57 -0700
To: <emmtom.toms@contoso.com>
From: =?UTF-8?B?TGlua2VkSW4=?= <linkedin@e.linkedin.com>
Reply-To: =?UTF-8?B?TGlua2VkSW4=?= <donotreply@e.linkedin.com>
Subject: Emma, thanks for being a valued member
Feedback-ID: 50563:15879535:oraclersys
List-Unsubscribe: <mailto:unsubscribe-AQpglLjHJlYQGhEEYGcKT1zfCha0Hrzc09zgRmpHl6t8EHLwjzaSzcT8eDUd3lyTbO6W@imh.rsys5.com?subject=List-Unsubscribe>, <https://e.linkedin.com/pub/optout/UnsubscribeOneStepConfirmAction?YES=true&_ri_=X0Gzc2X%3DAQpglLjHJl....>
X-sgxh1: LuunLLjlQnLLjlkxmnLglQIL
X-rext: 6.interact5.EoGG5EJd2Sx8oHRajXRDF0uiatAlCGaeOrQ1X2CL93KUtP2IwA4
X-cid: linkedin.3752
X-ei: Egbnz3E-LglAP044NUjD3X2Hnhqk1RQC
Require-Recipient-Valid-Since: emmtom.toms@contoso.com; Wed, 8 Apr 2020 19:18:00 -0700
Message-ID: <0.1.21F.3B0.1D63F2A1E020AEE.0@omp.e.linkedin.com>
X-Miltered: at jchkm4 with ID 5EE0DE76.000 by Joe's j-chkmail (http://helpdesk.contoso.com/email/)!
X-j-chkmail-Enveloppe: 5EE0DE76.000 from omp.e.linkedin.com/omp.e.linkedin.com/199.7.202.92/omp.e.linkedin.com/<linkedin@e.linkedin.com>
X-j-chkmail-Score: MSGID : 5EE0DE76.000 on relay1.contoso.com : j-chkmail score : . : R=. U=. O=# B=0.000 -> S=0.083
X-j-chkmail-Status: Ham
Return-Path: linkedin@e.linkedin.com
X-MS-Exchange-Organization-Network-Message-Id: ca920975-ae6a-4b67-5983-08d80d414218
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-Forefront-Antispam-Report: CIP:XX.XX.71.5;CTRY:BE;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:relay1.contoso.com;PTR:relay1.contoso.com;CAT:NONE;SFTY:;SFS:;DIR:INB;SFP:;
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource: AM5EUR03FT028.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: Contosobe.onmicrosoft.com
X-MS-Office365-Filtering-Correlation-Id: ca920975-ae6a-4b67-5983-08d80d414218
X-MS-TrafficTypeDiagnostic: VI1PR09MB4096:
X-MS-Oob-TLC-OOBClassifiers: OLM:6790;
X-MS-Exchange-Organization-SCL: -1
X-Microsoft-Antispam: BCL:1;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jun 2020 13:22:00.5392
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: ca920975-ae6a-4b67-5983-08d80d414218
X-MS-Exchange-CrossTenant-Id: d7811cde-ecef-496c-8f91-a1786241b99c
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d7811cde-ecef-496c-8f91-a1786241b99c;Ip=[XX.XX.71.5];Helo=[relay1.contoso.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR09MB4096
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.6337616
X-MS-Exchange-Processed-By-BccFoldering: 15.20.3088.011
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(750128)(520011016)(944506458)(944626604);
X-Microsoft-Antispam-Message-Info:
MIME-Version: 1.0

Could you check if the user exists in Exchange Online with the correct DOMAIN.mail.onmicrosoft.com alias?
And if the user exists in the local Exchange server as a Remote Mailbox?
It looks as if the Exchange does forward the mail but doesn't see the mailbox as a Hybrid mailbox for some sort of reason..
Because the Exchange server is the last hop, Office 365 will check the SPF of the senders domain (linkedin.com) as the originating domain.

Also to make sure, did you run the latest version of the HCW and do you have the latest CU update installed on your Exchange server?