Correct SPF


 Nov 26 2021

I got this advice from our supplier to add this here.

Currently we notice that one of the IP ranges from M365 exchange servers is not added to the default spf rule. And looking online we are not the only ones with these issues.

Please add 2603:10a6:20b:c0::/64

Comments
Brass Contributor

It would be useful to see the headers from one of the affected messages. Redact any sensitive information beforehand.

Copper Contributor

We encountered this fun problem too. Messages forwarded from one of our Tenants to another just get dumped as spam.

What have we done wrong, you may ask?

Well, it appears that the sending M365 service is using 40.95.78.85 as its address.

The specific error in the headers shows that forwarding from O365 to O365 breaks the SPF check.

Received-SPF: Fail (protection.outlook.com: domain of xxxxx.org does not
 designate 40.95.78.85 as permitted sender) receiver=protection.outlook.com;
 client-ip=40.95.78.85; helo=GBR01-LO2-obe.outbound.protection.outlook.com;

So? Well, the spf.protection.outlook.com that we all include in SPF records to whitelist the MSFT services currently unrolls (on mxtoolbox.com) to:

40.92.0.0/15 - (40.92.0.0 - 40.93.255.255)
40.107.0.0/16 - (40.107.0.0 - 40.107.255.255)
52.100.0.0/14 - (52.100.0.0 - 52.103.255.255)
104.47.0.0/17 - (104.47.0.0 - 104.47.127.255)

...so MSFT's own range of valid addresses for SPF does not include the 40.95.78.85 they are using for our Tenant. Oops.

Likely a typo as 40.92.0.0/14 would fix it, but it's worth checking your mileage.

Of course mxtoolbox.com may be lying.... and we may not be getting everything treated as spam.
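The check described in the comment above can be reproduced offline. This is an added example, not part of the thread or any Microsoft tooling: it pulls the result and client-ip out of the quoted Received-SPF header and tests the address against the ip4/ip6 ranges of an SPF record. The record string is constructed from the four ranges quoted in the comment (the `-all` ending is an assumption), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the four ranges quoted in the comment; "-all" is assumed.
PAGE_SPF = ("v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 "
            "ip4:52.100.0.0/14 ip4:104.47.0.0/17 -all")

# The Received-SPF header quoted in the comment, with its folding kept.
PAGE_HEADER = (
    "Received-SPF: Fail (protection.outlook.com: domain of xxxxx.org does not\r\n"
    " designate 40.95.78.85 as permitted sender) receiver=protection.outlook.com;\r\n"
    " client-ip=40.95.78.85; helo=GBR01-LO2-obe.outbound.protection.outlook.com;"
)

def parse_received_spf(header):
    """Return (result, client_ip) from a Received-SPF header field."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    result = re.match(r"Received-SPF:\s*(\w+)", unfolded, re.IGNORECASE)
    client = re.search(r"client-ip=([0-9A-Fa-f:.]+)", unfolded)
    if not result or not client:
        raise ValueError("no SPF result or client-ip in header")
    return result.group(1).lower(), ipaddress.ip_address(client.group(1))

def spf_networks(record):
    """Networks named by ip4:/ip6: mechanisms. include:, a and mx need DNS
    lookups and are deliberately not resolved here."""
    nets = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        kind, _, value = term.lstrip("+-~?").partition(":")
        if kind.lower() in ("ip4", "ip6") and value:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets

def matching_network(ip, record):
    """First listed network containing ip, or None if nothing matches."""
    for net in spf_networks(record):
        if net.version == ip.version and ip in net:
            return net
    return None

if __name__ == "__main__":
    result, ip = parse_received_spf(PAGE_HEADER)
    print(result, ip, "matched by:", matching_network(ip, PAGE_SPF))
    widened = PAGE_SPF.replace("ip4:40.92.0.0/15", "ip4:40.92.0.0/14")
    print("with /14 instead:", matching_network(ip, widened))
```

To test a live record, paste the fully expanded ip4/ip6 terms from your own DNS lookup in place of `PAGE_SPF`; the published ranges may differ from the ones quoted in this thread.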