SoftFail SPF check for corporate Gateway

  • Question

  • Hi,

    We are using a mail gateway that is rewriting SMTP headers for business reasons. When internet messages are arriving, they are flagged as SoftFail.

    For example, when a Gmail account sends us a mail, the SMTP header contains:

    Received-SPF: SoftFail (protection.outlook.com: domain of transitioning  gmail.com discourages use of 162.243.45.136 as permitted sender)

    Office 365 performs an SPF check and obviously our mail gateway is not in the SPF records for Gmail.


    Question: How can we "whitelist" our gateway to bypass the SPF check?

    Apparently anti-spam platforms are experiencing the same issue: https://social.technet.microsoft.com/Forums/en-US/200f2e98-07bb-4711-9f15-1603da34876a/bypass-spam-and-spf-check?forum=onlineservicesexchange

    We don't want the mails delivered through the gateway to end up in the SPAM.

    What is the solution for our mail gateway (... and anti-spam platforms?)

    Thanks.


    -- Emmanuel Dreux http://www.cloudiway.com

    Thursday, November 8, 2018 5:27 PM

All replies

  • You can whitelist the IP of the gateway server in the spam policy connection filter. Or create a connector.
    Thursday, November 8, 2018 7:15 PM
  • Yes,

    that's what I wrote in this thread: https://social.technet.microsoft.com/Forums/en-US/200f2e98-07bb-4711-9f15-1603da34876a/bypass-spam-and-spf-check?forum=onlineservicesexchange

    But the thread seemed to end saying that it did not prevent the SPF check?


    -- Emmanuel Dreux http://www.cloudiway.com

    Thursday, November 8, 2018 9:13 PM
  • Let's say it differently:

    If a company is using Office 365 and is not pointing the MX records to Office 365, but instead points to another service (antispam, gateway, etc...) that then delivers to Office 365:

    Office 365 performs an SPF check against the IP address of this platform which obviously is not in the SPF record of the sender (who is a client, contractor, etc....).

    Google has an elegant way to prevent that (you can white list the above gateway and the SPF check will be performed against the next first public IP address).

    https://support.google.com/a/answer/60730?hl=en

    Automatically detect external IP.

    If you select this option, Gmail scans through the Received: from message header to find the first public IP address that’s not in the Gateway IP list and determines that it’s the “external” IP address. Gmail considers the first detected external IP as the sending IP and uses this IP for SPF checks and spam evaluation.

    This is, I believe, the right approach because the SPF check is still performed but not against the gateway.

    As suggested by Vasil, we proposed to our customer to "whitelist the IP of the gateway server in the spam policy connection filter. Or create a connector."

    Here is his reply... that makes sense:

    Is this the only solution from your end? Whitelisting just allows the emails to be received but doesn’t solve the SPF issue.

    Also, if we whitelisted the IP, we would be allowing all email in including spam since all email would funnel through your mail router. (That's where Google is good because it makes an SPF check against the next IP and we're looking for an equivalent solution).

    Please help elaborate a solution to this issue.


    -- Emmanuel Dreux http://www.cloudiway.com

    Thursday, November 8, 2018 10:37 PM
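
The Gmail behaviour quoted in the post above (take the first public IP in the Received chain that is not in the gateway list and run SPF against that), as an added example that is not part of the original thread and is not Google's or Microsoft's code. The function name, the sample headers, the host names and the sender address 209.85.220.41 are constructed assumptions; 162.243.45.136 is the gateway address from the Received-SPF line in the question.

```python
import ipaddress
import re
from email import message_from_string

# Address literal as most MTAs write it: "from host (name [1.2.3.4])"
_IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def external_sending_ip(raw_message, gateway_ips):
    """Return the first public IP in the Received chain not listed as a gateway.

    Received headers are read top-down (newest hop first), so trusted gateway
    hops are skipped until the host that handed the mail to them is found.
    Returns None when no such address exists.
    """
    gateways = {ipaddress.ip_address(ip) for ip in gateway_ips}
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        # Only the "from ..." clause names the connecting peer; cut at " by ".
        from_clause = re.split(r"\sby\s", received, maxsplit=1)[0]
        for literal in _IP_IN_BRACKETS.findall(from_clause):
            try:
                ip = ipaddress.ip_address(literal)
            except ValueError:
                continue  # bracketed text that is not an address
            if ip in gateways or not ip.is_global:
                continue  # trusted gateway hop, or private/loopback address
            return str(ip)
    return None

# Constructed sample: sender -> corporate gateway -> hosted mailbox service.
SAMPLE = (
    "Received: from gateway.example.net (gateway.example.net [162.243.45.136])\n"
    "\tby mx.tenant.example with ESMTPS; Thu, 8 Nov 2018 17:20:03 +0000\n"
    "Received: from mail-out.example.org (mail-out.example.org [209.85.220.41])\n"
    "\tby gateway.example.net with ESMTPS; Thu, 8 Nov 2018 17:20:01 +0000\n"
    "Received: from [10.0.0.5] (unknown [10.0.0.5])\n"
    "\tby mail-out.example.org with ESMTP; Thu, 8 Nov 2018 17:20:00 +0000\n"
    "From: sender@gmail.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
```

With an empty gateway list the function returns the gateway's own address, which is the situation that produces the SoftFail in the question. The returned address is reliable only because it was recorded by a listed gateway; Received lines below that hop are supplied by the sender.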
  • It will not prevent the SPF check, but the message will be delivered regardless of what the SPF check says. There is no way to completely disable the SPF check if that's what you mean, it's a basic protection setting that cannot be toggled on/off.
    Friday, November 9, 2018 7:29 AM
  • Hi,

    Is there any update on this thread? If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Friday, November 16, 2018 9:02 AM
    Moderator
  • No, issue not resolved.


    Google provides a solution

    No solution for Office 365.


    -- Emmanuel Dreux http://www.cloudiway.com

    Friday, November 16, 2018 9:23 AM
  • Hi Emmanuel,

    I'd recommend you open a support ticket and check if there is any useful solution for Office 365.


    Best Regards,
    Niko Cheng



    Wednesday, November 21, 2018 9:35 AM
    Moderator