Graph and PowerShell Blog

Scenario
Company A - Has an on-prem Exchange environment in Hybrid mode, but chooses 'Centralized Mail-flow' so that all mails are sent via the on-prem Exchnage servers. As a result of this setup they do not add the Microsoft addresses to their SPF record.

Company B - Also has a hybrid setup but mail-flow is set to all go through O365. In addition to this they also have O365 mail filters enabled. Both companies are based in the same country.

Problem
When Company A sends mails to Company B they always end up in O365 Quarantine. When reviewing the Internet headers we see that the SPF record has failed despite 'centralized mail-flow' being enabled.

Cause
While in theory the emails coming from Company A should exit via the on-prem Exchange servers, instead if the two tennants in O365 reside in the same datacenter then the mail is routed via O365. So the SPF record will fail and the mail will go to Quarantine, but only if the recipient domain has legacy mail filters enabled.

↑ SPF fails because spf.protection.outlook.com is not present.

Resolution
While both companies had issues with the setup, Microsoft Support sided with company A, saying that if the legacy mail filters (in particular the MarkAsSpamSpfRecordHardFail filter) were disabled then the mails would not go to quarantine. This is technically correct but with a couple of caveats, first the Internet headers still show an error, with Microsoft adding an extra authentication field to bypass the error. Secondly the Microsoft documentation for Hybrid setup says to add the Microsoft addresses to your SPF file, it does not mention anything about exceptions for centralized mail-flow.

↑ Added field, X-MS-Exchange-Authentication-Results, shows the SPF record passing.

This was a long running case with Microsoft Support but out of it at least came information on no longer using legacy mail filters. I kinda think if a feature is no longer to be used then really it should also be removed from the GUI and not hidden deep in the documentation, but in the end the issue did at least get resolved. I recommend running the ORCA PowerShell report to keep track of all best practices for O365 mail-flow.

↑ SPF record: hard fail should not be enabled under M365 Defender > Policies & Rules > Threat Policies > Anti-spam Policies.

Graph and PowerShell Blog	Articles 2024 Advanced Postfix configuration Installing Exchange 2019 in Azure Landing Zone Upgrading PHP on Windows Adding a Postfix server for relay to O365 O365 Integrated Apps troubleshooting Domino and O365 Co-existence Delegate Control in AD App mail relay via HVE Setting up Mail Relay with HVE Getting BIMI certified Orbea Occam SL H30 Installing FreeSat and Saorview Changing broadband provider Replacing a DIN timer on fuseboard Outlook Desktop Notifications stop working Outlook folders keep moving sort order Teams report uploading to SharePoint with Runbooks Teams PowerShell module can't run CS cmd as App 2023 Cannot map new Shared Mailboxes in O365 Renewing an Exchange 2016 certificate Connect to Compliance PowerShell behind a Proxy Sensitivity Label not shown in Outlook Client Room Finder Error in Outlook Teams not showing Rooms Teams unable to open file Unable to review quarantined mails for shared mailbox Set Locale for various Apps Delegate Sent Items placed into external Tenant Overview of Microsoft Support cases When centralized mail sends via O365 Cleaning up your Windows DNS server Set OneDrive for Business Locale O365 Migration Tips Reporting on successful Azure logons IIS Mapi Queue full with NetScaler Secure Office365 reports with a certificate Using Graph to send emails with inline images Visualizing Graph data with Google Charts Keeping a log of NetScaler AlwaysON connections \| About \| Links

When Centralized Mail sends via O365 11-Mar-23 Scenario Company A - Has an on-prem Exchange environment in Hybrid mode, but chooses 'Centralized Mail-flow' so that all mails are sent via the on-prem Exchnage servers. As a result of this setup they do not add the Microsoft addresses to their SPF record. Company B - Also has a hybrid setup but mail-flow is set to all go through O365. In addition to this they also have O365 mail filters enabled. Both companies are based in the same country. Problem When Company A sends mails to Company B they always end up in O365 Quarantine. When reviewing the Internet headers we see that the SPF record has failed despite 'centralized mail-flow' being enabled. Cause While in theory the emails coming from Company A should exit via the on-prem Exchange servers, instead if the two tennants in O365 reside in the same datacenter then the mail is routed via O365. So the SPF record will fail and the mail will go to Quarantine, but only if the recipient domain has legacy mail filters enabled. ↑ SPF fails because spf.protection.outlook.com is not present. Resolution While both companies had issues with the setup, Microsoft Support sided with company A, saying that if the legacy mail filters (in particular the MarkAsSpamSpfRecordHardFail filter) were disabled then the mails would not go to quarantine. This is technically correct but with a couple of caveats, first the Internet headers still show an error, with Microsoft adding an extra authentication field to bypass the error. Secondly the Microsoft documentation for Hybrid setup says to add the Microsoft addresses to your SPF file, it does not mention anything about exceptions for centralized mail-flow. ↑ Added field, X-MS-Exchange-Authentication-Results, shows the SPF record passing. This was a long running case with Microsoft Support but out of it at least came information on no longer using legacy mail filters. I kinda think if a feature is no longer to be used then really it should also be removed from the GUI and not hidden deep in the documentation, but in the end the issue did at least get resolved. I recommend running the ORCA PowerShell report to keep track of all best practices for O365 mail-flow. ↑ SPF record: hard fail should not be enabled under M365 Defender > Policies & Rules > Threat Policies > Anti-spam Policies.