On 2022-01-20 at 20:33 +0100, Klaus Ethgen via mailop wrote:
> > Scroll down to the relay pool subheader and read up more about it.
> 
> That means, Microsoft is intentionally breaking mail.
> 
> > Hope this helps.
> 
> Well, as I am not the sender but the recipient, no, it does not.
> 
> When it is not part of SPF pool and they have '-all' in SPF record,
> then the mail could not be delivered.
> 
> Only Microsoft is blamable for breaking it and only they can fix it.
> 
> Regards
>    Klaus

Someone forwarding mail from one account to a different mail server
should configure the receiving account to know that it is being
forwarded mail from $OriginalAccount, so that it can take that into
account and trust the forwarding MTA.
Otherwise, it just looks as if the forwarder is spoofing all the mail
that is forwarded.
DKIM-signatures would (should) survive, but forwarding will generally
break SPF (forwarding can either keep the original MAIL FROM or rewrite
it, I don't know which version O365 chooses), and that is expected. You
should place an exception on the receiving account to cater for that.

Microsoft adds another layer attempting to make it easier for you to
filter invalid mails, since they forward from the relay IP addresses
when the mail didn't validate to begin with.*

It is good that you are running your own mail server and can thus
tinker with it, since I know of no mail provider which offers such a
preference to their users in their interface (although perhaps they
would support that as a custom request).



Best regards



* 
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/high-risk-delivery-pool-for-outbound-messages?view=o365-worldwide
mentions

«The forwarded/relayed message should meet one of the following
criteria to avoid using the relay pool:

* The outbound sender is in an accepted domain.
* SPF passes when the message comes to Microsoft 365.
* DKIM on the sender domain passes when the message comes to Microsoft
365.»

but I suspect it might not be accurate. It would make more sense that
the criteria would be that the outbound sender is in an accepted
domain and either SPF or DKIM passes when it arrives at O365. Or mayb









_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
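
The failure mode discussed in this message, as an added example that is not part of the original e-mail: a forwarder that keeps the original MAIL FROM fails an SPF record ending in `-all`, unless the receiving server has an exception for that forwarder. The record, the addresses (documentation ranges) and the function names are constructed for illustration, and the SPF evaluator is simplified to `ip4`/`ip6`/`all` with no DNS lookups.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Evaluate the ip4/ip6 mechanisms and 'all' of an SPF record.
    Simplified: no include/a/mx/redirect and no DNS lookups."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:              # skip the "v=spf1" tag
        qualifier = "+"                          # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                             # nothing matched

def verdict(record, client_ip, trusted_forwarders):
    """SPF decision with a per-recipient exception for known forwarders."""
    result = spf_check(record, client_ip)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in trusted_forwarders):
        return "accept", "trusted forwarder, SPF '%s' ignored" % result
    if result == "fail":
        return "reject", "SPF fail"
    return "accept", "SPF " + result

# Constructed sample data (documentation address ranges, not real hosts).
SENDER_SPF = "v=spf1 ip4:192.0.2.0/24 -all"     # original sender's record
DIRECT_IP = "192.0.2.10"                        # sender's own outbound host
FORWARDER_IP = "198.51.100.25"                  # forwarding MTA, MAIL FROM kept
FORWARDERS = ["198.51.100.0/24"]                # exception set by the recipient

if __name__ == "__main__":
    print(verdict(SENDER_SPF, DIRECT_IP, []))
    print(verdict(SENDER_SPF, FORWARDER_IP, []))          # looks like spoofing
    print(verdict(SENDER_SPF, FORWARDER_IP, FORWARDERS))  # exception applied
```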
