You must see it from the point of view of the SECOND server (the second Microsoft 365 that the tenant is hosted on). Not the intermediate "smarthost" Microsoft 365 server that directly receives your mail based on SPF.

The second server has no way to know that the first server really validated SPF on the incoming mail. Or better: See all Microsoft 365 servers as one big server. The problem is as follows: When you add the "smarthost" Microsoft 365 server in your SPF so the council can send via it, the receiving server (Microsoft 365 tenant) cannot use the SPF. Why? Because when a Microsoft 365 server sends mail to a Microsoft 365 server, it uses internal addresses, thus it can't use SPF at all.

You must understand more of what's going on "under the hood", not just the server you are talking to, but the communication between your server, intermediate Microsoft servers, and the tenant server. This is why Microsoft says "DirectSend is REQUIRED for their infrastructure to work". It's kind of an "internal SPF" that is only valid for Microsoft-hosted domains sending to Microsoft. Think of it like a Microsoft-issued ID card (DirectSend) which is required inside Microsoft premises, but you can't buy alcohol with a Microsoft ID card. Then you have a state-issued ID card (kind of) - SPF - but that doesn't work inside Microsoft premises.

I KNOW - it's an extremely "hackish" way to facilitate internal communication between Microsoft servers, which also hurts certain external senders sending from Microsoft-hosted domains to Microsoft servers. But given Microsoft's infrastructure, it's the only way.

If you actually look at the "Received:" lines inside an email that has entered Microsoft infrastructure, you will see a LOT of intermediate hops. I haven't tried, but I'm pretty sure you can actually send mail destined for any tenant to any mail-protection.outlook.com domain. Microsoft will just shuffle the mail right, because it sees the domain and knows it's a Microsoft tenant. And here is where DirectSend comes in: ALL Microsoft servers need to be able to validate if the tenant domain is valid as a sender, either via SMTP Auth or via DirectSend configuration.
-----------------------------------------------------------------------------------------------------------------

As I said, ask the council to create an account for you in their Microsoft 365 server. Then send the invoices via that account.

Best regards,
Sebastian Nielsen

_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop
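
Added example, not part of the original message: a simplified SPF check (only the `ip4`/`ip6` and `all` mechanisms, no DNS lookups) run at each hop, showing why a server that only sees an internal relay address cannot reproduce the SPF result obtained at the first hop. The SPF record, hop names and IP addresses are constructed (documentation and private ranges), not real Microsoft values.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms against the connecting client's IP.

    Simplified on purpose: no DNS, no include/a/mx/redirect handling.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"                         # no mechanism matched


# Constructed sample data (assumptions for illustration only).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"
HOPS = [
    ("edge relay (first hop)", "198.51.100.25"),    # sees the external sender
    ("tenant server (second hop)", "10.20.30.40"),  # sees an internal relay IP
]


def evaluate_hops(record, hops):
    """Return (hop name, client IP, SPF result) as each hop would compute it."""
    return [(name, ip, spf_result(record, ip)) for name, ip in hops]


if __name__ == "__main__":
    for name, ip, result in evaluate_hops(SPF_RECORD, HOPS):
        print(f"{name:28} client={ip:15} spf={result}")
```

SPF is always evaluated against the IP of the directly connecting client, so the same record gives a different answer at each hop.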
