Setting aside the fact that it is a Microsoft problem (that no one outside
of the organization should be affected by), there is a simple way to do it:
IP address of the original sender of the message when it is initially
received by Microsoft servers.
 - If it's internal, it's internal and it's a Microsoft problem to validate
if the message is valid, etc, etc.
 - If it's external then SPF should be used, regardless of the fact the
from domain is internal or not: if it's not rejected at this point no other
check shall be made during its journey through whatever internal servers
are used.

Doesn't look like rocket science.

On Fri, Sep 26, 2025 at 9:19 AM sebastian via mailop <[email protected]>
wrote:

> Correct - BUT that assumption can only be held if you're talking directly
> to the tenant server. Since Microsoft has lots of intermediate internal
> servers and hops, the internal servers cannot know the difference between a
> submitted password authenticated mail, an SPF authenticated one, or an
> unauthenticated one.
>
> In your example, the sender domain is hosted on the same server. That's why
> SPF doesn't apply. Instead local policy has to apply.
>
> It's a complicated mess with multi-tenant cloud mail servers.
>
> -------- Original message --------
> From: Jaroslaw Rafa via mailop <[email protected]>
> Date: 2025-09-26 10:06 (GMT+01:00)
> To: [email protected]
> Subject: Re: [mailop] DirectSend - has Microsoft re-invented SPF in an IPv6
> incompatible way?
>
> On 26.09.2025 at 09:44:20, Sebastian Nielsen via mailop wrote:
> > >> The scenario was when [email protected] was sending their mail to
> > >> [email protected] (external to op.pl, totally different service), and
> > >> [email protected] in turn forwarded the mail to [email protected], the op.pl
> > >> server rejected the mail with a message requiring authentication -
> > >> because it saw a sender address from op.pl domain. I think I see similar
> > >> misconfiguration here.
> >
> > Exactly what I'm saying. The third server has no way of validating "its own
> > hosted domain" to "itself" to what to say.
> >
> > As I made the example with "sebbe.eu" validating "127.0.0.1" against SPF.
> > That's why DirectSend exists. To facilitate this type of validation.
>
> The mail in my example was *not* coming from 127.0.0.1. It was coming from
> an external server (I was actually admin of that server at the time ;)).
>
> At the time when SPF did not exist, there was no separate submission service
> and submission was done via port 25, it was indeed hard to distinguish
> (although not impossible) if an incoming mail with a sender from "my own
> domain" is submission or a forwarded message coming from external server.
> But nowadays, when submission is separated from incoming mail and SPF
> exists, it's absolutely no problem to determine if incoming message with "my
> own domain" is submission, or a message coming from outside with properly
> validated SPF.
>
> It's only lack of Microsoft's will to do so.
> --
> Regards,
>    Jaroslaw Rafa
>    [email protected]
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop
>


-- 
-- 
Paulo Azevedo
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
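
The edge decision described in the top message of this thread, as an added example that is not part of the original thread or anyone's production code: the first receiving hop classifies the connecting IP once, and external senders are checked against SPF even when the sender domain is a hosted one. The networks, domain and SPF record are constructed, and the SPF evaluation is simplified to the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed sample data: private/documentation ranges and a made-up tenant domain.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "fd00::/8")]
SPF_RECORDS = {"tenant.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:25::/48 -all"}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def in_net(ip, net):
    # IPv4 and IPv6 are compared only against networks of the same family.
    return ip.version == net.version and ip in net


def spf_check(client_ip, domain):
    """Simplified SPF: only ip4/ip6 mechanisms and 'all' are evaluated."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if in_net(ip, ipaddress.ip_network(mech[4:], strict=False)):
                return RESULTS[qualifier]
        # include/a/mx and modifiers are out of scope for this sketch
    return "neutral"


def edge_decision(client_ip, mail_from_domain):
    """Decide once, at the first receiving hop, from the connecting IP.

    Later internal hops would carry this verdict forward instead of
    re-evaluating SPF against an internal relay address.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(in_net(ip, net) for net in INTERNAL_NETS):
        return "internal"                    # local policy applies, not SPF
    result = spf_check(client_ip, mail_from_domain)
    return "reject" if result == "fail" else "accept:spf=" + result
```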
