Allow disabling of SPF checks
As a user using both a dedicated security based ESP (Mimecast) with Office 365 Exchange, I have no need for many of the Office 365 security features.
Most annoying is the fact that forwarding from my ESP fails the Office 365 SPF checks, because the sending domain doesn't match the IP range of the source any more.
I wouldn't mind except Office 365 won't even allow me to disable SPF checking!
This means a typical message is stamped with an SPF 'pass' from Mimecast and an SPF 'fail' from Office 365.
This in turn could interfere with anti-spam rules within Office 365 (not that I'm using any) and e.g. client-side spam rules.
Please allow this feature to be turned off - this prevents working with 3rd party mail providers seamlessly!
When you have another service scanning in front of Office 365, the proper thing to do is disable the Office 365 scanning altogether and (optionally) respect the verdict from the prior system. Once you do that, even with the SPF header, the mails will not go to the users’ junk folders.
GP admin commented
We’re using Mimecast as our 3rd party spam filter and every email received from the internet generates an SPF softfail. Could this feature please be researched?
Agreed. We use Proofpoint as our Spam/Filtering system and it's annoying that O365 basically fails every email sent to it because the sending system is always our Proofpoint environment.
Is there a way to disable SPF checking on O365?
Emmanuel Dreux commented
I changed the real domain and address below.
Here is what we are getting. Are you saying that when MX are not pointing to Office 365, these are ignored?
dkim=pass header.d=gmail.com header.s=20161025;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
gmail.com discourages use of <IP ADDRESS> as permitted sender)
I initially opened this thread and found your comment here.
Terry Zink (Senior PM in Office 365) commented
You shouldn't need to turn off SPF and DMARC (it isn't necessary to disable DKIM checks). As long as the MX doesn't point to Office 365 (e.g., it points to Mimecast), SPF checks are supposed to be disabled already (the additional spam rule option doesn't consider this, but you shouldn't turn it on).
A little more detail - the SPF/DMARC checks will still appear in the Authentication-Results header, but they won't be enforced anywhere in the filter.
You can just turn off SPF checks in your Spam filter advanced settings.
Paul Fleming commented
This gets my vote. I just want to turn off SenderID not all protection.
Does the ip/domain of your sending server change often?
Why not fix your SPF records?
That said, ha. Guess why I'm here....
^This! We also use Mimecast to act as our inbound and outbound mail gateway between our on-prem mail servers and Office 365 tenant. OP's post is dead on - I'd REALLY like to be able to disable SPF checking.
Jeremy Burroughs commented
I agree. We are an MSP using Mimecast/Office 365 both internally and for all customer organizations on our MSP platform. We have transport rules in 365 disabling spam checks for emails received from Mimecast, but we should still be able to disable SPF, DKIM, and other checks within Office 365. We are entrusting those checks to Mimecast.
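Added example (not part of the thread and not code from any poster or from Microsoft): a Python sketch that lists the SPF verdict each hop stamped on a message and reports downstream hops that recorded a non-pass result even though the filtering gateway recorded a pass, which is the double stamping the original post describes. The sample message, host names and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: mail relayed through a filtering gateway to the mailbox
# provider. Host names and IPs are documentation values, not real systems.
SAMPLE = """\
Authentication-Results: mailbox.example.net; spf=softfail
 (sender IP is 192.0.2.10) smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example
Received-SPF: SoftFail (mailbox.example.net: domain of transitioning
 sender.example discourages use of 192.0.2.10 as permitted sender)
Received-SPF: Pass (gateway.example.org: domain of sender.example
 designates 198.51.100.7 as permitted sender)
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test message

body
"""

def spf_verdicts(raw):
    """Return [(stamping_host, spf_result)] in header order (newest hop first)."""
    msg = message_from_string(raw)
    verdicts = []
    for value in msg.get_all("Received-SPF", []):
        text = " ".join(value.split())            # unfold continuation lines
        m = re.match(r"(\w+) \(([^:\s)]+):", text)  # "Result (host: ..."
        if m:
            verdicts.append((m.group(2).lower(), m.group(1).lower()))
    for value in msg.get_all("Authentication-Results", []):
        text = " ".join(value.split())
        host = text.split(";", 1)[0].split()[0].lower()  # authserv-id
        m = re.search(r"\bspf=(\w+)", text)
        if m and (host, m.group(1).lower()) not in verdicts:
            verdicts.append((host, m.group(1).lower()))
    return verdicts

def relay_artifacts(raw, gateway):
    """Hosts other than `gateway` with a non-pass SPF result on a message the
    gateway passed. Only meaningful if `gateway` is your own infrastructure and
    it strips inbound copies of these headers, since senders can forge them."""
    verdicts = spf_verdicts(raw)
    if (gateway, "pass") not in verdicts:
        return []  # gateway did not vouch; a downstream failure may be genuine
    return sorted({h for h, r in verdicts if h != gateway and r != "pass"})

if __name__ == "__main__":
    print(spf_verdicts(SAMPLE))
    print(relay_artifacts(SAMPLE, "gateway.example.org"))
```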