Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

Allow disabling of SPF checks

As a user using both a dedicated security based ESP (Mimecast) with Office 365 Exchange, I have no need for many of the Office 365 security features.

Most annoyingly is the fact that forwarding from my ESP fails the Office 365 SPF checks, because the sending domain doesn't match the IP range of the source any more.

I wouldn't mind except Office 365 won't even allow me to disable SPF checking!

This means a typical message is stamped with an SPF 'pass' from Mimecast and an SPF 'fail' from Office 365.

This in turn could interfere with anti-spam rules within Office 365 (not that I'm using any) and e.g. client-side spam rules.

Please allow this feature to be turned off - this prevents working with 3rd party mail providers seamlessly!

101 votes
Vote
Sign in
(thinking…)
Sign in with: facebook google
Signed in as (Sign out)
You have left! (?) (thinking…)
Anonymous shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

9 comments

Sign in
(thinking…)
Sign in with: facebook google
Signed in as (Sign out)
Submitting...
  • GP admin commented  ·   ·  Flag as inappropriate

    We’re using Mimecast as our 3rd party spam filter and every email received from the internet generates an SPF softfail. Could this feature please be researched?

  • Anonymous commented  ·   ·  Flag as inappropriate

    Agreed. We use proofpoint as our Spam/Filtering system and its annoying that O365 bascially fails every email sent to it because the sending system is always our proofpoint environment.

    Is there a way to disable SPF checking on O365?

  • Emmanuel Dreux commented  ·   ·  Flag as inappropriate

    @TerryZink.
    I changed the real domain and address below.

    Here is what we are getting. Are you saying that when MX are not pointing to Office 365, these are ignored?

    Authentication-Results: targetdomain.com;
    spf=softfail smtp.mailfrom=test@gmail.com;
    dkim=pass header.d=gmail.com header.s=20161025;
    dmarc=pass header.from=gmail.com

    Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
    gmail.com discourages use of <IP ADDRESS> as permitted sender)

    I initially opened this thread and found your comment here.
    https://social.technet.microsoft.com/Forums/en-US/5865dffc-bdf8-4811-a144-a4dd031274f8/softfail-spf-check-for-corporate-gateway?forum=onlineservicesexchange

  • Terry Zink (Senior PM in Office 365) commented  ·   ·  Flag as inappropriate

    You shouldn't need to turn off SPF and DMARC (it isn't necessary to disable DKIM checks). As long as the MX doesn't point to Office 365 (e.g., it points to MimeCast), SPF checks are supposed to be disabled already (the additional spam rule option doesn't consider this, but you shouldn't turn it on).

    A little more detail - the SPF/DMARC checks will still appear in the Authentication-Results header, but they won't be enforced anywhere in the filter.

  • Sean commented  ·   ·  Flag as inappropriate

    Does the ip/domain of your sending server change often?
    why not fix your spf records?

    That said, ha. Guess why I'm here....

  • Dan commented  ·   ·  Flag as inappropriate

    ^This! We also use Mimecast to act as our inbound and outbound mail gateway between our on-prem mail servers and Office 365 tenant. OP's post is dead on - I'd REALLY like to be able to disable SPF checking.

  • Jeremy Burroughs commented  ·   ·  Flag as inappropriate

    I agree. We are an MSP using Mimecast/Office 365 both internally and for all customer organizations on our MSP platform. We have transport rules in 365 disabling spam checks for emails received from Mimecast, but we should still be able to disable SPF, DKIM, and other checks within Office 365. We are entrusting those checks to Mimecast.

Feedback and Knowledge Base