SPF Check when using 3rd Party Appliance in Mail Flow

Abanoub Halim 1 Reputation point


We're using Sepp Mail to Sign messages but also as E-Mail encryption gateway, therefore the service is within the mailflow which looks like:

External -] EOP -] Transport Rule to Send out through specific Connector to SEPPMail (xxx.contoso] ExO -] SEPPmail / MX:M365) --] SEPPMail which comes in on specific Connector ([xxxx.contoso] SEPPmail -] ExO / MX:M365) --] ExO.

In this case SPF will fail naturally, I configured Enhanced filtering with skipping IP Ranges of SEPPMail and known EOP Ranges but there are still more hops on Exchange Online side which lead then to a SPF failure.

what is the proper way to configure such scenario that I don't get SPF Failures?

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,227 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Abanoub Halim 1 Reputation point

    The third-party provider does not send mails, these are sent by M365. The problem affects incoming mail traffic.

    The mail flow is like this at the customer SNSF:


    The SEPPMail service is an email encryption and signature gateway.

    Because the mails are sent to this service via Transport Rules, the SPF Check fails when they arrive back at Exchange Online, as this service is logically not considered a valid sender system for the external domain.


    Can I exclude mails that come from the SEPPMail service (specific Inbound Connetor) from this SPF check, or generally from the anti-spam check, because this was already carried out before, when the message arrived for the first time.

    Or can I e.g. set a header that causes an antispam bypass when the message comes back to avoid a double scan?

    0 comments No comments

  2. Andy David - MVP 138.6K Reputation points MVP

    If I understand the question correctly, you can exclude emails from the IPs of that service with a transport rule from getting scanned for spam:

    Essentially this:


    0 comments No comments