SPF and DKIM are failing as emails are getting forwarded to one Cloud Anti-Phishing Solution

raj a 316 Reputation points
2025-02-24T09:16:19.1133333+00:00

Hello,

We are using EOP as our email gateway. Once internet email reaches EOP, we forward it to a Cloud Anti-Phishing Solution platform, and then the email comes back to EOP. Due to this routing, when EOP checks SPF and DKIM, it actually checks the IP address of the Cloud Anti-Phishing Solution to validate SPF instead of the authorised outbound server IP of the sender's domain, and then fails.

How can we fix this issue?

Regards,

Raj

Microsoft Exchange Hybrid Management

2 answers

  1. Alex Zhang-MSFT 5,385 Reputation points Microsoft Vendor
    2025-02-25T06:15:44.5866667+00:00

    Hello, @raj a,

    Welcome to the Microsoft Q&A platform!

    This is a common challenge when emails are routed through multiple hops.

    Here are a few steps you can take to address this issue:

    First, configure Enhanced Filtering for Connectors (Skip Listing) in the Exchange admin center (EAC) under Mail flow > Connectors. This allows EOP to skip certain IP addresses when performing SPF checks, ensuring the original sender's IP address is used for validation.

    Next, use the Authenticated Received Chain (ARC) to preserve the original email authentication results across multiple hops. Ensure both your EOP and Cloud Anti-Phishing Solution support and are configured to use ARC. For more details, please refer to Email authentication in Microsoft 365 - Microsoft Defender for Office 365 | Microsoft Learn. Additionally, update your SPF records to include the IP addresses of both your EOP and Cloud Anti-Phishing Solution, preventing SPF failures by explicitly authorizing these IP addresses.

    Finally, verify that DKIM is correctly configured for your domain and that DKIM signatures are preserved and validated correctly after passing through the Cloud Anti-Phishing Solution. Review your mail flow rules to ensure they are correctly configured to handle the routing and authentication of emails, including any necessary exceptions or conditions for the Cloud Anti-Phishing Solution.

    Should you need more help on this, you can feel free to post back. 


    If the answer is helpful, please click on “Accept answer” as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

    Thank you for your support and understanding.

    Best Wishes,

    Alex Zhang


  2. Andy David - MVP 152.5K Reputation points MVP
    2025-02-28T12:24:49.97+00:00

    The only way to make this work really is to use ARC:

    https://learn.microsoft.com/en-us/defender-office-365/email-authentication-arc-configure

    You'll prob also want to create a transport rule that allows these from the 3rd party provider's IP sending range.

    The vendor of this solution should be able to provide guidance.

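Both answers rely on ARC, so a useful check is whether a message that has returned from the intermediary actually carries an ARC set and which domain sealed it. The following is an added example, not code from either answer or from Microsoft: it reads the ARC headers of a constructed sample message (the domains `filter.example`, `sender.example` and `mx.recipient.example` are placeholders) and reports the sealer domain, the chain status and the authentication results the sealer recorded. It does not verify the seal cryptographically.

```python
import re
from email import message_from_string

# Constructed sample: a message on its second arrival, after a hypothetical
# intermediary (filter.example) has added one ARC set. Signatures are placeholders.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; t=1740000000; cv=none; d=filter.example;
 s=arc1; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=filter.example; s=arc1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; filter.example;
 spf=pass smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=sender.example
From: alice@sender.example
Subject: constructed test message

body
"""

def parse_tags(value):
    """Split a folded 'k=v; k=v' header value into a dict."""
    parts = re.sub(r"\s+", " ", value).split(";")
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in parts if "=" in p)}

def arc_sets(raw):
    """Return one dict per ARC instance: sealer domain, cv status, recorded results."""
    msg = message_from_string(raw)
    sets = {}
    for seal in msg.get_all("ARC-Seal", []):
        tags = parse_tags(seal)
        sets[int(tags["i"])] = {"sealer": tags.get("d"), "cv": tags.get("cv")}
    for aar in msg.get_all("ARC-Authentication-Results", []):
        flat = re.sub(r"\s+", " ", aar)
        inst = re.match(r"\s*i=(\d+)", flat)
        if inst:  # keeps the last result per method if one is listed twice
            results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat))
            sets.setdefault(int(inst.group(1)), {}).update(results)
    return [dict(instance=i, **sets[i]) for i in sorted(sets)]

def missing_sealers(raw, trusted):
    """Sealer domains found in the chain but absent from the trusted list."""
    return sorted({s["sealer"] for s in arc_sets(raw) if s.get("sealer")} - set(trusted))

if __name__ == "__main__":
    print(arc_sets(SAMPLE))
    print(missing_sealers(SAMPLE, trusted=[]))
```

An empty result from `arc_sets` on a real returned message means the intermediary is not sealing, so there is nothing for the receiving side to trust. A non-empty result from `missing_sealers` names the domain that would need to be in the trusted ARC sealers list described in the linked article.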
