-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Hi,

Am Mo den 2. Dez 2013 um 16:54 schrieb Benoit Panizzon:

Today, I discovered, that emails whose envelope sender matched the DNS SPF record, but whose From: Header did not (like after the envelope sender has being rewritten by SRS) were rejected by a hosted exchange server provider.

I got in contact with that admin and he told me that this was the way the SPF check works in the Microsoft Exchange Forefront Server.

Well, according to the RFC 4408 only HELO or MAIL FROM are being considered for SPF. Not the From: header. Is there anyone out there who can confirm, that Microsoft Exchange Forefront Server realy has such a broken SPF implementation. Or did the exchange admin just misconfigure his server?

Yes, this is a common fact that microsoft does this wrong. Unfortunately the responsible "admins" are even worse and try to tell you that "this is from microsoft, that is a correct behaviour". You always have to work around this.

I had one of this issue in Univerity too.

Regards Klaus Ethgen - -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen Klaus@Ethgen.de Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C

Hi Benoit,

On Mon, Dec 02, 2013 at 16:54:59 +0100, Benoit Panizzon wrote:

Today, I discovered, that emails whose envelope sender matched the DNS SPF record, but whose From: Header did not (like after the envelope sender has being rewritten by SRS) were rejected by a hosted exchange server provider.

Could it be that a DMARC policy is defined for the domain in the From: header? With DMARC the From: header is checked too.

Cheers David