Tuesday, August 10, 2021

Sender Rewriting Scheme Upcoming Changes

The implementation of SRS in Exchange Online has been available for over 2 years now, but it is something we still focus on to ensure that the feature is as comprehensive and concise as possible given the many ways there are to forward messages and different routing scenarios.

There are three upcoming changes in Exchange Online that will affect SRS:

1.     New on-premises connector setting

We are introducing a new SRS parameter on outbound on-premises connectors that allow admins to turn on SRS rewrites for messages using those connectors. Today, traffic to on-premises is not rewritten, as on-premises is considered part of the trust boundary where SPF checks should not take place. With some customers routing traffic out of their on-premises environments, this setting provides a solution and traffic can be rewritten if needed. The new setting rolling out now, which can be configured by the New-OutboundConnector or Set-OutboundConnector cmdlets, is SenderRewritingEnabled.

2.     Change in rewriting for SMTP/mailbox forwarding

We are further consolidating our rewriting for message forwarding. Not all forwarded messages are rewritten using SRS today. Messages forwarded with SMTP or mailbox forwarding have their P1 Mail From address replaced with the forwarding mailbox address. This will change to using SRS rewriting instead. This is a behavior change that may result in some disruptions. For one, SRS does not rewrite messages destined for on-premises while the current rewriting process does. This could cause issues with forwarded messages sent to or via on-premises. The setting in #1 has been provided to fix this gap and allow messages to still be rewritten after this change in behavior. This change is planned to begin rolling out starting October 1st. You can find out more about SRS here.

3.     Skipping SRS if incoming message did not pass SPF

The rollout of the new relay pool (announced in the Message Center post MC266466) will result in some messages no longer being rewritten. The aim of SRS is to allow a message to pass SPF checks when it is forwarded or relayed to another destination. However, if the message did not pass SPF when it was received by Exchange Online, that result should be preserved. The relay pool rollout will ensure this. The change will also affect spoofed domains (messages sent using non-accepted domains) from on-premises which will be sent via the relay pool to break SPF. For the timeline, please refer to MC266466 and here.

The main effect to look out for with these upcoming changes is that messages leaving the service start getting rejected by the receiving party.


--The Exchange Team

Posted at https://sl.advdat.com/3g9fbFd