I found a bug...

← Bug Reports

Microsoft Teams sends voice email messages which fail SPF checks

Whenever you call someone in Microsoft Teams and they do not get your call, you can leave them a voice message in the app.

Teams will then send an email message to the recipient's mailbox with the voice message information, the transcription and an attached audio file. Teams will also send it from the caller's email address (e.g. From: John.Doe@example.com).

These email messages are sent in such a way that an Exchange Transport Rule like the one attached in the PNG file will flag them unexpectedly, because they seem to be sent from IP address(es) not included in the default SPF record for Office 365 customers:
v=spf1 include:spf.protection.outlook.com -all

If you analyze the headers of the affected email messages, you will probably find lines like the one below:

Authentication-Results: spf=fail (sender IP is 52.114.76.82)

Received-SPF: Fail (protection.outlook.com: domain of example.com does not
designate 52.114.76.82 as permitted sender) receiver=protection.outlook.com;
client-ip=52.114.76.82; helo=EUR03B.map.protection.outlook.com;

This is a well known issue of Teams as documented in their github repo:
https://github.com/MicrosoftDocs/OfficeDocs-SkypeForBusiness/blob/live/Teams/Known-issues.md

Please, resolve this security problem at your earliest convenience.

26 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Javier shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

2 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Nate McLean commented  ·   ·  Flag as inappropriate

    I had a microsoft case on this and it's a known issue with CVM and Teams/SkypeforBusiness. Instead of the large IP range, they gave me the exact IP's for Cloud Voicemail. You can either put them in an SPF record or create a transport rule.
    Cloud Service IP address
    Apac 52.114.7.28
    Apac 52.114.15.0
    Apac 52.114.7.29
    Apac 52.114.15.1
    Noam 52.114.128.68
    Noam 52.114.159.40
    Noam 52.114.128.18
    Noam 52.114.159.41
    Emea 52.114.75.27
    Emea 52.114.76.82
    Emea 52.114.76.83
    Emea 52.114.75.28

  • Javier commented  ·   ·  Flag as inappropriate

    Adding this modifier to the SPF record works as a workaround:
    ip4:52.112.0.0/14

    We hope it will get resolved permanently. Other services such as OneDrive for Business or SharePoint Online are able to send email from our users' email addresses without adding a separate SPF modifier.

Forum Home

Reference Information for Teams

Bug Reports: Privacy/Security

Categories

Feedback and Knowledge Base

(thinking…)

More Teams Information