Microsoft Teams sends voice email messages which fail SPF checks
Whenever you call someone in Microsoft Teams and they do not get your call, you can leave them a voice message in the app.
Teams will then send an email message to the recipient's mailbox with the voice message information, the transcription and an attached audio file. Teams will also send it from the caller's email address (e.g. From: John.Doe@example.com).
These email messages are sent in such a way that an Exchange Transport Rule like the one attached in the PNG file will flag them unexpectedly, because they seem to be sent from IP address(es) not included in the default SPF record for Office 365 customers:
v=spf1 include:spf.protection.outlook.com -all
If you analyze the headers of the affected email messages, you will probably find lines like the one below:
Authentication-Results: spf=fail (sender IP is 52.114.76.82)
Received-SPF: Fail (protection.outlook.com: domain of example.com does not
designate 52.114.76.82 as permitted sender) receiver=protection.outlook.com;
client-ip=52.114.76.82; helo=EUR03B.map.protection.outlook.com;
This is a well known issue of Teams as documented in their github repo:
https://github.com/MicrosoftDocs/OfficeDocs-SkypeForBusiness/blob/live/Teams/Known-issues.md
Please, resolve this security problem at your earliest convenience.

2 comments
-
Nate McLean commented
I had a microsoft case on this and it's a known issue with CVM and Teams/SkypeforBusiness. Instead of the large IP range, they gave me the exact IP's for Cloud Voicemail. You can either put them in an SPF record or create a transport rule.
Cloud Service IP address
Apac 52.114.7.28
Apac 52.114.15.0
Apac 52.114.7.29
Apac 52.114.15.1
Noam 52.114.128.68
Noam 52.114.159.40
Noam 52.114.128.18
Noam 52.114.159.41
Emea 52.114.75.27
Emea 52.114.76.82
Emea 52.114.76.83
Emea 52.114.75.28 -
Javier commented
Adding this modifier to the SPF record works as a workaround:
ip4:52.112.0.0/14We hope it will get resolved permanently. Other services such as OneDrive for Business or SharePoint Online are able to send email from our users' email addresses without adding a separate SPF modifier.