The problem here is how Exchange itself works (O365):
However mails sent from inside office 365 addressed to users with
accounts in 0ffice365 continued to appear in office 365 mailboxes, and
are not routed to the mx mail server (google apps), and thus are not
appearing in google apps mail mail boxes.
This is to be expected. Exchange isn't going to send email to an external MX record for example.com
if their email address is bob@example.com
associated with a mailbox on the Exchange Online Org for your Office 365 domain. The routing of the email will dictate that the user is local and should be treated as such.
You have a couple of options as I see it:
Option #1:
Assuming you are using 2 distinct email domains for O365 and Google Apps you could have individual mailboxes on O365 forward any incoming email to the external Google Apps domain. I know you said your MX records go to google apps so you are probably only using a single domain name, but you could look at forwarding it to their gmail associated address instead and then setting their primary email address for new emails and replies to their real company domain email address.
In this instance the example would be:
Email to bob@domain.com > google apps mx > Office 365 route > Office 365 forwards email for bob to bob@gmail.com > google apps receives email and delivers to Bob > when Bob replies he chooses to reply as bob@domain.com instead of bob@gmail.com
Option #2
Like O365 support said, you can look into setting up the Internet Relay Domain option. What they were referring to is called Shared SMTP Namespace. I've never done it with Google Apps, but the concept is the same with them overall I would presume.
However, the issue you are running into is probably because you have actual mailboxes instead of contact email addresses only for those users. They can't have actual mailboxes on the Exchange/O365 server itself, just an O365 user ID with a contact email address.
But you'll also have to setup such a thing on Google Apps side somehow to (again not familiar with how they do it)...because otherwise you'll end up with a loop. You'll need something on their side that says "check for mailbox and if not found send to O365".
The flow would work like:
External Email to bob@domain.com > google apps receives and checks for local mailbox. If found, deliver...if not > Office 365 route > O365 delivers to mailbox there.
Office365 user emails bob@domain.com > Office 365 finds no Exchange mailbox but does see bob@domain.com as a contact > Exchange Online has the Internet Relay Domain setup for domain.com and the next hop set back to send outbound to the MX record > google apps receives email and delivers to Bob's mailbox locally on Google Apps.
Again, you'll need to make sure that Google Apps knows to check for bob@domain.com mailbox locally before sending everything else on to O365. Otherwise it will cause a mail routing loop.
Hope that helps.
Are you sure mail flow is going directly from your Hybrid server to O365?
When you ran the hybrid wizard it should have created connectors locally and in O365, which will tread mail flow between the forests as internal mail. This means it will bypass the EOP/Spam checks and you should never see those SPF messages.
If your edge device is modifying the headers this may be causing your issue - between your server and O365 nothing should modify the message headers. Make sure you don't have an existing connector that may be overriding the ones created by the Hybrid wizard. You can always delete the existing connectors that were created and re-run the wizard to re-create them.
Check your transport rules in Exchange and make sure they are not modifying the message before going to O365, if they are disable them and test again to make sure those are not your problem.
Last (or maybe first) check that your federation is configured correctly. If it's not that could be why your mail is not treated correctly. This is where re-running the Hybrid wizard can you help you as well.
Best Answer
I don't think that Exchange is actually forwarding the emails. If that were the case then the email would be listed as coming from an
@customerdomain
address. The emails are just redistributed to another mail system. This being the case, and by design, SPF is broken because Office365 is not allowed to send mail on behalf ofvendor.com
.One way to achieve this would be to set up
administrator@customerdomain.com
as a shared mailbox and configure auto-forwarding on the mailbox settings. This way the emails are being sent by an@customerdomain.com
address and SPF won't fail.I considered how you might set up some kind of exclusion in your mail system, but you would have to know the details of all senders to be able to configure any kind of bypass; even then you would be opening yourself up to security risks, which happens any time you decide to 'trust' a sender.
That said, I just did my own bit of research and it seems Microsoft are in the process of rolling out Sender Rewriting Scheme (SRS), which fixes this very problem:
Maybe your problem will be resolved imminently...
https://products.office.com/en-us/business/office-365-roadmap