SPF on Office 365 – Can the return-path address be spoofed by another Office 365 sender

Tags: email, microsoft-office-365, spf

I'm not an email expert by any stretch, so please forgive my lack of correct terminology.

My understanding of SPF is that mail servers that receive mail will look at the return-path domain, and check to see if the server that sent that mail was authorized to by checking SPF records in DNS. But how does this work with "cloud email" solutions, like Office 365?

For example, my domain uses Office 365 Exchange Online for email. For SPF, we have the record v=spf1 include:spf.protection.outlook.com -all. Does this authorize any Office 365 user, even those outside my domain, to submit mail with return-path as a user in my domain, to their Office 365 mail server and have it pass SPF? After all, I've authorized all protection.outlook.com servers as valid senders, right? Or does Office 365 use some other authentication mechanism to prevent this kind of spoofing?

The specific issue I am trying to troubleshoot is that one of my users received an email that we suspect is spam, and that appears to be coming from one of their contacts. When I look at the email headers, I see that SPF passed, and the return-path matches the "from" in the email, as the actual contact's email address. The contact is using Office 365 for email, and SPF for their domain authorized all protection.outlook.com servers as valid senders. What does this mean? Does this mean that their email account was compromised? Or could the return-path still be spoofed and pass SPF on Office 365?

Best Answer

SPF is by no means a perfect system, only an additional tool in your anti-spoofing toolbox and other people's anti-spam efforts.

Your SPF record will (assuming people's inbound servers have SPF checks) block spoofing from anything outside of the Microsoft Office 365 email systems. SPF-wise, Office 365 users can spoof each other with abandon.

Your SPF record is by no means useless - it will decrease the amount of emails illegitimately sent on your behalf, but will not decrease it to zero.

The only way to truly prevent spoofing, and that is only if everybody had SPF checks, would be to have your own outgoing email server (mail.yourdomain.com) and include that in your SPF record. Unfortunately this is a very theoretical setup for most people, as eventually you'd have to give permissions to different providers to email on your behalf (i.e. MailChimp, Freshdesk, etc.) and their users would be allowed (SPF-wise) to spoof your email address.

In short: SPF cannot prevent spoofing from Office 365 users since that is in your SPF record (and rightly so).
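To make the answer's point concrete, here is an added illustration that is not part of the question or the answer above: a small evaluator for the subset of the SPF check_host() algorithm (RFC 7208) that matters here, namely `ip4`/`ip6`, `include` and `all`. It runs against a constructed, in-memory table of TXT records instead of real DNS, and the provider name `spf.protection.example-provider.net`, the tenant domains and the IP ranges are placeholders standing in for Office 365 and its outbound addresses, not Microsoft's real values. Two tenants both include the same provider record, so a message relayed from any provider IP passes SPF for either tenant's return-path domain; a self-hosted domain with its own `ip4` entry does not share that trust boundary. The `tenants_sharing_include()` helper is one way an admin can enumerate, from their own zone data, which other domains sit inside the same SPF trust boundary.

```python
import ipaddress

# Constructed zone data standing in for real TXT lookups.
# Provider name and address ranges are placeholders (documentation ranges), not Microsoft's.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 include:spf.protection.example-provider.net -all",
    "other-tenant.example": "v=spf1 include:spf.protection.example-provider.net -all",
    "selfhosted.example": "v=spf1 ip4:198.51.100.25 -all",
    "spf.protection.example-provider.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:ff::/48 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF TXT record for a domain from the stub zone, or None if absent."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Toy RFC 7208 check_host(): supports ip4, ip6, include and all only.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms such as a, mx, ptr and exists are deliberately not implemented.
    """
    if depth > 10:  # RFC limit on DNS-querying mechanisms, approximated by recursion depth
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # 'addr in network' is False when address families differ, so ip6 terms
                # never match an IPv4 client and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            inner = check_host(ip, arg, dns, depth + 1)
            if inner == "pass":
                matched = True
            elif inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # unsupported mechanism in this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def spf_result_for_message(client_ip, return_path):
    """Evaluate SPF for a message given the connecting IP and the return-path (MAIL FROM)."""
    domain = return_path.rsplit("@", 1)[-1]
    return check_host(client_ip, domain)


def includes_of(domain, dns=FAKE_DNS_TXT):
    """Set of include: targets named in a domain's SPF record."""
    record = lookup_spf(domain, dns)
    if record is None:
        return set()
    targets = set()
    for term in record.split()[1:]:
        term = term.lstrip("".join(QUALIFIERS))
        if term.lower().startswith("include:"):
            targets.add(term[len("include:"):].lower())
    return targets


def tenants_sharing_include(domain, dns=FAKE_DNS_TXT):
    """Other domains in the zone data whose SPF record includes any of the same targets.

    Every domain returned can have its mail pass SPF from the same provider IPs as `domain`.
    """
    mine = includes_of(domain, dns)
    return sorted(d for d in dns if d != domain.lower() and includes_of(d, dns) & mine)


if __name__ == "__main__":
    provider_ip = "203.0.113.45"  # constructed: an address inside the provider's outbound range
    print(spf_result_for_message(provider_ip, "alice@example.com"))        # pass
    print(spf_result_for_message(provider_ip, "mallory@other-tenant.example"))  # pass too
    print(spf_result_for_message("198.51.100.25", "alice@example.com"))    # fail
    print(tenants_sharing_include("example.com"))  # ['other-tenant.example']
```

The first two results are the answer's point in code: the same provider IP yields "pass" whichever tenant's domain appears in the return-path, because both records delegate to the identical include. The third shows that a host outside the provider's range still hits `-all`. This is why an SPF pass in the headers described in the question is consistent with either a compromised mailbox or another tenant on the same provider, and why SPF alone cannot distinguish the two.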