MS.EXO.02.2: False negative on example.mail.onmicrosoft.com

[moorereason]

Given

• maester version 00fd5db (essentially v1.0.22-preview)
• A domain of example.mail.onmicrosoft.com
• SFP record of: v=spf1 include:outlook.com -all

Result

Test-MtCisaSpfDirective (MS.EXE.02.2) returns a failure result with:

• Reason: No EXO directive
• Directives: include:outlook.com

Problem

This is a false negative. Microsoft has correctly published an SPF record to restrict authorized senders of that domain.

See:

maester/powershell/public/cisa/exchange/Test-MtCisaSpfDirective.ps1

Lines 46 to 47 in 00fd5db

	}elseif(($directives|Measure-Object).Count -ge 1 -and -not $check){
	$spfRecord.reason = "No EXO directive"

The logic appears to require a include:spf.protection.outlook.com directive, which Microsoft does not use for this domain. AFAIK, I have no control over that SFP record.

Proposed Solution

        }elseif(($directives|Measure-Object).Count -ge 1 -and -not $domain.EndsWith(".mail.onmicrosoft.com") -and -not $check){

I'm happy to submit a PR.

It might also be helpful to update the documentation for this check to explain that the include:spf.protection.outlook.com directive is required for all domains (except for the .mail.onmicrosoft.com domains).

[soulemike]

I hadn't dug deep enough to notice this nuance before. After some review this appears to only impact the placeholder used for remote routing by the hybrid configuration wizard. I assume this is due to bypassing EOP, but unsure why.

I would recommend amending the proposed solution to show mail.onmicrosoft.com domains as skipped. So they still show, but just are ignored.

It is a good call out on the documentation as well. A note could be added to the effect that "Additional controls restricting use of the HCW domain should be used. Such as transport rules. While production use of this domain should be as limited as possible.".

I did double check and this is only for the HCW domain, MOERA does still use EOP.

[moorereason]

I'm working on a PR for this.