
Why is this incoming message failing?

postfix/smtpd[4776]: connect from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]
postfix/smtpd[4776]: Anonymous TLS connection established from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]: TLSv1.2 with cipher <snip>4 (256/256 bits)
postfix/smtpd[4776]: 631A5453D55: client=mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]
postfix/cleanup[4781]: 631A5453D55: message-id=<414<snip>MDC019E7.cnb.Corp.net>
opendkim[849]: 631A5453D55: mail-mw2nam10on2073.outbound.protection.outlook.com [40.107.94.73] not internal
opendkim[849]: 631A5453D55: not authenticated
opendkim[849]: 631A5453D55: DKIM verification successful
opendmarc[840]: 631A5453D55 ignoring Authentication-Results at 1 from ip-<snip>.ec2.internal
opendmarc[840]: 631A5453D55: SPF(mailfrom): some.user@cnb.com fail
opendmarc[840]: 631A5453D55: cnb.com fail
postfix/cleanup[4781]: 631A5453D55: milter-reject: END-OF-MESSAGE from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]: 5.7.1 rejected by DMARC policy for cnb.com; from=<some.user@cnb.com> to=<me@mydomain.com> proto=ESMTP helo=<NAM10-MW2-obe.outbound.protection.outlook.com>
postfix/smtpd[4776]: disconnect from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]

It appears that cnb.com's DNS has the correct MS record (spf.protection.outlook.com) mentioned by MS here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide

# dig cnb.com txt|grep spf
    cnb.com.                290     IN      TXT     "v=spf1 include:spf.protection.outlook.com include:cnb.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

They are coming from an IP in the 40.107.0.0/16 network here:
https://mxtoolbox.com/SuperTool.aspx?action=spf:spf.protection.outlook.com&newAppVersion=1

Have they done something wrong in their SPF config or is it something on my end?

Andrew
  • Does pass for me, so unless it happened again, it's probably safe to assume the record you looked at is not the same that was fetched when the mail was received. – anx Oct 07 '20 at 10:36
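To make the SPF side of that log concrete, here is an added example (my code, not part of the question, the comment or the answer): a toy SPF check_host() covering the mechanisms the quoted cnb.com record actually uses (include, ip4, all, and the %{i}/%{h}/%{d} macros in the third include), run against an in-memory DNS table so it works offline. The function names (expand_macros, check_host, evaluate) and the contents of the included records are my assumptions: spf.protection.outlook.com is modelled as a lone ip4:40.107.0.0/16 entry because the question says the client IP falls in that network, and the two vali.email includes are modelled as empty "-all" records. It shows three things a practitioner would want to see: the record passes when the include lists the /16; a lookup failure inside an include gives temperror rather than fail (RFC 7208 section 5.2); and an include answer that does not contain the IP falls through to the record's own ~all, i.e. softfail. DMARC only accepts an SPF pass, so softfail, fail and the error results all count as an SPF failure for the DMARC check.

```python
"""Toy SPF check_host() (RFC 7208 subset) over a constructed DNS table.

Added example, not code from the question or the answer. Evaluates the cnb.com
record quoted in the question for the client IP and HELO taken from the log.
Included-record contents are assumptions (see comments); nothing here is live DNS.
"""
import ipaddress
import re

DNS_ERROR = object()   # marker: lookup failed (timeout/SERVFAIL), as opposed to "no TXT record"

# The record exactly as quoted in the question.
CNB_RECORD = ("v=spf1 include:spf.protection.outlook.com "
              "include:cnb.com._nspf.vali.email "
              "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all")

# macro-letter, optional digit count, optional 'r' (reverse), optional delimiter set
MACRO_RE = re.compile(r"%\{([slodih])(\d*)(r?)([.\-+,/_=]*)\}")


def expand_macros(spec, ip, domain, sender, helo):
    """Expand the RFC 7208 section 7 macros used in SPF domain-specs (IPv4 %{i} only)."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain,
              "d": domain, "i": str(ip), "h": helo}

    def repl(m):
        letter, count, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if count:
            parts = parts[-int(count):]       # keep only the right-most N labels
        return ".".join(parts)

    expanded = MACRO_RE.sub(repl, spec)
    return expanded.replace("%_", " ").replace("%-", "%20").replace("%%", "%")


QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, sender, helo, dns, depth=0):
    """Return pass/fail/softfail/neutral/none/temperror/permerror for (ip, domain)."""
    if depth > 10:                            # crude stand-in for the RFC 7208 4.6.4 lookup limit
        return "permerror"
    record = dns.get(domain.lower())
    if record is DNS_ERROR:
        return "temperror"
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        if "=" in term.partition(":")[0]:
            continue                          # modifier (redirect=, exp=): ignored in this toy
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            target = expand_macros(arg, ip, domain, sender, helo)
            sub = check_host(ip, target, sender, helo, dns, depth + 1)
            if sub == "temperror":
                return "temperror"            # RFC 7208 5.2: a failed include lookup propagates
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"           # fail/softfail/neutral inside an include = no match
        else:
            return "permerror"                # a, mx, ptr, exists, ip6 are not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                          # no term matched and no "all" present


# Values taken from the log lines in the question.
IP = ipaddress.ip_address("40.107.94.73")
SENDER = "some.user@cnb.com"
HELO = "NAM10-MW2-obe.outbound.protection.outlook.com"
VALI_NAME = expand_macros("%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email", IP, "cnb.com", SENDER, HELO)


def evaluate(outlook_record):
    """Run check_host for the logged message with a given answer for the
    spf.protection.outlook.com lookup (DNS_ERROR simulates an unreachable NS)."""
    dns = {                                   # constructed table, not live DNS
        "cnb.com": CNB_RECORD,
        "spf.protection.outlook.com": outlook_record,   # assumption, varies per scenario
        "cnb.com._nspf.vali.email": "v=spf1 -all",      # assumption
        VALI_NAME.lower(): "v=spf1 -all",               # assumption
    }
    return check_host(IP, "cnb.com", SENDER, HELO, dns)


if __name__ == "__main__":
    print("third include expands to:", VALI_NAME)
    for label, answer in [("include lists 40.107.0.0/16", "v=spf1 ip4:40.107.0.0/16 -all"),
                          ("include lookup fails", DNS_ERROR),
                          ("include lacks the /16", "v=spf1 ip4:40.92.0.0/15 -all")]:
        print(f"{label:28} -> {evaluate(answer)}")
```

The first include is evaluated before the two vali.email ones, so when it matches, the macro-built names are never looked up at all. When diagnosing a case like the one in the log, the useful check is to query the TXT records from the resolver the opendmarc host itself uses (the one in its /etc/resolv.conf) rather than from a workstation or a web tool, because the two can see different answers at different times.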

1 Answer


It looks like the DNS query does not reach the NS server from some parts of the world, with nearly 8% failures; it could be related to traffic or firewall rules, as this query shows:

https://atlas.ripe.net/measurements/30167421/#probes

dominix