Overview
Internal emails are marked as spoofed in an Exchange and 0ffice 365 hybrid environment. Antispoofing logs consistently show that emails originating from these IP's are considered spoofed:
2020-10-21,12:56:37,665,1,"#00002d08","#000004fc","info ","ase_antispoofing","Connecting IP [104.47.101.59]"
2020-10-21,12:56:37,665,1,"#00002d08","#000004fc","info ","ase_antispoofing","SMTP mail sender address [<email address>]"
2020-10-21,12:56:37,665,1,"#00002d08","#000004fc","info ","ase_antispoofing","SMTP mail sender domain is associated with a local user account"
2020-10-21,12:56:37,665,1,"#00002d08","#000004fc","info ","ase_antispoofing","Message IS spoofed"
Solution
Some of the listed IP ranges are missing in the antispoofing filter configuration. Obtain the complete list of IP's from the Office 365 URLs and IP address ranges article.
Add the missing IPs to the list as described in the Enabling and configuring Anti-Spoofing article.
Make sure that your local SMTP server's IP address is added to the Perimeter Server configuration.
More details related to how to access the Microsoft IP Web Service may be found in the Office 365 IP Address and URL web service article.
Testing
Internal emails are no longer marked as spoofed. If the issue persists, contact GFI MailEssentials Support.