By default my firm blocks email spoofing using Mimecast. You can’t send a message from the Internet and claim that it is from our internal domain names. Occasionally we’ve had to make exceptions to the rules for particular public web sites that use email spoofing to send out email messages. Today’s case was The Wall Street Journal. If a user registers with an internal domain name email address and then tries to send an article to themselves, WSJ nicely uses the email address: email@example.com but when sending to anyone else it uses the registered users email address. When they send to another person at the firm, the email is bounced.
After some back and forth with WSJ support, they were able to provide me the external IP addresses that they use to send email:
Once we put those IP addresses in our Mimecast configuration the messages were no longer bouncing. Ideally web sites should NEVER spoof someone’s email address, but at least the IP addresses to allow it to work are available.