In the ColdFusion admin I have mail set to send through smtp.office365.com with all their suggested settings.
I can send email using cfmail, and it goes out through their smtp, but they mark it with a spam confidence level of 5. Most services accept the mail and route it to spam/junk folders. Some are refusing and returning the emails.
The message headers say "Authentication-Results: spf=none (sender IP is ) email@example.com" where firstname.lastname@example.org is the sending email address. Elswwehre in the headers I can see IP address of the coldfusion server, which is in the SPF record.
I have SPF set up. According to Microsoft support they say SPF and DKIM are set up correctly and it is a problem with ColdFsuion not using SPF when sending the email. This doesn't seem right to me, but I'm not sure what else to do at this point.
We ae running CF10 in Windows Server 2012 r2.
After a considerable amount of testing sending emails and using the message analyzer at Microsoft Remote Connectivity Analyzer it appears that if I used cfmail type="text" the emails are not marked as spam, but if I use type="html" then they are marked as spam.
Anyone know a way around this?
Have you tried sending multipart email with cfmail/cfmailpart so that both text and html sections exist? So many things go into your spam score, but based on your testing above I'd try that as a starting point. You can google for tips on lowering your spam score, and see online checkers that will help you rewrite your mail appropriately as well.
"Have you tried sending multipart email with cfmail/cfmailpart so that both text and html sections exist"
I didn't even know I could do that.
I tried it and that seems to have been the issue. It's working now.
"it is a problem with ColdFusion not using SPF when sending the email"
You're right, that doesn't sound right to me either. SPF is used by mail recipients, not mail senders. As long as the mail sender's domain has a matching IP address for the sender's SMTP server, the recipient will be able to give the email an SPF "pass".
The problem here is really with the Microsoft Office 365 SMTP service. My first recommendation would be to use some other SMTP server to send your messages, and add the IP address of that to your SPF record. This will almost certainly make your problem go away. For example, if you're deploying within Amazon Web Services, you could use Amazon SES. This isn't really a problem with Office 365 per se - I would recommend the same thing with G Suite. They're typically going to have a lot more controls to mark and flag mail than you want from a generic SMTP service, and those controls will (a) be enabled by default, and (b) not be something you can turn off.
Also, I would definitely follow Nic's advice about using CFMAILPART instead of just using CFMAIL's TYPE attribute.
Next, if you're using DKIM, and your Office 365 environment is also using DKIM, that may cause a problem. I would try not using DKIM, and let Office do that for you.
Finally, I would recommend that you change the name of the MailerID to whatever everyone else is using with Office 365.