Some customers may have a mailbox outside the Hosted Exchange environment that they use to receive emails and then have them forwarded on to their Hosted Exchange mailbox. If these are server side forwards where the originating email address is kept intact they can fail the SenderID/SPF test that our edge servers perform on all incoming email. In this circumstance the email will be rejected. This is by design.
A domain owner can chose to publish to the Internet the servers that they consider authoritive to send emails on their behalf. This ensures that people cannot fake an email address that belongs to the company. We honor SPF records and because a server side forward is delivering the email to us as though it was sent from the originating email sender and the forwarding server is not typically authorised to send email as that email address we reject it.
The only way around this situation is to change the way the system forwards emails so that they come from the forwarding mailbox address rather than the originating sender or alternatively have the emails delivered directly to the destination mailbox at theCloud rather than going through an intermediary mailbox and then being forwarded.
The SenderID framework ensures that people cannot use a legitimate domain name to send fraudulent emails. By honoring this setting we reduce the chance our customers get unwanted invitiations to reset their kiwibank password or update their paypal details from email addresses that look legitimate but are infact fraudulent. It has noticably reduced the amount of unwanted email our customers receive.