Office 365 and are converging infrastructure

If you’ve talked to me in person over the past few months, you may have heard me talk about this. But if not, I’ll talk about it in this blog post and what it means.

Some background

Exchange Online Protection (EOP), the mail filtering branch of Office 365 (I use the terms interchangeably) is the email-for-enterprise part of Microsoft. EOP originally started off as Frontbridge Technologies, based out of Los Angeles. It was acquired by Microsoft in 2005 and was renamed a few times, most recently as Forefront Online Protection for Exchange (FOPE). All of the backend infrastructure of FOPE has been retired and EOP is entirely built on a different platform.

Hotmail was acquired by Microsoft in the 1990’s and a couple of years ago was rechristened as, which I will heretofore refer to as “consumer”. It ran on a different filtering stack, and email filtering technology, than EOP/FOPE. We shared some technology but not that much as the email in consumer is different than the email in enterprise. Furthermore, the architectural differences between the two made sharing technologies difficult even if we wanted to share. While we negotiated third party vendor contracts as a company, we each implemented them differently.

Over the past several months, the two teams merged – and EOP together at last. That’s all well and good, the two teams are together. But what next?

The way forward

The biggest advantage of bringing the two teams together is combining technologies where it makes sense. Techniques that work in one can move to the other; the two services probably won’t use the same filter, but each will have parts in common.’s email profile is not the same as Office 365 – consumer email is different than enterprise email and therefore what works in one may not work in the other. Techniques apply but perhaps not at the same level of aggressiveness.

One example is DMARC. In, it follows the DMARC spec by rejecting messages that fail if the sending domain has p=reject. However, Office 365 marks it as junk and sets the phishing confidence level to 9, and then lets the Outlook mail client disable links, attachments, and Reply/Reply All.

What I’m working on that relates to this

So where do I fit into all this? The biggest pieces I am doing:

  1. The Safety UX has a green shield for senders who are heavily spoofed but authenticate, but Outlook Web Access (OWA) does not. I’m working on overhauling the safety experience in OWA so that users can know why a message is marked up the way it is, and then carry over this experience to enterprise and not only in consumer.

  2. Backscatter protection with Boomerang

    You’ve heard me talk about
    Backscatter protection with Boomerang before. We just released it enterprise, and it’s a necessary component before migrating consumer mailboxes.

  3. DKIM and DMARC

    EOP already supports inbound DKIM verification, but so does EOP supports DMARC and so does, but EOP does it a little differently (I have other blog posts that explain the difference). However, EOP has yet to turn on DMARC reports, we have to fix a couple of items in the Exchange MTA before we do.
    Then we will be at parity with

    But even more than that, EOP is currently working on DKIM-signing (it’s on our public roadmap). Eventually, when moves over to EOP I’d like to get it to start signing with DKIM. That will be an improvement to the Hotmail service, rather than a simple migration.

    People sometimes ask me “Does (or Hotmail) plan to create a DMARC record with p=reject the same way that Yahoo and AOL do?”

    My response is non-committal. Before we can look at that, we need to get the fix in Exchange completed to preserve message content. We can deploy this fix in Office 365, but we also need to push it to various versions of on-premise Exchange server; what versions do we push it to? How much uptake is enough? Next, we need to sign all mail in Hotmail with DKIM which means we have to migrate the entire user base of Hotmail over to EOP. Then, we have to measure and assess the potential impact.
    So before I can even answer the question, I need to know what will happen if we do and then do a cost/benefit analysis and as you can see, it’s a long path forward.

So, that’s part of what’s happening with Office 365 and right now. It’s not everything that’s going on with the service but it is a big part of it.

Comments (3)
  1. Erik Joan says:

    The settings below are sorted by the dialogs that you need to access. If you are having problems finding out where to put in which information, look at the numbers in front of the settings and you can find them back in the screenshots section at the bottom of this document.

  2. Sumit Goyal says:

    Very useful info particularly three last part 🙂 I care for such information a lot

    I was seeking this particular information for a very

    long time. Thank you and good luck.

  3. John Smith says:

    Thanks so much and I am taking a look forward to touch you.

    Will you please drop me a mail?

Comments are closed.

Skip to main content