If you’ve talked to me in person over the past few months, you may have heard me talk about this. But if not, I’ll talk about it in this blog post and what it means.
Exchange Online Protection (EOP), the mail filtering branch of Office 365 (I use the terms interchangeably) is the email-for-enterprise part of Microsoft. EOP originally started off as Frontbridge Technologies, based out of Los Angeles. It was acquired by Microsoft in 2005 and was renamed a few times, most recently as Forefront Online Protection for Exchange (FOPE). All of the backend infrastructure of FOPE has been retired and EOP is entirely built on a different platform.
Hotmail was acquired by Microsoft in the 1990’s and a couple of years ago was rechristened as outlook.com, which I will heretofore refer to as “consumer”. It ran on a different filtering stack, and email filtering technology, than EOP/FOPE. We shared some technology but not that much as the email in consumer is different than the email in enterprise. Furthermore, the architectural differences between the two made sharing technologies difficult even if we wanted to share. While we negotiated third party vendor contracts as a company, we each implemented them differently.
Over the past several months, the two teams merged – outlook.com and EOP together at last. That’s all well and good, the two teams are together. But what next?
The way forward
The biggest advantage of bringing the two teams together is combining technologies where it makes sense. Techniques that work in one can move to the other; the two services probably won’t use the same filter, but each will have parts in common. Outlook.com’s email profile is not the same as Office 365 – consumer email is different than enterprise email and therefore what works in one may not work in the other. Techniques apply but perhaps not at the same level of aggressiveness.
One example is DMARC. In outlook.com, it follows the DMARC spec by rejecting messages that fail if the sending domain has p=reject. However, Office 365 marks it as junk and sets the phishing confidence level to 9, and then lets the Outlook mail client disable links, attachments, and Reply/Reply All.
What I’m working on that relates to this
So where do I fit into all this? The biggest pieces I am doing:
- The Safety UX
Outlook.com has a green shield for senders who are heavily spoofed but authenticate, but Outlook Web Access (OWA) does not. I’m working on overhauling the safety experience in OWA so that users can know why a message is marked up the way it is, and then carry over this experience to enterprise and not only in consumer.
- Backscatter protection with Boomerang
You’ve heard me talk about Backscatter protection with Boomerang before. We just released it enterprise, and it’s a necessary component before migrating consumer mailboxes.
- DKIM and DMARC
EOP already supports inbound DKIM verification, but so does outlook.com. EOP supports DMARC and so does outlook.com, but EOP does it a little differently (I have other blog posts that explain the difference). However, EOP has yet to turn on DMARC reports, we have to fix a couple of items in the Exchange MTA before we do.
Then we will be at parity with outlook.com.
But even more than that, EOP is currently working on DKIM-signing (it’s on ourpublic roadmap). Eventually, when outlook.com moves over to EOP I’d like to get it to start signing with DKIM. That will be an improvement to the Hotmail service, rather than a simple migration.
People sometimes ask me “Does outlook.com (or Hotmail) plan to create a DMARC record with p=reject the same way that Yahoo and AOL do?”
My response is non-committal. Before we can look at that, we need to get the fix in Exchange completed to preserve message content. We can deploy this fix in Office 365, but we also need to push it to various versions of on-premise Exchange server; what versions do we push it to? How much uptake is enough? Next, we need to sign all mail in Hotmail with DKIM which means we have to migrate the entire user base of Hotmail over to EOP. Then, we have to measure and assess the potential impact.
So before I can even answer the question, I need to know what will happen if we do and then do a cost/benefit analysis and as you can see, it’s a long path forward.
So, that’s part of what’s happening with Office 365 and outlook.com right now. It’s not everything that’s going on with the service but it is a big part of it.