A second update to the problem of email forwarding in Office 365

18 months ago, I wrote the following blog post: Why does my email from Facebook, that I forward from my outlook.com account, get rejected. 6 (ish) months ago, I provided an update at An update on the forwarding email problem in Office 365 where I said that we made a change such that Exchange Transport Rules…

2

Troubleshooting the red (Suspicious) Safety Tip for fraud detection checks

Introduction It has now been about 8 months since we released our antispoofing protection in Office 365, a feature that defends against Business Email Compromise, where the From and To domains are the same. You can read more about that feature at http://aka.ms/AntispoofingInOffice365. To summarize, it defends against others spoofing your domain in the From:…

18

Taking the hassle out of email authentication

Last month in Cologne, Germany, at the Certified Senders Alliance conference, I gave a presentation entitled “Taking the hassle out of email authentication.” Below is a slightly modified format of my slide show. Enjoy! Taking the hassle out of email authentication from Terry Zink

0

Outlook.com DKIM signing done, now on to hotmail.com

A couple of months ago, I wrote a blog post that we were starting to roll out DKIM signing for our consumer email accounts sending from @outlook.com. These are for accounts that have been migrated from the old Hotmail/outlook.com infrastructure and onto our new Exchange Online infrastructure. Not all accounts have been migrated yet, so…

2

A Powershell script to help you validate your DKIM config in Office 365

One of our support engineers (not me, so let’s give credit where credit is due) wrote a script to help you, as a customer of Office 365, validate for DKIM configuration once you have enabled it in the Admin Portal. We’ve added a few more checks to make it more clear, but you can also…

8

How antispoofing protection works in Office 365

Update: If you need help removing the red safety tip for antispoofing checks, go here: Troubleshooting the red spoofing tip in Office 365 Exchange Online Protection (EOP), the email filtering component of Office 365, is rolling out, or has already rolled out, full antispoof protection for all of its customers. Most of our customers already…

52

Common errors in SPF records

The other day I was asked to come up with some common errors that we see when people set up SPF records as we want to start notifying our customers when they have these types of errors. I thought it would be a good idea to make this public and add to it as necessary….

4

Office 365 is expanding its DKIM-signing to our consumer brands plus adding default signatures to enterprise email traffic

Here at Office365 and Hotmail/outlook.com, we are making some changes with regards to our DKIM-signing in both services. We believe in sender authentication, especially with regards to DKIM, and plan to sign 100% of all email in both services. 1. First, email traffic from our consumer brands will all be DKIM-signed (eventually) First, Outlook.com and…

2

Email authentication should work out of the box and we should not rely upon domain owners to do it themselves

This is going to be a long post. Sorry. I didn’t have time to write a shorter one. Who should be responsible for setting up email authentication records? For years, I have been discussing the virtues of publishing email authentication records including SPF, DKIM, and DMARC. There are plenty of tutorials and documentation on the…

4

The common types of spear phish we see today

As 2015 draws near to a close, I thought I’d write a blog post about the type of spear phishes we are seeing lately against our customer base. This is not general brand phish like someone spoofing Paypal, but instead a phisher trying to impersonate your domain, for example, if the domain under attack is…

2

Exchange Online is rolling out default DKIM-signing to everyone

If you are a customer of Office 365 (Exchange Online Protection, or EOP), you may have noticed, or will be noticing, that we are adding DKIM signatures to your outgoing email, even if you haven’t explicitly enabled DKIM-signing for your domain (see instructions here: http://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkim-signing-in-office-365.aspx). We are gradually rolling this out to everyone. If you…

7

DMARC one year later, and what have we learned?

It has been one year since I posted that Office 365 now supports inbound DMARC verification. What do we see in terms of how much mail it blocks in production? Well, we’ve learned a lot of things; some of it good, and some of it bad. I took a look at our network-wide statistics yesterday…

2

How Office 365 does automatic DKIM key rotation

As you can see from one of my other posts, Office 365 now lets you sign your outbound email with DKIM signatures. One of the key differences between how we do it and how almost every other service does it is that instead of requiring the customer to publish the public key in DNS (and…

8

Manually hooking up DKIM signing in Office 365

Note: This content also appears on our official documentation here, Use DKIM to validate outbound email sent from your domain in Office 365. Here’s how to enable DKIM signing for your domain if it is hosted in Office 365 (Exchange Online Protection). What steps do I have to take to enable DKIM? First, for each…

73