Taking the hassle out of email authentication

Last month in Cologne, Germany, at the Certified Senders Alliance conference, I gave a presentation entitled “Taking the hassle out of email authentication.” Below is a slightly modified format of my slide show. Enjoy!

Taking the hassle out of email authentication, from Terry Zink


Outlook.com DKIM signing done, now on to hotmail.com

A couple of months ago, I wrote a blog post that we were starting to roll out DKIM signing for our consumer email accounts sending from @outlook.com. These are for accounts that have been migrated from the old Hotmail/outlook.com infrastructure and onto our new Exchange Online infrastructure. Not all accounts have been migrated yet, so…


A PowerShell script to help you validate your DKIM config in Office 365

One of our support engineers (not me, so let’s give credit where credit is due) wrote a script to help you, as a customer of Office 365, validate your DKIM configuration once you have enabled it in the Admin Portal. We’ve added a few more checks to make it clearer, but you can also…


How antispoofing protection works in Office 365

Exchange Online Protection (EOP), the email filtering component of Office 365, is rolling out, or has already rolled out, full antispoof protection for all of its customers. Most of our customers already have this protection, and now we are preparing to roll it out to everyone else. [tzink 2016.11.03 – This is rolled out for…


Common errors in SPF records

The other day I was asked to come up with some common errors that we see when people set up SPF records, as we want to start notifying our customers when they have these types of errors. I thought it would be a good idea to make this public and add to it as necessary….


Office 365 is expanding its DKIM-signing to our consumer brands plus adding default signatures to enterprise email traffic

Here at Office 365 and Hotmail/outlook.com, we are making some changes with regard to our DKIM-signing in both services. We believe in sender authentication, especially with regard to DKIM, and plan to sign 100% of all email in both services. 1. First, email traffic from our consumer brands will all be DKIM-signed (eventually) First, Outlook.com and…


Email authentication should work out of the box and we should not rely upon domain owners to do it themselves

This is going to be a long post. Sorry. I didn’t have time to write a shorter one. Who should be responsible for setting up email authentication records? For years, I have been discussing the virtues of publishing email authentication records including SPF, DKIM, and DMARC. There are plenty of tutorials and documentation on the…


The common types of spear phish we see today

As 2015 draws near to a close, I thought I’d write a blog post about the type of spear phishes we are seeing lately against our customer base. This is not general brand phish like someone spoofing Paypal, but instead a phisher trying to impersonate your domain, for example, if the domain under attack is…


Exchange Online is rolling out default DKIM-signing to everyone

If you are a customer of Office 365 (Exchange Online Protection, or EOP), you may have noticed, or will be noticing, that we are adding DKIM signatures to your outgoing email, even if you haven’t explicitly enabled DKIM-signing for your domain (see instructions here: http://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkim-signing-in-office-365.aspx). We are gradually rolling this out to everyone. If you…


DMARC one year later, and what have we learned?

It has been one year since I posted that Office 365 now supports inbound DMARC verification. What do we see in terms of how much mail it blocks in production? Well, we’ve learned a lot of things; some of it good, and some of it bad. I took a look at our network-wide statistics yesterday…


How Office 365 does automatic DKIM key rotation

As you can see from one of my other posts, Office 365 now lets you sign your outbound email with DKIM signatures. One of the key differences between how we do it and how almost every other service does it is that instead of requiring the customer to publish the public key in DNS (and…


Manually hooking up DKIM signing in Office 365

Note: This content also appears on our official documentation here, Use DKIM to validate outbound email sent from your domain in Office 365. Here’s how to enable DKIM signing for your domain if it is hosted in Office 365 (Exchange Online Protection). What steps do I have to take to enable DKIM? First, for each…


Combating spoofing

Three years ago, I wrote a blog post entitled Combating Phishing talking about what Exchange Online Protection (EOP) does to stop phishing messages [1]. Last year, I wrote one of my most popular blog posts entitled Why does spam and phishing get through Office 365, and what can be done about it? Recently, I wrote…


(Not) Using the Additional Spam Filtering option for SPF hard fail to block apparently internal email spoofing

Recently, I’ve noticed that sometimes customers in Office 365 will log in to the Exchange Admin Center, go to Protection –> Spam Filter –> Advanced Options and enable the Advanced Spam Filtering (ASF) option for “SPF Hard Fail.” The reason people do this is to stop messages from arriving into a customer’s organization that look like…


What is the best combination for your SPF record, DKIM record, and DMARC record?

Sometimes [1] people ask me what the best combination of SPF record is if they publish a DMARC record and DKIM record. How should we best prevent spoofing using authentication records that we publish in DNS? Here’s what I think. First, a domain should publish an SPF Hard Fail in its SPF record if they…