Does SPF need an update to handle non-existent includes? I say yes.

Over the past month, my team and I have been going over logs in our system, looking for SPF PermErrors and trying to figure out how many we had, and the root cause of them. As it turns out, there are lots of things that cause a permanent SPF failure. The most common examples are…


A second update to the problem of email forwarding in Office 365

18 months ago, I wrote the following blog post: Why does my email from Facebook, that I forward from my account, get rejected. 6 (ish) months ago, I provided an update at An update on the forwarding email problem in Office 365 where I said that we made a change such that Exchange Transport Rules…


Troubleshooting the red (Suspicious) Safety Tip for fraud detection checks

Introduction It has now been about 8 months since we released our antispoofing protection in Office 365, a feature that defends against Business Email Compromise, where the From and To domains are the same. You can read more about that feature at my other blog post Antispoofing in Office 365. To summarize, it defends against others…


Taking the hassle out of email authentication

Last month in Cologne, Germany, at the Certified Senders Alliance conference, I gave a presentation entitled “Taking the hassle out of email authentication.” Below is a slightly modified format of my slide show. Enjoy! Taking the hassle out of email authentication from Terry Zink


DKIM signing done, now on to

A couple of months ago, I wrote a blog post that we were starting to roll out DKIM signing for our consumer email accounts sending from These are for accounts that have been migrated from the old Hotmail/ infrastructure and onto our new Exchange Online infrastructure. Not all accounts have been migrated yet, so…


A Powershell script to help you validate your DKIM config in Office 365

One of our support engineers (not me, so let’s give credit where credit is due) wrote a script to help you, as a customer of Office 365, validate your DKIM configuration once you have enabled it in the Admin Portal. We’ve added a few more checks to make it more clear, but you can also…


How antispoofing protection works in Office 365

Update: This blog post is being deprecated and information has been moved to Antispoofing protection in Office 365. Exchange Online Protection (EOP), the email filtering component of Office 365, is rolling out, or has already rolled out, full antispoof protection for all of its customers. Most of our customers already have this protection, and…


Common errors in SPF records

The other day I was asked to come up with some common errors that we see when people set up SPF records as we want to start notifying our customers when they have these types of errors. I thought it would be a good idea to make this public and add to it as necessary….


Office 365 is expanding its DKIM-signing to our consumer brands plus adding default signatures to enterprise email traffic

Here at Office365 and Hotmail/, we are making some changes with regards to our DKIM-signing in both services. We believe in sender authentication, especially with regards to DKIM, and plan to sign 100% of all email in both services. 1. First, email traffic from our consumer brands will all be DKIM-signed (eventually) First, and…


Email authentication should work out of the box and we should not rely upon domain owners to do it themselves

This is going to be a long post. Sorry. I didn’t have time to write a shorter one. Who should be responsible for setting up email authentication records? For years, I have been discussing the virtues of publishing email authentication records including SPF, DKIM, and DMARC. There are plenty of tutorials and documentation on the…


The common types of spear phish we see today

As 2015 draws near to a close, I thought I’d write a blog post about the type of spear phishes we are seeing lately against our customer base. This is not general brand phish like someone spoofing Paypal, but instead a phisher trying to impersonate your domain, for example, if the domain under attack is…


Exchange Online is rolling out default DKIM-signing to everyone

If you are a customer of Office 365 (Exchange Online Protection, or EOP), you may have noticed, or will be noticing, that we are adding DKIM signatures to your outgoing email, even if you haven’t explicitly enabled DKIM-signing for your domain (see instructions here: We are gradually rolling this out to everyone. If you…


DMARC one year later, and what have we learned?

It has been one year since I posted that Office 365 now supports inbound DMARC verification. What do we see in terms of how much mail it blocks in production? Well, we’ve learned a lot of things; some of it good, and some of it bad. I took a look at our network-wide statistics yesterday…


How Office 365 does automatic DKIM key rotation

As you can see from one of my other posts, Office 365 now lets you sign your outbound email with DKIM signatures. One of the key differences between how we do it and how almost every other service does it is that instead of requiring the customer to publish the public key in DNS (and…