Office365/EOP and Outlook.com/Hotmail will converge

Terry Zink posted two informative blog posts recently, the first being the change to unauthenticated mail sent over IPv6 to EOP and the second post about EOP (Office365 and Exchange Hosting) and Outlook.com/Hotmail infrastructure converging.
Exchange Online Protection (EOP) is the filtering system in place for Office 365 and hosted Exchange customers. Outlook.com/Hotmail utilized its own mail filtering system and provides SNDS/JMRP programs.  EOP is setup for redundancy, failover, provides geo-region servers to serve customers, and has supported TLS for over a decade.  Terry explains that Hotmail’s spam filtering technology is more advanced than EOP’s, but EOP’s backend platform is more advanced. The process to convert Outlook.com/Hotmail to use EOP’s filtering system started six months ago and is still a work in progress. Once completed, Outlook.com/Hotmail and Office365/EOP will share the same UX look and feel. The anti-spam technologies will be able to be shared between the two as they will share the same backend infrastructure.
Some of the challenges of merging the two systems include:

  • Outlook.com/Hotmail displays a green shield for senders who are heavily spoofed but authenticate, Outlook Web Access (Office365/EOP) currently does not.
  • Improving backscatter protection so that when a spammer spoofs your email address and the receiving mail server sends an NDR, the NDR does not go to your inbox since you did not send the original message.
  • EOP and Outlook.com/Hotmail both support DMARC, but handles them differently.
  • EOP currently does not send DMARC reports and fixes need to be made to the MTA so that they will be sent.  Outlook.com/Hotmail currently sends DMARC reports.
  • EOP has DKIM-signing on the public road map and once Outlook.com/Hotmail is converted to EOP, they would like to enable DKIM signing for Outlook.com/Hotmail too.

Terry also mentioned that he is non-committal on whether or not Outlook.com/Hotmail will publish a p=reject DMARC report.  He mentioned there are many considerations that must be factored before making a decision but has not ruled out the possibility. In the comments, someone asked about the impact to the SNDS and JMRP programs with the transition of Outlook.com/Hotmail to EOP and Terry says there will be no impact in the near term and they would like to include EOP into Hotmail’s SNDR/JMRP program.

Email verification services
April 2015: The Month in Email

Related Posts

Hotmail having a bad day

Looks like Hotmail / Microsoft is having a rather bad day. Their DNS seems to be intermittent. While they were down a while ago they were returning SERVFAIL for some DNS lookups, including MX lookups.
For senders who have the DNS data in their recursive resolvers, this will have no impact. For senders who either don’t have the data cached or who have the data expire before the servers come back online there may be a transient increase in the number of bounces at Microsoft domains (Hotmail, Outlook, MSN.com, office365.com and the Microsoft corporate domains including microsoft.com and their other domains like xboxone.com).
 
 

Read More

Office365/EOP IPv6 changes starting today

Terry Zink at Microsoft posted earlier this week that Office365/Exchange Online Protection will have a significant change this week. Office365 uses Exchange Online Protection (EOP) for spam filtering and email protection. One of the requirements to send to EOP over IPv6 is to have the email authenticated with either SPF or DKIM.  If the mail sent to Office365/EOP over IPv6 is not authenticated with SPF or DKIM, EOP would reject the message with a 554 hard bounce message.  Most mail servers accept the 554 status code and would not retry the message.  After multiple 5xx hard bounces to an email address, many mail servers would unsubscribe the user from future email campaigns.  The update starting today April 24, will change the error status code for unauthenticated mail to EOP from a 554 hard bounce to a 450 soft bounce and a RFC-compliant and properly configured mail server would then retry the message.
Prior to April 24, 2015, EOP responds to unauthenticated mail with a status code of: “554 5.7.26 Service Unavailable, message sent over IPv6 must pass either SPF or DKIM validation”.

Read More

Hotmail moves to SPF authentication

Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between SenderID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records.
From an email in my inbox from September:

Read More