This is a follow-up to a post a few weeks ago about authentication changes at Office365. We have some more clarity on what is going on there. This is the best information we have right now.
Microsoft is now requiring authentication to match the visible from address in order to reach the inbox at Office365. That means, either the SPF domain or the DKIM domain must align (in the DMARC sense) to the visible from domain. Simply, that means that the visible from and the signing domain must be identical or one must be a subdomain of the other.
The reason they’re doing this is to protect their users from forged emails. I can’t fault them for this at all. Many of their customers are SMBs. These businesses are targets for wire fraud, to the tune of tens of billions of dollars. In fact, one of the other companies my bookkeeper worked for in CA almost got roped in by this fraud back in 2016 or so.
Microsoft has always been looking for ways to validate the visible from address. That’s a big part of their push for SenderID, which suffered really poor uptake. This is leveraging the philosophy of DMARC and the improvement in support for authentication technology that’s developed over the last 15 years.
Adapting to this will be challenging for some ESPs, particularly those that service the SMB market. At many of these companies, technical issues are handled by employees who manage technology as a small part of their job. Thus, there is a steep learning curve when trying to deploy new technology. Others have consultants or outsourced technology, many of whom are great at handling internal Windows networks and hardware, but don’t really get the intricacies of email authentication.
I see this as somewhat akin to Yahoo deploying DMARC p=reject. That was a significant and email-breaking change implemented by Yahoo in response to specific security issues. This made it clear to other consumer mail providers, email intermediaries and receivers that DMARC was something they’d have to adapt to. That adaptation was neither easy nor cost free. But it did force a change in how ESPs were doing business.
Here, we have Office365 making a decision that is significant and email-breaking, even for some of their customers. It may be that longer term we see other consumer webmail providers starting to tighten down their requirements for alignment even in the absence of a DMARC record. I don’t think it’s that unreasonable; ESPs have had 6 years to build the infrastructure to manage this.
The takeaway here is that if your customers are having problems getting mail into Office365, one of your first troubleshooting steps should be to ensure that authentication aligns with the visible from address. If it doesn’t, fix that first. Of course, alignment is not a magic wand into the inbox. If your content is spammy or your reputation is poor, your mail will go to the bulk folder.
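As an added illustration of the troubleshooting step just described (this is example code, not from the original post or from Microsoft), the script below pulls the visible From domain, the SPF-authenticated domain and the DKIM signing domain out of a message's headers and applies the alignment rule stated above: identical, or one a subdomain of the other. The header samples and domain names are constructed; it reads the receiver's Authentication-Results header rather than re-verifying SPF or DKIM itself.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def aligned(from_domain, auth_domain):
    # Rule as the post states it: identical, or one is a subdomain of the other.
    # (Real DMARC relaxed alignment compares organizational domains via the
    # Public Suffix List; this approximation is good enough for triage.)
    if not from_domain or not auth_domain:
        return False
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))

def check_alignment(raw_headers):
    """Parse From: and Authentication-Results: and report what aligns with From."""
    msg = message_from_string(raw_headers)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower() or None
    ar = " ".join(msg.get_all("Authentication-Results", []))
    # smtp.mailfrom may be a full address or just a domain; header.d is a domain.
    spf = re.search(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;)]+)", ar)
    dkim = re.search(r"dkim=pass[^;]*?header\.d=([^\s;)]+)", ar)
    spf_domain = spf.group(1).lower() if spf else None
    dkim_domain = dkim.group(1).lower() if dkim else None
    spf_ok = aligned(from_domain, spf_domain)
    dkim_ok = aligned(from_domain, dkim_domain)
    return {"from": from_domain, "spf": spf_domain, "dkim": dkim_domain,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "aligned": spf_ok or dkim_ok}

# Constructed headers: an ESP sends on behalf of a customer domain. SPF and DKIM
# both pass, but neither authenticated domain is the customer's, so nothing aligns.
ESP_UNALIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=b-123@bounce.esp-provider.example;
 dkim=pass (signature was verified) header.d=esp-provider.example
From: "Acme Billing" <billing@acme-widgets.example>

"""

# Same sender after the customer delegates a DKIM subdomain to the ESP: the
# signing domain is now a subdomain of the visible From domain, so DKIM aligns.
ESP_DKIM_ALIGNED = ESP_UNALIGNED.replace(
    "header.d=esp-provider.example", "header.d=mail.acme-widgets.example")

if __name__ == "__main__":
    for label, hdrs in (("unaligned", ESP_UNALIGNED), ("dkim-aligned", ESP_DKIM_ALIGNED)):
        print(label, check_alignment(hdrs))
```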
Ignoring the ‘p=none’ directive rubs me the wrong way.
@jacob Microsoft is also ignoring the p=reject directives, so I’m not that surprised.
But at least that’s their policy, what surprises me instead is that over a month after rolling out the authentication policies Microsoft still manages to eff-up properly authenticated emails, with aligned and passing mechanisms. That’s way more gamebreaking than what they intended to do.
a lengthy read but…yeah..
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide