What is Microsoft's anti-spoofing protection change?
Microsoft frequently enhances its spam filters to reduce the spam and phishing email reaching its users. One of its phishing detection techniques, anti-spoofing protection, checks incoming email for use of the authentication protocols SPF, DKIM, and DMARC.
Because many senders do not use email authentication, and because it can be difficult to properly identify legitimate senders and detect phishing email, Microsoft tightened its email authentication requirements.
- Implicit email authentication: When a sender does not authenticate email using SPF, DKIM, or DMARC, Microsoft relies on other internal signals about the sender related to sending reputation, sending history with recipients, and behavioral analysis to indicate if the sender and email are legitimate.
- Explicit email authentication: Microsoft has used explicit email authentication on senders for years. Now, when a sender authenticates email using SPF and/or DKIM, at least one of the authenticated domains must align with the sending From domain, or there must be other internal signals about the sender indicating that the sender and email are legitimate.
How does it impact me?
- Anti-spoofing protection applies to domains external to your organization and to domains within your organization.
- Anti-spoofing protection is primarily focused on Office 365, but because Microsoft's spam filters all learn from each other, Outlook.com users may also be affected.
- B2B senders will likely see more of an impact than B2C senders. However, Microsoft may apply these changes for Outlook.com users in the future, which would have a larger impact on B2C senders.
- Any email that can't be authenticated implicitly or explicitly will take the action defined in the mailbox provider's anti-phishing/anti-spoofing policy (set up by a company's email administrator).
- The anti-phishing/anti-spoofing policy may allow or filter an email that fails implicit or explicit email authentication.
- If no policy is defined, an email that fails implicit or explicit email authentication is filtered to the junk folder.
- Your email can pass SPF and DKIM authentication and still be perceived as phishing and sent to the junk folder if neither the SPF nor DKIM domain aligns with the sending From domain.
- DMARC requires domain alignment to work. If you implemented DMARC, the domain alignment requirement is already met.
- If you made a recent change to your domains where alignment between the SPF, DKIM, and sending From domain is no longer present, you may encounter delivery problems.
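As an added illustration (example code written for this page, not Microsoft's implementation), the following Python evaluates the alignment rule described above. It takes the From address and a receiver's Authentication-Results header (RFC 8601), extracts the SPF-authenticated MAIL FROM domain and any DKIM signing domains, and reports whether at least one of them aligns with the From domain in DMARC's relaxed (same organizational domain) or strict (exact match) sense. The header values, domains (`example.com`, `esp.example`) and the tiny public-suffix table are constructed assumptions; a real evaluator uses the full Public Suffix List.

```python
import re
from dataclasses import dataclass

# Assumption: a tiny stand-in for the Public Suffix List, which real DMARC
# evaluators use to find the organizational domain. Extend as needed.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk", "org.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable (organizational) domain, e.g. bounce.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def is_aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: strict = exact match, relaxed = same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if strict else organizational_domain(a) == organizational_domain(b)


def parse_authentication_results(header: str):
    """Parse an RFC 8601 Authentication-Results header into (method, result, properties) tuples."""
    header = re.sub(r"\([^)]*\)", "", header)  # drop parenthesised comments
    results = []
    for clause in header.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # the authserv-id clause, or an empty trailing clause
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return results


@dataclass
class AlignmentVerdict:
    spf_aligned: bool
    dkim_aligned: bool

    @property
    def explicit_pass(self) -> bool:
        # Explicit authentication as described in the text: at least one
        # authenticated domain must align with the From domain.
        return self.spf_aligned or self.dkim_aligned


def check_alignment(from_address: str, auth_results: str, strict: bool = False) -> AlignmentVerdict:
    """Combine a passing SPF/DKIM identity with the From domain into an alignment verdict."""
    from_domain = from_address.rsplit("@", 1)[-1]
    spf_aligned = dkim_aligned = False
    for method, result, props in parse_authentication_results(auth_results):
        if result != "pass":
            continue  # only an identity that actually passed can align
        if method == "spf" and "smtp.mailfrom" in props:
            mfrom_domain = props["smtp.mailfrom"].rsplit("@", 1)[-1]
            spf_aligned |= is_aligned(from_domain, mfrom_domain, strict)
        elif method == "dkim" and "header.d" in props:
            dkim_aligned |= is_aligned(from_domain, props["header.d"], strict)
    return AlignmentVerdict(spf_aligned, dkim_aligned)


# Constructed sample headers, not captured mail.
FROM = "news@example.com"
SAMPLES = {
    # SPF on a bounce subdomain plus an ESP's shared DKIM domain: aligns (relaxed) via SPF only.
    "spf_subdomain": "mx.contoso.example; spf=pass smtp.mailfrom=bounce.example.com; "
                     "dkim=pass header.d=shared.esp.example",
    # Both checks pass, but neither domain belongs to the sender: unaligned.
    "unaligned": "mx.contoso.example; spf=pass smtp.mailfrom=bounce.esp.example; "
                 "dkim=pass header.d=shared.esp.example",
    # Two DKIM signatures, ESP shared domain and the sender's own: the second aligns.
    "two_dkim": "mx.contoso.example; spf=pass smtp.mailfrom=bounce.esp.example; "
                "dkim=pass header.d=shared.esp.example; dkim=pass header.d=example.com",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        for strict in (False, True):
            verdict = check_alignment(FROM, header, strict=strict)
            print(f"{name:14} strict={strict!s:5} {verdict} explicit_pass={verdict.explicit_pass}")
```

The "unaligned" sample is exactly the case the text warns about: SPF and DKIM both pass, yet with no domain aligned to the From domain the message can still be treated as spoofed.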
Recommendations
- Authenticate all email sent to Microsoft Office 365 and Outlook.com with SPF, DKIM, and DMARC. Authenticating your email does not guarantee inbox placement, but it helps Microsoft identify you as a legitimate sender.
- Ensure your SPF record is updated with all current sending IPs or domains and is set up correctly.
- If you cannot implement DMARC, authenticate your email with SPF or DKIM (preferably both). Align the domain used for SPF or DKIM to your sending From domain.
- If your ESP authenticates your email with a shared DKIM domain, talk to them about adding DKIM using your unique domain.
- An ESP applying two DKIM signatures to your email does not hurt delivery.
- If you do not authenticate your email, align your MAIL FROM (Return-Path) domain with your sending From domain and make sure you follow Microsoft's sending best practices.
- If sending email using a third party, work with them to align domains.
- If you are moving to a new ESP, hosting provider, or changing domains, strive for SPF, DKIM, and sending From domain alignment whether or not you authenticate your email. A new IP address or domain with no authentication, no domain alignment, and no sending history will have difficulty reaching the inbox.
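To support the recommendation to keep the SPF record current and correctly formed, here is an added Python example (not Microsoft's or any ESP's tooling) that audits an SPF TXT record offline and checks whether a given sending IP is covered by its ip4/ip6 terms. It flags the mistakes that commonly break SPF: a missing or `+all` terminator, malformed networks, terms placed after `all`, and more than the 10 DNS-lookup terms RFC 7208 allows. The records and addresses are constructed from documentation ranges; `include`, `a` and `mx` terms need DNS and are reported as `needs_dns` rather than resolved.

```python
import ipaddress
import re

# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation and
# treats a record that exceeds the cap as a permanent error.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_term(term: str):
    """Split one SPF term into (qualifier, name, argument)."""
    qualifier = "+"
    if term[:1] in QUALIFIER_RESULT:
        qualifier, term = term[0], term[1:]
    m = re.match(r"([a-zA-Z0-9]+)(?:[:=/](.*))?$", term)
    if not m:
        return qualifier, None, None
    return qualifier, m.group(1).lower(), m.group(2)


def audit_spf_record(record: str) -> dict:
    """Static sanity checks on a single SPF TXT record; no DNS is queried."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"ok": False, "problems": ["record must start with v=spf1"], "dns_lookups": 0}
    problems, lookups, all_qualifier = [], 0, None
    for raw in terms[1:]:
        qualifier, name, arg = _split_term(raw)
        if all_qualifier is not None:
            problems.append(f"term '{raw}' after 'all' is never evaluated")
            continue
        if name in DNS_LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except (TypeError, ValueError):
                problems.append(f"malformed network in '{raw}'")
        elif name != "exp":
            problems.append(f"unknown term '{raw}'")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        problems.append("no 'all' mechanism; end the record with ~all or -all")
    elif all_qualifier == "+":
        problems.append("+all lets any host pass SPF for this domain")
    return {"ok": not problems, "problems": problems, "dns_lookups": lookups}


def spf_result_for_ip(record: str, sending_ip: str) -> str:
    """Evaluate the ip4/ip6 terms for a sending IP and return the SPF result,
    or 'needs_dns' if a lookup term (include, a, mx, ...) is reached first."""
    ip = ipaddress.ip_address(sending_ip)
    for raw in record.strip().split()[1:]:
        qualifier, name, arg = _split_term(raw)
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if network.version == ip.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif name in DNS_LOOKUP_TERMS:
            return "needs_dns"
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no 'all' and nothing matched: RFC 7208 default


# Constructed records using documentation address ranges, not real infrastructure.
RECORD_WITH_ESP = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.esp.example -all"
RECORD_STALE = "v=spf1 ip4:192.0.2.0/24 ~all"  # a new sending IP, 203.0.113.5, was never added
RECORD_OPEN = "v=spf1 ip4:192.0.2.0/24 +all"

if __name__ == "__main__":
    for record in (RECORD_WITH_ESP, RECORD_STALE, RECORD_OPEN):
        print(record, "->", audit_spf_record(record))
    for ip in ("192.0.2.10", "2001:db8::1", "203.0.113.5"):
        print(ip, RECORD_WITH_ESP, "->", spf_result_for_ip(RECORD_WITH_ESP, ip))
        print(ip, RECORD_STALE, "->", spf_result_for_ip(RECORD_STALE, ip))
```

Run `audit_spf_record` against each domain you send from whenever an IP or provider changes; the stale record above is the situation the recommendation describes, where a new sending IP softfails because it was never added.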