Office365/EOP and Outlook.com/Hotmail will converge

Terry Zink posted two informative blog posts recently, the first being the change to unauthenticated mail sent over IPv6 to EOP and the second post about EOP (Office365 and Exchange Hosting) and Outlook.com/Hotmail infrastructure converging.
Exchange Online Protection (EOP) is the filtering system in place for Office 365 and hosted Exchange customers. Outlook.com/Hotmail utilized its own mail filtering system and provides SNDS/JMRP programs.  EOP is setup for redundancy, failover, provides geo-region servers to serve customers, and has supported TLS for over a decade.  Terry explains that Hotmail’s spam filtering technology is more advanced than EOP’s, but EOP’s backend platform is more advanced. The process to convert Outlook.com/Hotmail to use EOP’s filtering system started six months ago and is still a work in progress. Once completed, Outlook.com/Hotmail and Office365/EOP will share the same UX look and feel. The anti-spam technologies will be able to be shared between the two as they will share the same backend infrastructure.
Some of the challenges of merging the two systems include:

  • Outlook.com/Hotmail displays a green shield for senders who are heavily spoofed but authenticate, Outlook Web Access (Office365/EOP) currently does not.
  • Improving backscatter protection so that when a spammer spoofs your email address and the receiving mail server sends an NDR, the NDR does not go to your inbox since you did not send the original message.
  • EOP and Outlook.com/Hotmail both support DMARC, but handles them differently.
  • EOP currently does not send DMARC reports and fixes need to be made to the MTA so that they will be sent.  Outlook.com/Hotmail currently sends DMARC reports.
  • EOP has DKIM-signing on the public road map and once Outlook.com/Hotmail is converted to EOP, they would like to enable DKIM signing for Outlook.com/Hotmail too.

Terry also mentioned that he is non-committal on whether or not Outlook.com/Hotmail will publish a p=reject DMARC report.  He mentioned there are many considerations that must be factored before making a decision but has not ruled out the possibility. In the comments, someone asked about the impact to the SNDS and JMRP programs with the transition of Outlook.com/Hotmail to EOP and Terry says there will be no impact in the near term and they would like to include EOP into Hotmail’s SNDR/JMRP program.

Related Posts

Hotmail moves to SPF authentication

Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between SenderID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records.
From an email in my inbox from September:

Read More

SNDS is back

For years now, Microsoft has maintained Smart Network Data Services (SNDS) for anyone sending mail to Hotmail/Outlook/Live.com. This is a great way for anyone responsible for an IP sending mail to hotmail to monitor what traffic Hotmail is seeing from that IP address.
This morning I got up to a number of people complaining that logins were failing on the website and the API was down. I contacted the person behind SNDS and they confirmed there was a problem and they were fixing it.
Sometime this afternoon it was possible to login to the SNDS interface again, so it looks like they did fix it.
A bit of a warning, though, don’t expect to see any of the data from the last few days. There seems to be something with SNDS that means that when the service is down data isn’t collected or available. In the past when there have been problems, older data was not populated when the service came back.

Read More

Hotmail having a bad day

Looks like Hotmail / Microsoft is having a rather bad day. Their DNS seems to be intermittent. While they were down a while ago they were returning SERVFAIL for some DNS lookups, including MX lookups.
For senders who have the DNS data in their recursive resolvers, this will have no impact. For senders who either don’t have the data cached or who have the data expire before the servers come back online there may be a transient increase in the number of bounces at Microsoft domains (Hotmail, Outlook, MSN.com, office365.com and the Microsoft corporate domains including microsoft.com and their other domains like xboxone.com).
 
 

Read More