According to Microsoft, they use the "onmicrosoft.com" domain name 
for providing IMAP4 access, and as an SMTP fallback domain for 
clients who don't have their own domain name:

        Source:  
https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-or-replace-your-onmicrosoftcom-domain?view=o365-worldwide

        So, I wouldn't block anything other than SMTP ports 25 and 465.  
However, there are some other key points in the above-referenced 
documents that will likely be of interest, and getting clarification 
from Microsoft's technical support would, I think, be prudent.

        "... When you sign up for Microsoft 365, Microsoft provides an 
onmicrosoft.com domain - your fallback domain - in case you don't own 
a domain, or don't want to connect it to Microsoft 365 ..."

        That above excerpt seems to indicate that the "onmicrosoft.com" 
domain name is for temporary use, perhaps while a user is in the 
process of getting things configured.  If this is true, then that's 
nothing to worry about since users probably won't care if they're not 
intending to be known as "${USERNAME}@onmicrosoft.com" anyway.

        "... It serves as a default email routing address for your Microsoft 
365 environment. When a user is set up with a mailbox, email is 
routed to the fallback domain. Even if a custom domain is used (for 
example, tailspintoys.com), if that custom domain is deleted from 
your Microsoft 365 environment, the fallback domain ensures that your 
user's email is successfully routed. ..."

        The above excerpt seems to indicate that the "onmicrosoft.com" 
domain name is used for internal routing.  However, it doesn't 
mention forwarding from this domain name, so that should probably be 
discerned before blocking.

        The other problem is that if Microsoft's outbound mail is 
identifying with their "onmicrosoft.com" domain instead of their 
client's domain name (e.g., their client didn't complete one 
particular step in the configuration; or Microsoft just wants to get 
their brand stuffed into everyone's log files; etc.), then that could 
be a problem.  Again, I think it would be prudent to get some 
clarification from Microsoft on these particulars prior to blocking 
(unless, of course, you only find evidence of "all spam and no ham" 
over the past year or whatever timeframe works best for your users).

> But
> https://learn.microsoft.com/en-us/microsoft-365/admin/setup/domains-faq?view=o365-worldwide
> says:
> 
> "You can keep using the initial onmicrosoft.com domain even after you add
> your domain. It still works for email and other services, so it's your
> choice."
> 
> ... or am I misunderstanding?
> 
> I'm tempted to block *.onmicrosoft.com completely but I'm very afraid.
> 
> On Sun, Jan 14, 2024 at 5:15AM Graeme Fowler via mailop <mailop@mailop.org>
> wrote:
> 
> > On 13 January 2024 14:07:46 "L. Mark Stone via mailop" <mailop@mailop.org>
> > wrote:
> >
> >> Is there a list of "legitimate" subdomains of onmicrosoft.com somewhere
> >> that we can leverage?
> >>
> >
> > Wearing my "I have to administer a Microsoft 365 tenancy" hat - no.
> >
> > However, your mention of best practice is bang on. The subdomains of
> > onmicrosoft.com are tenant boundaries and not intended to be used for
> > email. Domains should be added, verified and configured properly for
> > outbound mail.
> >
> > I would personally say that you will lose practically no real email by
> > rejecting those subdomains completely - and if you get complaints from
> > actual M365 tenant customers, point them at the docs.
> >
> > Graeme
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
> >
> 
> 
> -- 
> ===============================================
> Russell Clemings
> <rclemi...@gmail.com <russ...@clemings.com>>
> ===============================================
> 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
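
Added example, not part of the original message or of any Microsoft tooling: one way to run the "all spam and no ham" check mentioned above before blocking, by tallying filter verdicts per onmicrosoft.com tenant subdomain. The three-field log format, the sample lines and the function names are assumptions constructed for illustration; adapt the parsing to your own MTA or filter logs.

```python
import re
from collections import defaultdict

# Constructed sample data in a hypothetical "date envelope-from verdict" format.
SAMPLE_LOG = """\
2024-01-02 alice@contoso.onmicrosoft.com spam
2024-01-03 bob@contoso.onmicrosoft.com spam
2024-01-05 billing@fabrikam.onmicrosoft.com ham
2024-01-06 carol@example.org ham
2024-01-07 x1@tailspintoys.onmicrosoft.com spam
2024-01-08 dave@notonmicrosoft.com spam
2024-01-09 <> ham
"""

# Match only real subdomains of onmicrosoft.com, not look-alike names.
TENANT_RE = re.compile(r"@([a-z0-9-]+)\.onmicrosoft\.com$", re.IGNORECASE)

def tally(log_text):
    """Return {tenant: {"spam": n, "ham": n}} for onmicrosoft.com senders."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("spam", "ham"):
            continue  # skip malformed lines rather than guessing
        match = TENANT_RE.search(parts[1])
        if match:
            counts[match.group(1).lower()][parts[2]] += 1
    return dict(counts)

def summary(counts):
    """Total (spam, ham) across all tenant subdomains."""
    spam = sum(c["spam"] for c in counts.values())
    ham = sum(c["ham"] for c in counts.values())
    return spam, ham

def ham_senders(counts):
    """Tenants that sent at least one legitimate message (candidates to exempt)."""
    return sorted(t for t, c in counts.items() if c["ham"] > 0)

if __name__ == "__main__":
    result = tally(SAMPLE_LOG)
    spam, ham = summary(result)
    print(f"onmicrosoft.com senders: {spam} spam, {ham} ham")
    print("tenants with ham:", ham_senders(result))
```

A non-empty list from `ham_senders` means a blanket reject would have cost real mail in the sampled period.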

