Hello-

We've seen something that is, frankly, a bit surprising to us. I'm hoping 
someone at Microsoft is on this list and can take a look.

Microsoft has a "secure email" feature for Outlook.  If an email is sent to an 
address outside of the O365 world, the recipient receives an email with a 
"click here to read your secure email".  They click on the address and can then 
choose to "authenticate" by requesting a one-time passcode to be sent to their 
email address.

We can debate how secure something like this is at another time. But here's 
what is so surprising to us: The email they send with the one-time passcode is 
**not** DKIM signed by Microsoft.

The From: header looks like this:

        From: Microsoft Office 365 Message Encryption <microsoftoffice...@messaging.microsoft.com>

microsoft.com has a p=reject DMARC policy.

We discovered the issue because we have an email forwarding feature that uses 
SRS so that the forwarded emails will pass SPF.  We do not rewrite the From 
header.  When this one-time passcode email is sent to a user that has a forward 
to a Gmail account, Google rejects the message for failing DMARC.  SPF passes 
(due to the SRS rewrite), but without a DKIM signature aligned with the From: 
header, the message fails DMARC.

We can rewrite the From headers (and add Reply-To headers), I suppose, but that 
feels wrong.

What feels correct is that Microsoft DKIM sign their outbound mail.  Especially 
if they have a DMARC policy to reject.  But double-especially for something 
that is supposed to be part of a "Secure Email" feature.

Anyone at Microsoft reading this list?  

Tom

--
Thomas Johnson
MailRoute, Inc.


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
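The failure described in the post, as an added illustration (not code from the poster or from Microsoft): a minimal DMARC evaluator with relaxed alignment, run over three constructed scenarios. `srs.forwarder.example` is an assumed forwarder domain, and the organizational-domain logic is a simplification (last two labels) rather than a Public Suffix List lookup.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Simplification: last two labels stand in for the organizational domain.
    # Real DMARC uses the Public Suffix List; this suffices for the domains here.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Relaxed alignment (the DMARC default) compares organizational domains;
    # strict alignment requires an exact match.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str          # domain of the RFC5322.From header
    spf_result: str           # "pass", "fail", "softfail", ...
    spf_domain: str           # RFC5321.MailFrom domain SPF was evaluated on
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid signatures

def dmarc_evaluate(r: AuthResults, policy: str = "reject", strict: bool = False) -> dict:
    # DMARC passes if EITHER an aligned SPF pass OR an aligned DKIM pass exists.
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, strict)
    dkim_aligned = any(aligned(d, r.from_domain, strict) for d in r.dkim_pass_domains)
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,   # p=reject from the post
    }

FROM_DOMAIN = "messaging.microsoft.com"   # From: header domain quoted in the post
FORWARDER = "srs.forwarder.example"       # constructed: SRS-rewritten envelope domain

def scenarios() -> dict:
    return {
        # Direct delivery: SPF is evaluated on an envelope domain aligned with From,
        # so DMARC passes even without DKIM (assumption: Microsoft's envelope aligns).
        "direct": dmarc_evaluate(AuthResults(FROM_DOMAIN, "pass", FROM_DOMAIN)),
        # Forwarded with SRS: SPF passes, but for the forwarder's domain, which is
        # not aligned; with no DKIM signature nothing is left, so p=reject applies.
        "forwarded_no_dkim": dmarc_evaluate(AuthResults(FROM_DOMAIN, "pass", FORWARDER)),
        # Same forward, but a surviving DKIM signature with d= aligned to From fixes it.
        "forwarded_with_dkim": dmarc_evaluate(
            AuthResults(FROM_DOMAIN, "pass", FORWARDER, ["microsoft.com"])),
    }

if __name__ == "__main__":
    for name, res in scenarios().items():
        print(f"{name}: {res}")
```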