On Tue, 13 May 2025, Thomas Johnson via mailop wrote:
> We've seen something that is, frankly, a bit surprising to us. I'm hoping someone at Microsoft is on this list and can take a look.
>
> Microsoft has a "secure email" feature for Outlook. If an email is sent to an address outside of the O365 world, the recipient receives an email with a "click here to read your secure email". They click on the address and can then choose to "authenticate" by requesting a one-time passcode to be sent to their email address. We can debate how secure something like this is at another time.
>
> But here's what is so surprising to us: The email they send with the one-time passcode is **not** DKIM signed by Microsoft. The From: header looks like this:
>
> From: Microsoft Office 365 Message Encryption <microsoftoffice...@messaging.microsoft.com>
>
> microsoft.com has a p=reject DMARC policy.
>
> We discovered the issue because we have an email forwarding feature that uses SRS so that the forwarded emails will pass SPF. We do not rewrite the From header. When this one-time passcode email is sent to a user that has a forward to a Gmail account, Google rejects the message for failing DMARC. SPF passes (due to the SRS rewrite), but without a DKIM signature aligned with the From: header, the message fails DMARC.
I could argue that MS has deliberately not DKIM signed the message, since if you have forwarded it, you could have read it (or maybe even changed it?). Thus they cannot guarantee that the secret is still secret.
> We can rewrite the From: headers (and add Reply-To: headers), I suppose, but that feels wrong.
If so, you are making claims about the provenance; *Microsoft* are not.
What feels correct is that Microsoft DKIM sign their outbound mail. Especially if they have a DMARC policy to reject. But double-especially for something that is supposed to be part of a "Secure Email" feature.
This is of course hypothetical; I have no idea whether Microsoft have had thoughts along this line.

-- 
Andrew C. Aitchison                      Kendal, UK
                   and...@aitchison.me.uk

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
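The alignment logic the thread turns on, as an added example (not code from the thread, from Microsoft or from Google): a small DMARC evaluator in Python, run over constructed headers that mimic the forwarded passcode mail after the forwarder's SRS rewrite. Everything in it except microsoft.com's p=reject is an assumption: the forwarder.example domain and its p=none policy, the sender local part, the SRS0 placeholder local part, the relaxed alignment modes (the RFC 7489 default when adkim/aspf are absent), and the simplification that the organizational domain is the last two labels rather than a Public Suffix List lookup. SPF and DKIM verification need DNS, so their results are passed in rather than computed. The three scenarios are the forwarded mail as the thread describes it, the same mail with an aligned DKIM signature that survives forwarding, and the From-rewriting workaround the thread considers, which makes the forwarder's own DMARC policy the one being evaluated.

```python
"""DMARC alignment walk-through for a forwarded one-time-passcode mail.

Added example; not code from the mailop thread, Microsoft or Google.
Models how a receiving verifier decides DMARC from the RFC5322.From
domain, the SPF result with its RFC5321.MailFrom (Return-Path) domain,
and the DKIM signatures' d= domains. Domain names, policies (other than
microsoft.com p=reject) and header contents below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Constructed policy table. microsoft.com p=reject is stated in the thread;
# forwarder.example and both adkim/aspf=r (the RFC 7489 default) are assumptions.
DMARC_POLICIES = {
    "microsoft.com": {"p": "reject", "adkim": "r", "aspf": "r"},
    "forwarder.example": {"p": "none", "adkim": "r", "aspf": "r"},
}
DEFAULT_POLICY = {"p": "none", "adkim": "r", "aspf": "r"}

# Constructed headers as the mail arrives at the final receiver after an SRS
# rewrite at forwarder.example: Return-Path is now the forwarder's domain,
# From is untouched. The SRS0 hash/timestamp fields are placeholders.
FORWARDED_OTP_HEADERS = """\
Return-Path: <SRS0=hash=tt=messaging.microsoft.com=sender@forwarder.example>
From: Microsoft Office 365 Message Encryption <sender@messaging.microsoft.com>
To: user@gmail.example
Subject: Your one-time passcode

"""


def domain_of(header_value: str) -> str:
    """Domain part of the address in a From:/Return-Path: header value."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower()


def org_domain(domain: str) -> str:
    """Organizational domain; simplified to the last two labels. A real
    verifier consults the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Verdict:
    from_domain: str
    spf_aligned: bool
    dkim_aligned: bool
    dmarc: str         # "pass" or "fail"
    disposition: str   # "none", "quarantine" or "reject"


def evaluate_dmarc(raw_headers: str, spf_result: str,
                   dkim_results: list[tuple[str, str]]) -> Verdict:
    """dkim_results: list of (d= domain, verification result) per signature."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg["From"])
    mailfrom_domain = domain_of(msg["Return-Path"])
    # Policy discovery: _dmarc.<From domain> first, then the org domain.
    policy = (DMARC_POLICIES.get(from_domain)
              or DMARC_POLICIES.get(org_domain(from_domain))
              or DEFAULT_POLICY)
    # SPF only counts for DMARC if it passes AND its domain aligns with From.
    spf_aligned = spf_result == "pass" and aligned(
        mailfrom_domain, from_domain, policy["aspf"])
    # Any one passing, aligned DKIM signature is enough.
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, policy["adkim"])
                       for d, res in dkim_results)
    passed = spf_aligned or dkim_aligned
    return Verdict(from_domain, spf_aligned, dkim_aligned,
                   "pass" if passed else "fail",
                   "none" if passed else policy["p"])


def forwarded_unsigned() -> Verdict:
    """The thread's case: SRS makes SPF pass for the forwarder, no DKIM at all."""
    return evaluate_dmarc(FORWARDED_OTP_HEADERS, "pass", [])


def forwarded_signed() -> Verdict:
    """Same path with a d=microsoft.com signature; relaxed alignment accepts
    the org domain, so forwarding no longer breaks DMARC."""
    return evaluate_dmarc(FORWARDED_OTP_HEADERS, "pass", [("microsoft.com", "pass")])


def forwarded_from_rewritten() -> Verdict:
    """The workaround the thread dislikes: From rewritten to the forwarder, so
    the forwarder's own policy is evaluated and the forwarder vouches for it."""
    rewritten = FORWARDED_OTP_HEADERS.replace(
        "<sender@messaging.microsoft.com>", "<sender@forwarder.example>")
    return evaluate_dmarc(rewritten, "pass", [])


if __name__ == "__main__":
    for name, fn in [("forwarded, unsigned", forwarded_unsigned),
                     ("forwarded, DKIM d=microsoft.com", forwarded_signed),
                     ("forwarded, From rewritten", forwarded_from_rewritten)]:
        print(f"{name}: {fn()}")
```

The first scenario reproduces the rejection: SPF passes but for forwarder.example, which does not align with messaging.microsoft.com, and with no DKIM signature the microsoft.com p=reject applies. The second shows why the thread's fix (sign outbound mail) is sufficient: DKIM travels with the message, so an SRS-rewritten envelope no longer matters. The third shows what From rewriting actually changes: the verdict is reached under forwarder.example's policy, which is the "you are making claims about the provenance" point. Note that under strict alignment (adkim=s) a d=microsoft.com signature would not align with a From at messaging.microsoft.com; only a d=messaging.microsoft.com signature would.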