Or Microsoft is sloppy as is everyone else now and then... but we suffer the consequences when it happens and they don't.
Unfortunately m$ is "too big to fail" and mail operators are apparently too afraid to make them play by the same rules everyone else is forced to play by (and particularly the "big ones" like m$ or gmail ...) and just let this kind of stuff get by because "it's m$" or "it's gmail". It says a lot about the ecosystem...

Regards,

On Wed, May 14, 2025 at 3:34 PM Andrew C Aitchison via mailop <mailop@mailop.org> wrote:

> On Tue, 13 May 2025, Thomas Johnson via mailop wrote:
>
> > We've seen something that is, frankly, a bit surprising to us. I'm hoping someone at Microsoft is on this list and can take a look.
> >
> > Microsoft has a "secure email" feature for Outlook. If an email is sent to an address outside of the O365 world, the recipient receives an email with a "click here to read your secure email". They click on the address and can then choose to "authenticate" by requesting a one-time passcode to be sent to their email address.
> >
> > We can debate how secure something like this is at another time. But here's what is so surprising to us: The email they send with the one-time passcode is **not** DKIM signed by Microsoft.
> >
> > The From: header looks like this:
> > From: Microsoft Office 365 Message Encryption <microsoftoffice...@messaging.microsoft.com>
> >
> > microsoft.com has a p=reject DMARC policy.
> >
> > We discovered the issue because we have an email forwarding feature that uses SRS so that the forwarded emails will pass SPF. We do not rewrite the From header. When this one-time passcode email is sent to a user that has a forward to a Gmail account, Google rejects the message for failing DMARC. SPF passes (due to the SRS rewrite), but without a DKIM signature aligned with the From: header, the message fails DMARC.
>
> I could argue that MS has deliberately not DKIM signed the message, since if you have forwarded it, you could have read it (or maybe even changed it?).
> Thus they cannot guarantee that the secret is still secret.
>
> > We can rewrite the From headers (and add Reply-To) headers, I suppose, but that feels wrong.
>
> If so, you are making claims about the provenance; *Microsoft* are not.
>
> > What feels correct is that Microsoft DKIM sign their outbound mail. Especially if they have a DMARC policy to reject. But double-especially for something that is supposed to be part of a "Secure Email" feature.
>
> This is of course hypothetical; I have no idea whether Microsoft have had thoughts along this line.
>
> --
> Andrew C. Aitchison Kendal, UK
> and...@aitchison.me.uk
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

--
Paulo Azevedo
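The failure Thomas describes comes down to DMARC's alignment rule: a passing SPF or DKIM result only counts if its domain aligns with the From: header domain. The following Python walk-through, added here as an illustration and not code from anyone in the thread or from any mail product, models that rule with a simplified SRS0 rewrite and a simplified organizational-domain check (no Public Suffix List lookup). The forwarder domain `forwarder.example`, the HMAC secret, and the envelope domain used in the direct-delivery case are constructed assumptions; the From: domain `messaging.microsoft.com` and the p=reject policy are taken from the quoted message.

```python
# DMARC alignment walk-through for the forwarding case described in the thread.
# Added example; not code from the thread or from any mail product.
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthResult:
    passed: bool
    domain: str          # domain the SPF/DKIM check was evaluated against


@dataclass
class DmarcPolicy:
    p: str = "reject"    # requested disposition: none / quarantine / reject
    adkim: str = "r"     # DKIM alignment mode: r = relaxed (org domain), s = strict
    aspf: str = "r"      # SPF alignment mode


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real evaluators
    consult the Public Suffix List; this assumption is enough for the example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment requires an exact match; relaxed accepts the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain: str, spf: Optional[AuthResult],
                   dkim: List[AuthResult], policy: DmarcPolicy) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). A pass needs an *aligned* passing SPF
    result or an *aligned* passing DKIM signature; an unaligned pass is ignored."""
    spf_ok = spf is not None and spf.passed and aligned(spf.domain, from_domain, policy.aspf)
    dkim_ok = any(d.passed and aligned(d.domain, from_domain, policy.adkim) for d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.p


def srs0_rewrite(sender: str, forwarder: str, secret: bytes, timestamp: str = "AA") -> str:
    """SRS0 envelope-sender rewrite (simplified: fixed timestamp; HMAC-SHA1
    truncated to 4 base64 characters). The rewritten address lives in the
    forwarder's domain, which is therefore what SPF is evaluated against."""
    local, domain = sender.rsplit("@", 1)
    mac = hmac.new(secret, f"{timestamp}{domain}{local}".lower().encode(), hashlib.sha1).digest()
    h = base64.b64encode(mac)[:4].decode()
    return f"SRS0={h}={timestamp}={domain}={local}@{forwarder}"


FROM_DOMAIN = "messaging.microsoft.com"   # From: header domain quoted in the thread
FORWARDER = "forwarder.example"           # constructed forwarding host
MS_POLICY = DmarcPolicy(p="reject")       # thread: microsoft.com publishes p=reject


def forwarded_without_dkim() -> Tuple[str, str]:
    """The thread's case: SRS makes SPF pass, but for the forwarder's domain;
    no DKIM signature exists, so nothing aligns with the From: domain."""
    bounce = srs0_rewrite("microsoftoffice@messaging.microsoft.com", FORWARDER, b"constructed-secret")
    spf_domain = bounce.rsplit("@", 1)[1]        # the domain SPF actually checks
    return evaluate_dmarc(FROM_DOMAIN, AuthResult(True, spf_domain), [], MS_POLICY)


def forwarded_with_dkim() -> Tuple[str, str]:
    """Same forward, but the originator had signed with d=microsoft.com. The
    signature survives forwarding because the forwarder changes nothing it
    covers, and relaxed alignment matches on the organizational domain."""
    spf = AuthResult(True, FORWARDER)
    dkim = [AuthResult(True, "microsoft.com")]
    return evaluate_dmarc(FROM_DOMAIN, spf, dkim, MS_POLICY)


def direct_delivery_without_dkim() -> Tuple[str, str]:
    """No forwarder: SPF is evaluated against the original envelope domain
    (assumed here to be the From: domain), which aligns, so the missing DKIM
    signature goes unnoticed. That is why the gap only shows up on forwards."""
    return evaluate_dmarc(FROM_DOMAIN, AuthResult(True, "messaging.microsoft.com"), [], MS_POLICY)


if __name__ == "__main__":
    for name, fn in [("forwarded, no DKIM", forwarded_without_dkim),
                     ("forwarded, DKIM d=microsoft.com", forwarded_with_dkim),
                     ("direct, no DKIM", direct_delivery_without_dkim)]:
        print(f"{name:35s} -> {fn()}")
```

Running the script prints `fail`/`reject` only for the forwarded, unsigned case, which matches what Google did with the forwarded passcode mail; the signed variant shows that an aligned DKIM signature is the one result a forwarder cannot break, which is why it is the fix the thread asks for rather than From: rewriting.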