Tag Archives: Manage

Exchange Online Protection enhancements—part 2

Shobhit Sahay is a technical product manager on the Exchange Online team.

In part 1 of the post, we announced some new and exciting features in Exchange Online Protection (EOP). In this post, we’ll look at more new features that are coming to Exchange Online Protection. Let’s get straight to them.

  • Users can now access their spam quarantine
  • Support added for DomainKeys Identified Mail (DKIM)
  • Enhanced support for IPv6
  • New match subdomains feature
  • You can now manage users and groups directly in the EAC
  • Geocentric affinity is being expanded

Users can now access their spam quarantine

Exchange Online Protection and Exchange Online users will soon be able to access and manage their own spam-quarantined messages via the web using the spam quarantine page in the Exchange admin center (EAC). In order to access the spam quarantine page, users must have a valid Office 365 user ID and password. For information about managing users in EOP standalone plans, admins can refer to Manage Mail Users in EOP.  You can use directory synchronization to automate the process and, optionally, synchronize passwords.

Users can now access their own spam-quarantined messages in the Exchange admin center.

Users can now access their own spam-quarantined messages in the Exchange admin center.

Users can search their spam quarantine for a particular message, using criteria such as received date and subject in order to narrow down the list of messages shown.

You search spam-quarantined messages in Exchange Online Protection.You can perform advanced search on spam-quarantined messages.

Users can also release individual messages from their spam quarantine for delivery to their inbox.

You can release individual messages from spam quarantine to your inbox.

You can release individual messages from spam quarantine to your inbox.

In addition, you can report messages as “not junk” to the Microsoft Spam Analysis Team, who will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through. Reporting the message as not junk also releases the message to your inbox.

Report a spam-quarantined message as “not junk,” and it’s released to your inbox.

When you report a message as “not junk,” it’s released to your inbox.

You can view details of how a message was received by clicking the View Message Header… link to get the SMTP header portion of the message. You can access the View Message Header… link on the page that lists all your spam-quarantined messages, under message details.

You can view details about a spam-quarantined message in Exchange Online Protection.

Viewing the message header for an individual message gives you details about how it was received.

Support added for DomainKeys Identified Mail (DKIM)

EOP will begin supporting inbound validation of Domain Keys Identified Mail (DKIM; seeDomainKeys Identified Mail Signatures). DKIM is a method of validating a digitally signed message that appears in the DKIM-Signature header in the message headers. It ties an email message to the organization responsible for the message.

Initially, DKIM verification will be restricted only to messages over IPv6. In a future release, EOP will verify all inbound messages signed with DKIM over IPv4.

The results of a DKIM-Signature validation will be stamped in the Authentication-Results header, which conforms with RFC 7001 (Message Header Field for Indicating Message Authentication Status).

Customers will be able to write Exchange Transport Rules (ETRs) on the results of a DKIM validation to filter or route messages as needed. For example:

Authentication-Results: contoso.com; dkim=pass (signature was verified) header.d=example.com;

In a future release, we will also provide DKIM signing.

Enhanced support for IPV6

EOP will begin supporting the ability to receive email over IPv6 from senders who do not send messages over Transport Layer Security (TLS). Admins can permit users to opt in to receive email over IPv6 by requesting it from the EOP Support team. If they do not opt in, they will receive email over IPv4. There will be limited availability for inbound IPv6 for the first few months, and you will have to opt in manually. In a future release, customers will be able to opt in via remote PowerShell or through the Exchange admin center.

Senders who transmit to the service over IPv6 must comply with the following two requirements:

  1. The sending IPv6 address must have a valid PTR record (reverse DNS record of the sending IPv6 address).
  2. The sender must pass either SPF verification (defined in RFC 4408) or DKIM verification (defined in RFC 6376).

If both of these criteria are met, the message will go through normal email filtering. If one or the other is not met, the email address will be rejected with a 554 response and the sending email server may not retry sending the message over IPv4. Here are examples a 554 response to the failure to meet these criteria:

554 5.7.1 Service unavailable, sending IPv6 address [2a01:111:f200:2004::240] must have reverse DNS record
554 5.7.1 Service unavailable, message sent over IPv6 [2a01:111:f200:2004::240] must pass either SPF or DKIM validation (message not signed).

If the receiving customer has not opted in to IPv6 and the sender tries to force a message over IPv6, the email message will be rejected with a 550 response.  Here’s an example of such a rejection:

550 5.2.1 Service unavailable, [contoso.com] does not accept email over IPv6.

New match subdomains feature

The match subdomains feature enables you to send and receive emails on subdomains of a provisioned domain (aka Accepted Domain) in Office 365.

When the match subdomains feature is enabled for a domain, emails can be sent and received for subdomains on this domain. For example, if contoso.com is a provisioned domain and match subdomains support is enabled, users can send emails to or receive emails from a.contoso.com, b.contoso.com, a.b.contoso.com, and other subdomains.

This feature is for EOP standalone customers and for customers who have a hybrid environment with  mailboxes that reside on-premises. It is applicable only for the Internal Relay domain type.

To access this feature, in the Exchange admin center, click mail flow, and then click accepted domains. You will see a list of accepted domains.

You can match subdomains in Exchange Online Protection.

To match subdomains for a particular domain, double-click the domain on the mail flow page in the EAC.

Double-click the domain (for example, contoso.com) for which you want to enable the match subdomains feature. On that domain’s page, select the Accept mail for all subdomains checkbox, and then click Save.

Enable match subdomains to accept email for all subdomains of an accepted domain.Once you enable match subdomains for an accepted domain, your organization will accept email for all subdomains of that domain.

This enables the match subdomains feature for a domain.

Once the feature is enabled for the domain, Office 365 will be able to deliver to mailboxes in your on-premises environment emails that have email addresses on any of the subdomains.

You can now manage users and groups directly in the EAC

EOP offers several ways to manage your mail recipients, domains, and company information. EOP standard and Exchange Enterprise CAL with Services tenants can now directly manage recipients from within the Exchange admin center (EAC). This includes the ability to add, edit, or delete mail-enabled users (mail recipients who are internal to the organization) from the EAC and the ability to use mail enabled users as part of filtering policies and rules.

To add mail users and groups directly to the EAC, follow the instructions provided in in Manage Mail Users in EOP (see the Use the EAC to manage mail users section) and Manage Groups in EOP. Previously, only a view-only mode was possible for users, and group functionality was not available.

Geocentric affinity is being expanded

EOP runs on a worldwide network of Office 365 data centers that are designed to provide the best availability. Today we have data centers in different regions such as North America and EMEA, including a Government Community Cloud in the U.S. We maintain geocentric affinity in these two regions, meaning that the data sent within a region is processed within that region.

We’re expanding geocentric affinity for EOP to the Asia-Pacific (APAC) region. Currently, all Exchange Online mailboxes for APAC customers are already located in APAC data centers, and later this year messages will be routed through APAC data centers for EOP

You can learn more about the geocentric affinity in the EOP data centers section of the Exchange Online Protection Overview.

We have a lot more enhancements to EOP coming down the pipeline, but for now, we look forward to seeing you use these new features.

–Shobhit Sahay


Exchange Online Protection enhancements — Part 1

To give you enterprise-class reliability and help protect against spam and malware, we launchedExchange Online Protection (EOP) in 2013. During the past year we made improvements to EOP, including better spam management and customizing policies for specific domains, users, or groups. Today, as we complete the first year of the service launch, we‘re announcing more enhancements to EOP, including:

  • Directory-based edge blocking
  • Increased Office 365 domain limit
  • Message Trace extended for 90 days
  • Enhanced mail protection reporting
  • Remote PowerShell
  • Junk mail reporting for OWA

This is just the first set of enhancements. A second set of enhancements will be announced at theMicrosoft Exchange Conference (MEC) 2014, and we’ll introduce those in another blog post, Part 2, around that time. For now, let’s look at the new capabilities we’re announcing today.

Directory-based edge blocking

Recently announced on the EHLO blog, Directory-based edge blocking (DBEB) allows you to reject messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to Azure Active Directory and block all messages sent to email addresses that aren’t present in Azure Active Directory.

Increased Office 365 domain limit

We increased the maximum number of domains per tenant allowed in Office 365 by 50%, from 600 domains to 900 domains. The increase is automatic, so admins don’t need to do anything to take advantage of this improvement. You can add up to 900 domains from your Office 365 admin portal or via remote PowerShell.

Message Trace extended for 90 days

Exchange Online Protection and Exchange Online admins can now obtain message trace information for the last 90 days. To access this feature, in the Exchange admin center, click Mail flow, and then click Message trace.

When you search for a message sent in the past seven days, you can view the results immediately. When searching for older messages, you have to submit a request for an extended message trace. Just choose the custom date range option and specify any date range in the past 90 days.


On the message trace page, you can create a trace for a message by entering custom dates during the last 90 days.

In addition to searching by a custom date range, you can use these search criteria for an extended message trace: date range, sender, recipient, status, message ID, and sender client IP address.

When you create a new extended trace request, you can provide a friendly report title for the request. If you want to receive an email notification when the trace has been completed, you just enter your email address.


When you create an extended message trace request, you can give it a friendly title and provide an email address to receive a notification when the request has been completed.

When you’re creating a new extended trace request, you can choose to receive a summary list report or a detailed message trace report.

  • Summary list report. A summary list report displays basic information about the messages you traced, such as time, whether the message was delivered, the subject of the message, number of bytes, and so on.
  • Detailed message trace report. When you need more details about messages than a summary list report provides, you can get a detailed trace of the events logged for the messages. To get a detailed report, when you’re creating a new trace request, select theInclude message events and routing details with report check box. In a detailed trace, all key events with all details that are available in the message tracking logs are exposed, providing a rich data source for detailed investigations.

We recommend that Exchange Online administrators use the extended detailed message trace rather than delivery reports for investigating message delivery. Delivery reports are intended for end users and is limited to recent messages only.

Typically, trace requests are processed within hours. The list of submitted requests and their status is displayed on the pending or completed traces page in the Exchange admin center, making it easy to check if your request has been completed.


You can easily check the status of requests by checking the list of extended message trace requests displayed on the pending or complete traces page in the Exchange admin center.

Once a message trace request has completed processing, you can click Download this report in the right-hand nav to view the results in a downloadable CSV file.

Enhanced mail protection reporting

Beginning in the early spring of 2014, mail protection reports will include a more interactive reporting experience for Exchange Online and Exchange Online Protection admins. The reports can be accessed from the Office 365 admin center, just as they are today. When you click a report link, such as the spam detections report, a new window opens and displays an interactive chart with summary level information.


Reports, like this spam detections report, now include interactive charts and summary information. 

You can select the appropriate date range to see up to 90 days of summary data. You can also change the view to see only messages that match specific criteria, by altering the series slicers located on the right side of the graph. For example, if you want to view only content-filtered spam detections, select only Content filtered from the slicers options. Some reports may also have parameters above the graph that let you further narrow your criteria.

For detailed message data, click a specific data point in the graph. When you select a point, the message details are displayed below the graph in a table. The table allows you to page through the detailed messages if there are more records than can be displayed on one page.


Click a point on a Spam detections report chart to see more detailed data.

Detailed data for messages that are older than 7 days is also available for download. This is displayed as the area in the graph with a light gray background. When you select a data point in the summary graph for data older than 7 days, a Request this report link is displayed on the page.


When you click a point on a Spam detections report chart that is older than 7 days, a link to request an extended detailed report appears.

When you click the Request this report link, a new page opens that lets you provide notification information and further filter the request.


When you create an extended report from a chart, you can specify the information you want and whether you want to be notified when the report is completed.

When you click Submit, the query is submitted for processing. If you provided a notification address, the specified recipient will receive an email notification when it has completed. To view the status of requests, click the Report request queue link from the main page. This opens the pending or completed queries page, where you can see the status of any of your outstanding requests. From here you can cancel pending requests or download a completed request.


You can view the status of your extended report requests on the pending or completed queries page.

Remote PowerShell

We’re currently deploying an update that will allow EOP standard tenants to use remote PowerShell to manage their EOP settings. After deployment, EOP standard tenants can use the extensive scripting power of PowerShell to automate a wide variety of management tasks. Learn more aboutPowerShell in Exchange Online Protection

For example, you can use remote PowerShell to:

  • Add or modify transport rules.
  • Add or modify connectors.
  • Search through all transport rules to find every rule that references a particular domain or user.
  • Modify anti-malware and anti-spam filtering settings.
  • Manage users and groups—coming soon.


EOP standard tenants can now use remote Windows PowerShell to manage their EOP settings.

Junk mail reporting for OWA

OWA Junk mail reporting will now allow OWA users to move missed spam in the inbox or legitimate mail in the junk mail folder to the correct location and report the message to Microsoft with a few clicks. Exchange Online Protection (EOP), the mail protection service included with Office 365, relies on these submissions to improve the accuracy of the junk mail filter, which means less junk in your inbox in the future.

Report a false negative or false positive by clicking the ellipsis in the upper right hand corner of a message and selecting mark as junk or mark as not junk. Alternatively, you can right-click a message to get the same options (OWA Desktop only).

EOP_enhancements_10        EOP_enhancements_11

You can easily report junk mail in OWA on your computer.

EOP_enhancements_12_cropped        EOP_enhancements_13_cropped

And just as easily report junk mail in OWA for devices.

Closer to the time of MEC 2014, when more new capabilities and enhancements are announced, we’ll introduce some of those new capabilities and enhancements in another blog post, Part 2, including:

  • End user access to quarantine
  • Enhanced support for IPV6
  • Domain Keys Identified Mail (DKIM)
  • Match subdomains

Most of this road map information is publicly available on our FOPE vs EOP TechNet page.

We hope you’ll enjoy using the improvements we introduced in this blog post in your EOP tenants. And if you haven’t yet registered for MEC 2014 and want to learn more in person about these features, now is the time. Register today at www.iammec.com.

–Shobhit Sahay