Shobhit Sahay is a technical product manager on the Exchange Online team.
In part 1 of the post, we announced some new and exciting features in Exchange Online Protection (EOP). In this post, we’ll look at more new features that are coming to Exchange Online Protection. Let’s get straight to them.
- Users can now access their spam quarantine
- Support added for DomainKeys Identified Mail (DKIM)
- Enhanced support for IPv6
- New match subdomains feature
- You can now manage users and groups directly in the EAC
- Geocentric affinity is being expanded
Users can now access their spam quarantine
Exchange Online Protection and Exchange Online users will soon be able to access and manage their own spam-quarantined messages via the web using the spam quarantine page in the Exchange admin center (EAC). In order to access the spam quarantine page, users must have a valid Office 365 user ID and password. For information about managing users in EOP standalone plans, admins can refer to Manage Mail Users in EOP. You can use directory synchronization to automate the process and, optionally, synchronize passwords.
Users can now access their own spam-quarantined messages in the Exchange admin center.
Users can search their spam quarantine for a particular message, using criteria such as received date and subject in order to narrow down the list of messages shown.
Users can also release individual messages from their spam quarantine for delivery to their inbox.
You can release individual messages from spam quarantine to your inbox.
In addition, you can report messages as “not junk” to the Microsoft Spam Analysis Team, who will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through. Reporting the message as not junk also releases the message to your inbox.
When you report a message as “not junk,” it’s released to your inbox.
You can view details of how a message was received by clicking the View Message Header… link to get the SMTP header portion of the message. You can access the View Message Header… link on the page that lists all your spam-quarantined messages, under message details.
Viewing the message header for an individual message gives you details about how it was received.
Support added for DomainKeys Identified Mail (DKIM)
EOP will begin supporting inbound validation of Domain Keys Identified Mail (DKIM; seeDomainKeys Identified Mail Signatures). DKIM is a method of validating a digitally signed message that appears in the DKIM-Signature header in the message headers. It ties an email message to the organization responsible for the message.
Initially, DKIM verification will be restricted only to messages over IPv6. In a future release, EOP will verify all inbound messages signed with DKIM over IPv4.
The results of a DKIM-Signature validation will be stamped in the Authentication-Results header, which conforms with RFC 7001 (Message Header Field for Indicating Message Authentication Status).
Customers will be able to write Exchange Transport Rules (ETRs) on the results of a DKIM validation to filter or route messages as needed. For example:
Authentication-Results: contoso.com; dkim=pass (signature was verified) header.d=example.com;
In a future release, we will also provide DKIM signing.
Enhanced support for IPV6
EOP will begin supporting the ability to receive email over IPv6 from senders who do not send messages over Transport Layer Security (TLS). Admins can permit users to opt in to receive email over IPv6 by requesting it from the EOP Support team. If they do not opt in, they will receive email over IPv4. There will be limited availability for inbound IPv6 for the first few months, and you will have to opt in manually. In a future release, customers will be able to opt in via remote PowerShell or through the Exchange admin center.
Senders who transmit to the service over IPv6 must comply with the following two requirements:
- The sending IPv6 address must have a valid PTR record (reverse DNS record of the sending IPv6 address).
- The sender must pass either SPF verification (defined in RFC 4408) or DKIM verification (defined in RFC 6376).
If both of these criteria are met, the message will go through normal email filtering. If one or the other is not met, the email address will be rejected with a 554 response and the sending email server may not retry sending the message over IPv4. Here are examples a 554 response to the failure to meet these criteria:
554 5.7.1 Service unavailable, sending IPv6 address [2a01:111:f200:2004::240] must have reverse DNS record
554 5.7.1 Service unavailable, message sent over IPv6 [2a01:111:f200:2004::240] must pass either SPF or DKIM validation (message not signed).
If the receiving customer has not opted in to IPv6 and the sender tries to force a message over IPv6, the email message will be rejected with a 550 response. Here’s an example of such a rejection:
550 5.2.1 Service unavailable, [contoso.com] does not accept email over IPv6.
New match subdomains feature
The match subdomains feature enables you to send and receive emails on subdomains of a provisioned domain (aka Accepted Domain) in Office 365.
When the match subdomains feature is enabled for a domain, emails can be sent and received for subdomains on this domain. For example, if contoso.com is a provisioned domain and match subdomains support is enabled, users can send emails to or receive emails from a.contoso.com, b.contoso.com, a.b.contoso.com, and other subdomains.
This feature is for EOP standalone customers and for customers who have a hybrid environment with mailboxes that reside on-premises. It is applicable only for the Internal Relay domain type.
To access this feature, in the Exchange admin center, click mail flow, and then click accepted domains. You will see a list of accepted domains.
To match subdomains for a particular domain, double-click the domain on the mail flow page in the EAC.
Double-click the domain (for example, contoso.com) for which you want to enable the match subdomains feature. On that domain’s page, select the Accept mail for all subdomains checkbox, and then click Save.
This enables the match subdomains feature for a domain.
Once the feature is enabled for the domain, Office 365 will be able to deliver to mailboxes in your on-premises environment emails that have email addresses on any of the subdomains.
You can now manage users and groups directly in the EAC
EOP offers several ways to manage your mail recipients, domains, and company information. EOP standard and Exchange Enterprise CAL with Services tenants can now directly manage recipients from within the Exchange admin center (EAC). This includes the ability to add, edit, or delete mail-enabled users (mail recipients who are internal to the organization) from the EAC and the ability to use mail enabled users as part of filtering policies and rules.
To add mail users and groups directly to the EAC, follow the instructions provided in in Manage Mail Users in EOP (see the Use the EAC to manage mail users section) and Manage Groups in EOP. Previously, only a view-only mode was possible for users, and group functionality was not available.
Geocentric affinity is being expanded
EOP runs on a worldwide network of Office 365 data centers that are designed to provide the best availability. Today we have data centers in different regions such as North America and EMEA, including a Government Community Cloud in the U.S. We maintain geocentric affinity in these two regions, meaning that the data sent within a region is processed within that region.
We’re expanding geocentric affinity for EOP to the Asia-Pacific (APAC) region. Currently, all Exchange Online mailboxes for APAC customers are already located in APAC data centers, and later this year messages will be routed through APAC data centers for EOP
You can learn more about the geocentric affinity in the EOP data centers section of the Exchange Online Protection Overview.
We have a lot more enhancements to EOP coming down the pipeline, but for now, we look forward to seeing you use these new features.