
Outlook.com increases security with support for DMARC and EV certificates

In a previous blog post, we talked about our goal of making Outlook.com the best and most-used personal email service on the planet. That means building a great service with all the features you expect from modern email, but it also means building a service that is known for world-class reliability, industry-leading spam protection and rock-solid security features. Today we’re announcing two new enhancements to Outlook.com that help protect your email.

Over the past several weeks since we announced Outlook.com, we’ve continued to work to deliver you the highest levels of security and protection technologies. Today, we are excited to announce two important new security features that help fight common phishing attacks and provide you with even more protection. The first is complete support for DMARC, a standard that makes it harder for someone to deliver phishing mail to your inbox. The second is support for Extended Validation Certificates (EV Certificates), which provide a more secure SSL connection when you are using Outlook.com. We’re proud to be the first major email service to provide this higher level of safety and security. Taken together, these new security measures help prevent attackers from stealing your account information and protect your account from phishing attacks.

DMARC protects you and email senders from phishing attacks

One example of a common phishing attack is when someone fakes the sender’s address, and uses that to try to trick someone into giving up personal information.  For example, an attacker could send mail that looks like it is from a legitimate bank and ask for account verification to trick someone into giving their account name and password.  The attacker could then use that name and password to access the actual bank account.  Today we help prevent these phishing attacks by supporting email authentication standards for sending and receiving email–including SPF, SenderID and DKIM–as well as our own email filtering technology. 

DMARC is a new policy enforcement and reporting standard that builds on SPF and DKIM to give more deterministic handling of messages that fail authentication. Microsoft has been a core participant in the DMARC standards body since its inception, and we share its mission to fight domain-based phishing, along with Facebook, PayPal, Gmail, ReturnPath and others. This standard helps prevent phishing mail from getting into your inbox, and helps senders understand when an attacker is trying to send phishing mail from their domains.

Our DMARC implementation helps protect you by making it easier to visually identify mail from senders as legitimate, and helps keep spam and phishing messages from ever reaching your inbox. If a sender supports DMARC, we put a trusted sender logo next to their email indicating it is legitimate. The effect is cumulative: the more email-sending services that use DMARC, the broader the protection offered against phishing.

DMARC helps protect email sending services by giving them valuable information about mail coming from their domain.  As part of DMARC, senders get reports on email that comes from their domain (good and bad), as well as how much of their traffic is passing/failing email authentication checks. This info helps them plan their authentication deployment as well as better understand the nature of the attacks on their domains.  They can also request that messages using their domain that fail authentication be quarantined or rejected, and receive data extracted from failed messages such as header information and URIs from the message body, to provide them visibility into the types of attacks that are targeting their brands.

This combination of protection for readers and senders allows DMARC to help the entire email ecosystem and we are happy to be fully compliant with DMARC for received mail. 
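As an added example (not Outlook.com's own implementation), here is the receiver-side evaluation the paragraphs above describe: the sender's policy is fetched from its `_dmarc` TXT record, the SPF and DKIM results are checked for identifier alignment with the From domain, and the published `p=` disposition (none, quarantine or reject) is applied only when both aligned checks fail. The DNS table, domains and report address are constructed so the code runs offline, and the organizational-domain helper is simplified (a real receiver uses the Public Suffix List).

```python
"""Receiver-side DMARC evaluation (RFC 7489), as an added illustration.

Not Outlook.com's code. DNS is replaced by a constructed table so the
example runs offline; domains and addresses below are made up.
"""

# Constructed stand-in for DNS: _dmarc.<domain> TXT records.
FAKE_DNS = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s; "
                           "rua=mailto:dmarc-reports@bank.example",
    "_dmarc.shop.example": "v=DMARC1; p=quarantine; pct=100; adkim=r; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict, filling RFC 7489 defaults.

    adkim/aspf: 'r' (relaxed) or 's' (strict) alignment; pct: share of
    failing mail the policy applies to; rua: where aggregate reports go.
    """
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.

    A production receiver derives this from the Public Suffix List so that
    e.g. 'co.uk' is not treated as an organization.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookup_policy(from_domain, dns=FAKE_DNS):
    """Query _dmarc.<from_domain>, then the organizational domain (RFC 7489 6.6.3)."""
    for candidate in (from_domain, organizational_domain(from_domain)):
        txt = dns.get("_dmarc." + candidate.lower())
        if txt:
            try:
                return parse_dmarc_record(txt)
            except ValueError:
                continue
    return None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment between the RFC5322.From domain and the
    SPF (MAIL FROM) or DKIM (d=) domain. Strict needs an exact match;
    relaxed accepts the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, dns=FAKE_DNS):
    """Return (disposition, detail).

    disposition is 'pass', the sender's p= value (none/quarantine/reject),
    or 'no-policy' when the domain publishes no DMARC record. pct is parsed
    but, for brevity, sampling of partial policies is not applied here.
    """
    policy = lookup_policy(from_domain, dns)
    if policy is None:
        return "no-policy", "no DMARC record; fall back to plain SPF/DKIM results"
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "spf" if spf_ok else "dkim"
    return policy["p"], "failed both aligned SPF and aligned DKIM"


if __name__ == "__main__":
    # Spoofed From: SPF passed, but only for the attacker's own sending domain.
    print(evaluate("bank.example", "mailer.attacker.example", True, None, False))
    # Legitimate bank mail signed with an aligned DKIM key.
    print(evaluate("bank.example", None, False, "bank.example", True))
    # Subdomain From with no record of its own inherits the org-domain policy.
    print(evaluate("login.bank.example", None, False, "bank.example", True))
```

The first case in the demo is the one DMARC adds over plain SPF and DKIM: the attacker's message passes SPF for a domain the attacker controls, but that identifier is not aligned with the spoofed From domain, so the bank's `p=reject` applies. The `rua=` tag is the feedback channel described above, where receivers send the aggregate pass/fail reports that let a sender see who is using its domain.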

EV certificates – taking SSL to the next level

A second type of phishing happens when an attacker puts up a website that pretends to be from one company, but is actually from another.  SSL is an important part of protecting against phishing, but there have been recent cases where some SSL certificates have been compromised, which allowed attackers to impersonate SSL sites.  EV Certificates make your browsing experience more secure than plain SSL by adding confidence that you are interacting with a trusted website and that your information is secure. 

EV certificates are deeply vetted by the Certificate Authority, providing significant assurance that you can trust the sites that use them. These certificates require a minimum of 2048-bit encryption, which is far more secure than what is commonly used with standard SSL. The green address bar in your browser provides immediately recognizable assurance that your connection to the service is as secure as it can be from prying eyes. Contrast that with the key length standard SSL uses: in many cases it can be fairly low, creating a false sense of security. EV certificates deter phishing attacks by preventing malicious sites from masquerading as the trusted service. While malicious sites might try to impersonate a site’s UI or brand, they cannot replicate the browser’s green bar. And by deploying EV certificates broadly we can apply 2048-bit encryption not just to your login, but to your actual mail content as well.

EV certificate support in Outlook.com is rolling out now, and will be coming soon to SkyDrive and our other services.  And of course, the same level of protection is extended to Hotmail.com and Live.com customers while they are upgrading to Outlook.com.  We have chosen one of the most-trusted Certificate Authorities (CA) to issue our EV certificates–Symantec. You can easily verify the authenticity of our webpages by using the enhanced display supported by most browsers, which includes the name of the company or entity that owns the certificate–in this case Microsoft Corporation–and a distinctive green color shown in the address bar to indicate that a valid EV certificate was received.
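The "enhanced display" the paragraph above refers to is driven by fields the CA placed in the certificate subject after vetting the organization. As an added example (not Microsoft's code), the check below inspects a certificate in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, confirms the subject carries the fields the CA/Browser Forum EV Guidelines require (organizationName, businessCategory, jurisdictionCountryName, serialNumber, countryName), confirms the key is at least 2048 bits, and compares the organization name with the one you expect to see. The sample certificates are constructed, and the subject attribute names assume OpenSSL's long names as exposed by Python's `ssl` module.

```python
"""EV subject-field and key-size check on a getpeercert()-style certificate.

Added illustration, not Microsoft's code. Sample certificates below are
constructed, not real.
"""
import socket
import ssl

MIN_KEY_BITS = 2048  # the minimum the post cites for EV certificates

# Subject attributes an EV certificate must carry (CA/Browser Forum EV Guidelines).
EV_REQUIRED_SUBJECT_FIELDS = {"organizationName", "businessCategory",
                              "serialNumber", "countryName"}
# jurisdictionCountryName may surface under its long name or as the raw OID,
# depending on the OpenSSL build Python links against (assumption).
JURISDICTION_COUNTRY_NAMES = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}


def subject_fields(cert):
    """Flatten the nested RDN tuples of a getpeercert() dict into {attr: value}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            fields[attr] = value
    return fields


def check_ev(cert, key_bits, expected_org=None):
    """Return a list of findings. An empty list means the subject carries the
    EV fields, the key is at least MIN_KEY_BITS, and (if given) the
    organization name matches what the user expects to see in the green bar."""
    findings = []
    subj = subject_fields(cert)
    present = set(subj)
    missing = sorted(EV_REQUIRED_SUBJECT_FIELDS - present)
    if missing:
        findings.append("missing EV subject fields: " + ", ".join(missing))
    if not (JURISDICTION_COUNTRY_NAMES & present):
        findings.append("missing jurisdictionCountryName")
    if key_bits < MIN_KEY_BITS:
        findings.append(f"key too small: {key_bits} bits (minimum {MIN_KEY_BITS})")
    if expected_org and subj.get("organizationName") != expected_org:
        findings.append(f"organizationName is {subj.get('organizationName')!r}, "
                        f"expected {expected_org!r}")
    return findings


def fetch_peer_cert(host, port=443):
    """Fetch the live, chain-verified certificate of a server.

    Needs network access, so the offline demo does not call it. Note that
    getpeercert() does not report the key size; derive key_bits from the
    DER certificate with a library such as 'cryptography' if you need it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: what an EV subject looks like after CA vetting.
EV_SAMPLE = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "12345678"),),          # constructed registration number
        (("countryName", "US"),),
        (("organizationName", "Example Corporation"),),
        (("commonName", "mail.example.com"),),
    ),
}
# Constructed sample: a domain-validated certificate names only the host.
DV_SAMPLE = {"subject": ((("commonName", "mail.example.com"),),)}


if __name__ == "__main__":
    print("EV sample:", check_ev(EV_SAMPLE, 2048, "Example Corporation"))
    print("DV sample:", check_ev(DV_SAMPLE, 1024, "Example Corporation"))
```

The point of the `expected_org` comparison is the one the paragraph makes: a look-alike site can copy a page's branding, but the organization name the browser displays comes from the vetted subject, so checking it against the name you expect (here "Microsoft Corporation" for Outlook.com) is the defensive habit the green bar is meant to encourage.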

[Image: Outlook.com security]

Your security is a top priority

Security is a top concern when choosing an email service, and it’s a top priority for all Microsoft development efforts, products, and services. We’re never done and will always keep improving.  But we believe that Outlook.com is the best email service available, and now Outlook.com offers even more security enhancements that you won’t find anywhere else.

–Krish Vitaldevara, Outlook.com Program Management Team



9 comments
  1. Impressive, keep up the good work, you are building the best email service.

  2. @Dirk, you have to work with whoever is hosting your custom domain to publish DMARC policy for the domain as part of the DNS record of that domain. In most cases DMARC is useful for brands that are more susceptible to phishing and are phished frequently. Do you believe that your custom domain needs the same level of protection? You can read more about how to set up authentication and publish DMARC policy at http://www.dmarc.org or http://www.returnpath.com/solution-content/dmarc-support/how-to-implement/

  3. Will this work for custom domains, too? How do I configure my custom domains to work with DMARC?

  4. I’d LOVE to switch from the ugly and slow Google Apps to Windows Live Admin Center Outlook.com or whatever it is called now ;) But so many things which are even available at the "we have 20 customers Zoho service" are missing, Microsoft.

    1. I do have around 200 alias addresses. microsoft.com@example.com, websitebla.com@example.com, sendspamhere@example.com etc. In Google Apps I didn’t have to set up each account. I set up a main@example.com account when I signed up and enabled a wildcard account.

    I asked around a year ago and it was NOT possible to set up a wildcard (*@example.com) address using Windows Live Admin Center. Microsoft support recommended me (no kidding!) to create 200 and more alias accounts (all real accounts!) and forward each and every alias account to my main@example.com Outlook.com (former Hotmail) account. It’s getting better: MSFT also told me to regularly log in to each account so that it doesn’t get deleted. So that means I can log in to hundreds of accounts every X weeks? If we would have 1986, I’d agree. In 2012 it’s kinda ridiculous! So, please allow custom domain users to set up a wildcard address.

    2. No IMAP. I know you want to urge.. sorry.. promote your super special synchronization protocol to your users, but accept that people want to use their existing IMAP clients (Pine or whatever) every once in a while.

    3. Skydrive: Fantastic. Great integration with Outlook. But I am not allowed to upload whatever I want to Skydrive. For example, I am not allowed to upload my beach photo cause it shows partial *nudity*. Sure, I could encrypt each and every photo but that doesn’t make sense, does it? I can understand if I would *share* photos, videos or whatever (legal problems, traffic… etc.)…

    4. No XMPP integration. Sure you want to promote Skype but why not allowing users to set up their existing XMPP accounts? That way you could easily steal millions of users from Google etc.

    5. Outlook.com address book: Even a 20 buck PDA allows me to set up custom photos for contacts. Not possible using Outlook.com? Oh please.

    • I don’t believe your third point which you have written for Skydrive.

  5. I’d love to see RSS feeds in outlook.com as I see in the Outlook application. I think Microsoft should have a competitor for Google Reader.

  6. @Krish I have 2 questions:

    1) Mail I receive in Outlook.com from the domain paypal.nl gets a green shield, but there is no DMARC record published for the domain paypal.nl.

    2) We send e-mail, also our office mail, for example from the domain measuremail.com, that is fully DMARC compliant, but no green shield appears in Outlook.com

    Could you please help me on these issues?

    • Today we use a mix of Authentication, sender reputation and sender’s susceptibility to phishing attacks to determine which senders to offer green shield to. DMARC and Authentication go hand in hand. If we only use authentication and/or DMARC without the other two factors you can see how spammers can use it to their advantage and try to increase the legitimacy of their campaigns. Hence the difference in behavior you noticed in those two cases. DMARC plays a pivotal role in significantly expanding the coverage for the trusted senders so please stay tuned.
