Back
Office 365

Exchange Online Protection enhancements—part 2

Shobhit Sahay is a technical product manager on the Exchange Online team.

In part 1 of the post, we announced some new and exciting features in Exchange Online Protection (EOP). In this post, we’ll look at more new features that are coming to Exchange Online Protection. Let’s get straight to them.

  • User access to spam quarantine is now available
  • Support added for DomainKeys Identified Mail (DKIM)
  • Enhanced support for IPv6
  • New match subdomains feature
  • You can now manage users and groups directly in the EAC
  • Geocentric affinity is being expanded

Users access to spam quarantine is now available

Exchange Online Protection and Exchange Online users can now access and manage their own spam-quarantined messages via the web using the spam quarantine page in the Exchange admin center (EAC) by going to https://admin.protection.outlook.com/quarantine. In order to access the spam quarantine page, users must have a valid Office 365 user ID and password. EOP customers protecting on-premises mailboxes must be valid email users created via directory synchronization or in the EAC. For information about managing users in EOP standalone plans, admins can refer to Manage Mail Users in EOP.  You can use directory synchronization to automate the process and, optionally, synchronize passwords.

Users can now access their own spam-quarantined messages in the Exchange admin center.

Users can now access their own spam-quarantined messages in the Exchange admin center.

Users can search their spam quarantine for a particular message, using criteria such as received date and subject in order to narrow down the list of messages shown.

You search spam-quarantined messages in Exchange Online Protection.You can perform advanced search on spam-quarantined messages.

Users can also release individual messages from their spam quarantine for delivery to their inbox.

You can release individual messages from spam quarantine to your inbox.

You can release individual messages from spam quarantine to your inbox.

In addition, you can report messages as “not junk” to the Microsoft Spam Analysis Team, who will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through. Reporting the message as not junk also releases the message to your inbox.

Report a spam-quarantined message as “not junk,” and it’s released to your inbox.

When you report a message as “not junk,” it’s released to your inbox.

You can view details of how a message was received by clicking the View Message Header… link to get the SMTP header portion of the message. You can access the View Message Header… link on the page that lists all your spam-quarantined messages, under message details.

You can view details about a spam-quarantined message in Exchange Online Protection.

Viewing the message header for an individual message gives you details about how it was received.

 

Support added for DomainKeys Identified Mail (DKIM)

EOP will begin supporting inbound validation of Domain Keys Identified Mail (DKIM; see DomainKeys Identified Mail Signatures). DKIM is a method of validating a digitally signed message that appears in the DKIM-Signature header in the message headers. It ties an email message to the organization responsible for the message.

Initially, DKIM verification will be restricted only to messages over IPv6. In a future release, EOP will verify all inbound messages signed with DKIM over IPv4.

The results of a DKIM-Signature validation will be stamped in the Authentication-Results header, which conforms with RFC 7001 (Message Header Field for Indicating Message Authentication Status).

Customers will be able to write Exchange Transport Rules (ETRs) on the results of a DKIM validation to filter or route messages as needed. For example:

In a future release, we will also provide DKIM signing.

Enhanced support for IPV6

EOP will begin supporting the ability to receive email over IPv6 from senders who do not send messages over Transport Layer Security (TLS). Admins can permit users to opt in to receive email over IPv6 by requesting it from the EOP Support team. If they do not opt in, they will receive email over IPv4. There will be limited availability for inbound IPv6 for the first few months, and you will have to opt in manually. In a future release, customers will be able to opt in via remote PowerShell or through the Exchange admin center.

Senders who transmit to the service over IPv6 must comply with the following two requirements:

  1. The sending IPv6 address must have a valid PTR record (reverse DNS record of the sending IPv6 address).
  2. The sender must pass either SPF verification (defined in RFC 4408) or DKIM verification (defined in RFC 6376).

If both of these criteria are met, the message will go through normal email filtering. If one or the other is not met, the email address will be rejected with a 554 response and the sending email server may not retry sending the message over IPv4. Here are examples a 554 response to the failure to meet these criteria:

If the receiving customer has not opted in to IPv6 and the sender tries to force a message over IPv6, the email message will be rejected with a 550 response.  Here’s an example of such a rejection:

 

New match subdomains feature

The match subdomains feature enables you to send and receive emails on subdomains of a provisioned domain (aka Accepted Domain) in Office 365.

When the match subdomains feature is enabled for a domain, emails can be sent and received for subdomains on this domain. For example, if contoso.com is a provisioned domain and match subdomains support is enabled, users can send emails to or receive emails from a.contoso.com, b.contoso.com, a.b.contoso.com, and other subdomains.

This feature is for EOP standalone customers and for customers who have a hybrid environment with  mailboxes that reside on-premises. It is applicable only for the Internal Relay domain type.

To access this feature, in the Exchange admin center, click mail flow, and then click accepted domains. You will see a list of accepted domains.

You can match subdomains in Exchange Online Protection.

To match subdomains for a particular domain, double-click the domain on the mail flow page in the EAC.

Double-click the domain (for example, contoso.com) for which you want to enable the match subdomains feature. On that domain’s page, select the Accept mail for all subdomains checkbox, and then click Save.

Enable match subdomains to accept email for all subdomains of an accepted domain.Once you enable match subdomains for an accepted domain, your organization will accept email for all subdomains of that domain.

This enables the match subdomains feature for a domain.

Once the feature is enabled for the domain, Office 365 will be able to deliver to mailboxes in your on-premises environment emails that have email addresses on any of the subdomains.

 

You can now manage users and groups directly in the EAC

EOP offers several ways to manage your mail recipients, domains, and company information. EOP standard and Exchange Enterprise CAL with Services tenants can now directly manage recipients from within the Exchange admin center (EAC). This includes the ability to add, edit, or delete mail-enabled users (mail recipients who are internal to the organization) from the EAC and the ability to use mail enabled users as part of filtering policies and rules.

To add mail users and groups directly to the EAC, follow the instructions provided in in Manage Mail Users in EOP (see the Use the EAC to manage mail users section) and Manage Groups in EOP. Previously, only a view-only mode was possible for users, and group functionality was not available.

 

Geocentric affinity is being expanded

EOP runs on a worldwide network of Office 365 data centers that are designed to provide the best availability. Today we have data centers in different regions such as North America and EMEA, including a Government Community Cloud in the U.S. We maintain geocentric affinity in these two regions, meaning that the data sent within a region is processed within that region.

We’re expanding geocentric affinity for EOP to the Asia-Pacific (APAC) region. Currently, all Exchange Online mailboxes for APAC customers are already located in APAC data centers, and later this year messages will be routed through APAC data centers for EOP
filtering.

You can learn more about the geocentric affinity in the EOP data centers section of the Exchange Online Protection Overview.

We have a lot more enhancements to EOP coming down the pipeline, but for now, we look forward to seeing you use these new features.

–Shobhit Sahay

Join the conversation

6 comments
  1. So when are we getting those? None of the tenants our customers use have gotten even the improvements listed in part 1 (DBEB, etc)

    • Same for us. Microsoft should evaluate a better way for informing the customers of the tenants, when feature upgrades are done or are at least estimated. This way its a walk in the dark.

  2. Is there a tenant based URL for those using federated authentication to bypass the main login page (which is then redirected to our adfs login page)? Specifically this url: https://admin.protection.outlook.com/quarantine is there a way to indicate our tenant so it rolls to our adfs login page?

    • Redirection is automatic and cannot be configured to route elsewhere. This is done for security purposes. The Identity Service in the cloud is used to create a token that is processed by the quarantine UI site to determine access. This service verifies that the user logging-in is known by/logged into your federated infrastructure and then issues the token for consumption by the site.

    • Thanks for the noticing the issue with the header text and providing feedback.

      There is nothing to administer in the end-user quarantine UI. What aspects of the feature are you looking to configure?

Comments are closed.