Outlook.com increases security with support for DMARC and EV certificates

In a previous blog post, we talked about our goal of making Outlook.com the best and most-used personal email service on the planet. That means building a great service with all the features you expect from modern email, but it also means building a service that is known for world-class reliability, industry-leading spam protection and rock-solid security features. Today we’re announcing two new enhancements to Outlook.com that help protect your email.

Over the past several weeks since we announced Outlook.com, we’ve continued to work to deliver you the highest levels of security and protection technologies.  Today, we are excited to announce two important new security features that help fight common phishing attacks and provide you with even more protection.  The first is complete support for DMARC, a standard that makes it harder for someone to deliver phishing mail to your inbox.  And the second is support for Extended Validation Certificates (EV Certificates), which provides a more secure SSL connection when you are using Outlook.com. We’re proud to be the first major email service to provide this higher level of safety and security. Taken together, these new security measures help prevent attackers from stealing your account information and protect your account from phishing attacks.

DMARC protects you and email senders from phishing attacks

One example of a common phishing attack is when someone fakes the sender’s address, and uses that to try to trick someone into giving up personal information.  For example, an attacker could send mail that looks like it is from a legitimate bank and ask for account verification to trick someone into giving their account name and password.  The attacker could then use that name and password to access the actual bank account.  Today we help prevent these phishing attacks by supporting email authentication standards for sending and receiving email–including SPF, SenderID and DKIM–as well as our own email filtering technology. 

DMARC is a new policy enforcement and reporting standard that builds on SPF and DKIM, providing more deterministic outcomes for messages that fail authentication. Microsoft has been a core participant in the DMARC standards body since its inception. We share its mission to fight against domain-based phishing, along with Facebook, PayPal, Gmail, ReturnPath and others. This standard helps prevent phishing mail from getting into your inbox, and helps senders understand when an attacker is trying to send phishing mail from their domains.

Our DMARC implementation helps protect you by making it easier to visually identify mail from senders as legitimate, and helps keep spam and phishing messages from ever reaching your inbox. If a sender supports DMARC, we put a trusted sender logo next to their email indicating it is legitimate. The effect is cumulative; the more email sending services use DMARC, the broader the protection offered against phishing.

DMARC helps protect email sending services by giving them valuable information about mail coming from their domain.  As part of DMARC, senders get reports on email that comes from their domain (good and bad), as well as how much of their traffic is passing/failing email authentication checks. This info helps them plan their authentication deployment as well as better understand the nature of the attacks on their domains.  They can also request that messages using their domain that fail authentication be quarantined or rejected, and receive data extracted from failed messages such as header information and URIs from the message body, to provide them visibility into the types of attacks that are targeting their brands.
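How a receiving server applies a sender's published policy, as an added example (not Outlook.com's implementation and not part of the original post). The domains, the record and the messages are constructed; the organizational-domain rule is a simplification, and the `pct` and `sp` tags are ignored.

```python
from collections import Counter

# Constructed TXT value a sender might publish at _dmarc.bank.example
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-agg@bank.example; ruf=mailto:dmarc-fail@bank.example")

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplifying assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_result, disposition) for one message."""
    tags = parse_dmarc(record)
    # A bare SPF or DKIM pass is not enough: the authenticated domain must
    # also align with the domain shown in the From: header.
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

def summarize(record, from_domain, messages):
    """Tally dispositions, the kind of count an aggregate report gives the domain owner."""
    return Counter(evaluate(record, from_domain, *m)[1] for m in messages)

# Constructed messages: (spf_pass, spf_domain, dkim_pass, dkim_domain)
SAMPLE_MESSAGES = [
    (True, "bounce.bank.example", False, ""),   # legitimate: SPF passes and aligns
    (True, "attacker.example", False, ""),      # spoofed From:, SPF passes for another domain
    (False, "", True, "mail.bank.example"),     # subdomain DKIM fails strict alignment
]
```

The second message is the case the policy exists for: SPF passes for the domain that actually sent the mail, but that domain does not align with the `From:` address the reader sees, so the message is quarantined.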

This combination of protection for readers and senders allows DMARC to help the entire email ecosystem and we are happy to be fully compliant with DMARC for received mail. 

EV certificates – taking SSL to the next level

A second type of phishing happens when an attacker puts up a website that pretends to be from one company, but is actually from another.  SSL is an important part of protecting against phishing, but there have been recent cases where some SSL certificates have been compromised, which allowed attackers to impersonate SSL sites.  EV Certificates make your browsing experience more secure than plain SSL by adding confidence that you are interacting with a trusted website and that your information is secure. 

EV certificates are deeply vetted by the Certificate Authority, providing significant assurance that you can trust the sites that use them. These certificates require a minimum of 2048-bit encryption, which is far more secure than what is commonly used with standard SSL. The green address bar in your browser provides immediately recognizable assurance that your connection to the service is as secure as it can be from prying eyes. Contrast that with the key length standard SSL uses: in many cases, it can be fairly low, creating a false sense of security. EV certificates deter phishing attacks by preventing malicious sites from masquerading as the trusted service. While malicious sites might try to impersonate a site’s UI or brand, they cannot replicate the browser’s green bar. And by deploying EV certificates broadly we can apply 2048-bit encryption not just to your login, but to your actual mail content as well.

EV certificate support in Outlook.com is rolling out now, and will be coming soon to SkyDrive and our other services.  And of course, the same level of protection is extended to Hotmail.com and Live.com customers while they are upgrading to Outlook.com.  We have chosen one of the most-trusted Certificate Authorities (CA) to issue our EV certificates–Symantec. You can easily verify the authenticity of our webpages by using the enhanced display supported by most browsers, which includes the name of the company or entity that owns the certificate–in this case Microsoft Corporation–and a distinctive green color shown in the address bar to indicate that a valid EV certificate was received.

 

Your security is a top priority

Security is a top concern when choosing an email service, and it’s a top priority for all Microsoft development efforts, products, and services. We’re never done and will always keep improving.  But we believe that Outlook.com is the best email service available, and now Outlook.com offers even more security enhancements that you won’t find anywhere else.

–Krish Vitaldevara, Outlook.com Program Management Team