Quantcast
Channel: Terry Zink: Security Talk
Viewing all articles
Browse latest Browse all 243

How I personally use Outlook with Office 365

$
0
0

Sometimes people ask me how they should configure Outlook and Office 365 (Exchange Online Protection, or EOP) so they work together in the best way. This is tough for me to recommend because it depends on the local set up.

However, I can talk about how I personally use it. I am both a normal end user through my account at work, @microsoft.com. And, I am end user and administrator through my personal domain, @terryzink.com. I’m the only person on my personal domain although I do have many email accounts on it.

So, here is how I set up my own accounts so they work best for me from an antispam point of view. One is for me as an administrator of my personal domain with a very simple configuration (one user), and one as an end user in a large organization. This guide does not tell an administrator of a large organization how to set things up.

One more thing - your mileage may vary.

1. In your DNS provider (or following your organization’s DNS change-management process), set up the required SPF, DKIM, and DMARC records for your domain

For my personal domain and for Microsoft

2. In the Exchange Admin Center, I  turn off all of the Advanced Spam Filtering (ASF) options (your mileage may vary)

For my personal domain

I don’t have any of the Advanced Spam Filtering rules enabled for my personal domain – not SPF Hard Fail, not “Image Links to Remote Sites”, not “Backscatter NDR”, nor anything else. If you are an on-prem customer who uses Office 365 to relay outbound email, I recommend turning on the “Backscatter NDR” setting. I talk more about this here:

http://blogs.msdn.com/b/tzink/archive/2015/04/18/office-365-will-slightly-modify-its-treatment-of-anonymous-inbound-email-over-ipv6.aspx

The other ASF settings are too aggressive for me, if you’re reading this blog post you may want to enable more.

For Bulk Mail, I use the default level of protection which sends anything with a Bulk Confidence Level (BCL) of 7 or higher to junk.

image

I set both spam and high confidence spam to be marked with an x-header.

For Microsoft

I can’t divulge Microsoft’s configuration for ASF rules, but we send all spam and high confidence spam to the junk folder.

Some customers enable more ASF rules, but the majority don’t enable any.

3. Turn off Outlook’s Junk Email Filtering

For my personal domain

I don’t use Outlook for personal email because I like pressing Ctrl+U to see the raw source of a message. Instead of Outlook, I use a combination of the Thunderbird email client and pull my messages over POP3 (not IMAP, long story) and sort spam based upon an x-header using inbox rules, and I also check mail on my phone.

The problem with checking mail on my phone and using POP3 is that I download all of my email, spam and non-spam alike. I turned off moving junk mail to my Junk folder in Outlook Web Access, I am debating whether or not to turn it back on or to change the spam action to Modify Subject Line so that when my phone downloads something, I know that it’s spam.

For Microsoft

For my @microsoft.com account, I don’t have much in the way of configurability since I am not the administrator of the domain. However, for the most part it isn’t necessary.

I find Outlook’s junk mail double filtering too aggressive and sends too much good email to Junk, so I turned it off (right-click on a message > Junk > Junk Email settings > first tab, Options).

image

Under the Safe Senders tab, I uncheck “Also trust e-mail from my Contacts” and “Automatically add people I e-mail to the Safe Senders List.” If I want to add to my Safe Senders List, I right-click on the message > Junk > Never Block Sender.

image

Outlook still sends my messages to the spam folder. It does this because in EOP, when a message is marked as spam EOP sets the Spam Confidence Level (SCL) MAPI property in Exchange and sets the X-MS-Exchange-Organization-SCL header with the SCL 5, 6, or 9. Outlook knows that if the MAPI SCL property is 5-9, move it to Junk.

However, if my mailbox was hosted on-prem, I’d have to either create a local ETR to interpret the headers of the message that EOP stamps and set the SCL locally, as describe here:

https://technet.microsoft.com/en-us/library/jj837173(v=exchg.150).aspx

Or, you could have the X-MS-Exchange-Organization headers preserved when sending from EOP to your on-premise Exchange server and send the message over TLS.


4. Set up Advanced Threat Protection (ATP)

ATP is available from EOP either as a paid add-on, or you can upgrade to our E5 SKU from Microsoft which bundles a bunch of other services in addition to ATP.

For my personal domain

I have all the default options enabled with Do-not-track-clicks off, Do-not-allow-click-throughs off, and the only “Do not rewrite” URL is Netflix.com for some reason (I was probably testing it). I don’t have anyone enabled for Safe Attachments but I’m the only one in my domain. I don’t notice any degradation of service for my personal email. Almost every email I get is in HTML format so the rewritten links don’t look any different. When I click on any rewritten link, the lookup time is negligible and I never notice any lag.

For Microsoft

Much of Microsoft is on both Safe Links and Safe Attachments. Here, because we get so much plain text email, I do notice that sometimes it is inconvenient for messages to have URLs in plain text wrapped. We are looking into giving administrators the option to not rewrite plain text URLs. I might do that if I were an admin, but the tradeoff is that spammers can just send their messages in plain-text to some end users.

Other than that, I don’t notice anything special about my mailbox, the feature is seamless.


That’s it. That’s basically all I do to get basic mail flow working and configured with the optimal antispam settings (I do have some ETRs that are unique to my domain’s configuration).

Administrators will need to set up connectors, may want to set up ETRs for Criteria Based Routing, IP Allow rules, ETR Allow rules, etc. Microsoft as a company has all that stuff set up, but that’s out of scope of this blog post.

I hope this information helps.


Viewing all articles
Browse latest Browse all 243

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>