Sometimes people ask me how they should configure Outlook and Office 365 (Exchange Online Protection, or EOP) so they work together in the best way. This is tough for me to recommend because it depends on the local set up.
However, I can talk about how I personally use it. I am both a normal end user through my account at work, @microsoft.com. And, I am end user and administrator through my personal domain, @terryzink.com. I’m the only person on my personal domain although I do have many email accounts on it.
So, here is how I set up my own accounts so they work best for me from an antispam point of view. One is for me as an administrator of my personal domain with a very simple configuration (one user), and one as an end user in a large organization. This guide does not tell an administrator of a large organization how to set things up.
One more thing – your mileage may vary.
1. In your DNS provider (or following your organization’s DNS change-management process), set up the required SPF, DKIM, and DMARC records for your domain
For my personal domain and for Microsoft
- For SPF, you’ll need to follow the official documentation we have but I’ve outlined the best configuration in this blog post:
http://blogs.msdn.com/b/tzink/archive/2015/07/12/what-is-the-best-combination-for-your-spf-record-dkim-record-and-dmarc-record.aspx
If you have a complicated SPF record with lots of IPs sending as you with many nested includes, you may want to consider using a 3rd party service like ValiMail that allows you to publish a wildcard SPF entry, and then you manage your SPF record using their web interface. It’s easier than having to do the 10 DNS-lookup limit math, as well as try to fit everything into 255 characters in a DNS TXT record (or 512 if you concatenate them).
- You should enable DKIM manually by following the instructions in this blog post: http://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkim-signing-in-office-365.aspx
- My personal domain terryzink.com has SPF records, DKIM records and DKIM signing enabled, and a DMARC p=reject record published. For microsoft.com, I added Office 365 to its SPF record, created DKIM records and enabled DKIM signing, and published a DMARC record of p=none. To do all of these, I had to go through Microsoft’s DNS change-management process.
- I don’t worry about spoofed messages getting through to either my domain or to Microsoft. For my personal domain, since I have a DMARC reject record, no one can spoof it. For Microsoft, we have an Exchange Transport Rule (ETR) that marks any message that fails DMARC from the domain Microsoft.com as SCL 9 which marks it as spam automatically, I talk about how to do this here:
However, if I didn’t do any SPF, DKIM, or DMARC, I’d still be protected based upon EOP’s special antispoofing solution:
http://blogs.msdn.com/b/tzink/archive/2015/09/10/combating-spoofing.aspx
- I have enabled IPv6 support for receiving inbound email on my personal domain. I have not enabled Microsoft.com for IPv6 but I would expect that we wouldn’t have any difficult since EOP issues 4xx on inbound IPv6 connections if they don’t have a PTR record on the sending IPv6 address, or the message has neither SPF nor DKIM.
2. In the Exchange Admin Center, I turn off all of the Advanced Spam Filtering (ASF) options (your mileage may vary)
For my personal domain
I don’t have any of the Advanced Spam Filtering rules enabled for my personal domain – not SPF Hard Fail, not “Image Links to Remote Sites”, not “Backscatter NDR”, nor anything else. If you are an on-prem customer who uses Office 365 to relay outbound email, I recommend turning on the “Backscatter NDR” setting. I talk more about this here:
The other ASF settings are too aggressive for me, if you’re reading this blog post you may want to enable more.
For Bulk Mail, I use the default level of protection which sends anything with a Bulk Confidence Level (BCL) of 7 or higher to junk.
I set both spam and high confidence spam to be marked with an x-header.
For Microsoft
I can’t divulge Microsoft’s configuration for ASF rules, but we send all spam and high confidence spam to the junk folder.
Some customers enable more ASF rules, but the majority don’t enable any.
3. Turn off Outlook’s Junk Email Filtering
For my personal domain
I don’t use Outlook for personal email because I like pressing Ctrl+U to see the raw source of a message. Instead of Outlook, I use a combination of the Thunderbird email client and pull my messages over POP3 (not IMAP, long story) and sort spam based upon an x-header using inbox rules, and I also check mail on my phone.
The problem with checking mail on my phone and using POP3 is that I download all of my email, spam and non-spam alike. I turned off moving junk mail to my Junk folder in Outlook Web Access, I am debating whether or not to turn it back on or to change the spam action to Modify Subject Line so that when my phone downloads something, I know that it’s spam.
For Microsoft
For my @microsoft.com account, I don’t have much in the way of configurability since I am not the administrator of the domain. However, for the most part it isn’t necessary.
I find Outlook’s junk mail double filtering too aggressive and sends too much good email to Junk, so I turned it off (right-click on a message > Junk > Junk Email settings > first tab, Options).
Under the Safe Senders tab, I uncheck “Also trust e-mail from my Contacts” and “Automatically add people I e-mail to the Safe Senders List.” If I want to add to my Safe Senders List, I right-click on the message > Junk > Never Block Sender.
Outlook still sends my messages to the spam folder. It does this because in EOP, when a message is marked as spam EOP sets the Spam Confidence Level (SCL) MAPI property in Exchange and sets the X-MS-Exchange-Organization-SCL header with the SCL 5, 6, or 9. Outlook knows that if the MAPI SCL property is 5-9, move it to Junk.
However, if my mailbox was hosted on-prem, I’d have to either create a local ETR to interpret the headers of the message that EOP stamps and set the SCL locally, as describe here:
https://technet.microsoft.com/en-us/library/jj837173(v=exchg.150).aspx
Or, you could have the X-MS-Exchange-Organization headers preserved when sending from EOP to your on-premise Exchange server and send the message over TLS.
4. Set up Advanced Threat Protection (ATP)
ATP is available from EOP either as a paid add-on, or you can upgrade to our E5 SKU from Microsoft which bundles a bunch of other services in addition to ATP.
For my personal domain
I have all the default options enabled with Do-not-track-clicks off, Do-not-allow-click-throughs off, and the only “Do not rewrite” URL is Netflix.com for some reason (I was probably testing it). I don’t have anyone enabled for Safe Attachments but I’m the only one in my domain. I don’t notice any degradation of service for my personal email. Almost every email I get is in HTML format so the rewritten links don’t look any different. When I click on any rewritten link, the lookup time is negligible and I never notice any lag.
For Microsoft
Much of Microsoft is on both Safe Links and Safe Attachments. Here, because we get so much plain text email, I do notice that sometimes it is inconvenient for messages to have URLs in plain text wrapped. We are looking into giving administrators the option to not rewrite plain text URLs. I might do that if I were an admin, but the tradeoff is that spammers can just send their messages in plain-text to some end users.
Other than that, I don’t notice anything special about my mailbox, the feature is seamless.
That’s it. That’s basically all I do to get basic mail flow working and configured with the optimal antispam settings (I do have some ETRs that are unique to my domain’s configuration).
Administrators will need to set up connectors, may want to set up ETRs for Criteria Based Routing, IP Allow rules, ETR Allow rules, etc. Microsoft as a company has all that stuff set up, but that’s out of scope of this blog post.
I hope this information helps.