TLS is a core feature for encrypting and securing messages over SMTP, and it affords protection against message interception and attacks. However, downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in clear text. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker’s server. We’ve been working on ways to improve these limitations and risks.
SMTP MTA Strict Transport Security (MTA-STS)
MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can’t be negotiated (for example, stop the transmission). Exchange Online (EXO) outbound mail flow now supports MTA-STS. More information about EXO support for MTA-STS will be published later this year.
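As an added illustration (not Exchange Online's code), the following Python evaluates a constructed MTA-STS policy the way a sending MTA would: it parses the policy body, checks the resolved MX host against the mx: patterns, and applies the policy mode to decide whether the message may still go out when TLS can't be negotiated. Policy fetching, DNS lookup and certificate validation are assumed to happen elsewhere; the policy text and hostnames are constructed.

```python
# Added example, not Exchange Online's code: evaluate an MTA-STS (RFC 8461)
# policy for one outbound SMTP connection. Policy text and hosts are constructed.

# Constructed policy body as served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

def parse_policy(text):
    """Parse the key/value policy into a dict; the 'mx' key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy

def mx_matches(policy, mx_host):
    """True if mx_host is an allowed MX. A leading '*.' matches one label only."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """Return 'deliver' or 'defer'. tls_ok means TLS was negotiated with a
    certificate valid for mx_host; anything else is a policy failure."""
    if policy["mode"] == "none" or (mx_matches(policy, mx_host) and tls_ok):
        return "deliver"
    # testing: keep delivering but report the failure; enforce: never send in clear
    return "deliver" if policy["mode"] == "testing" else "defer"
```

In enforce mode a stripped STARTTLS or an MX that is not in the policy leads to a deferral rather than cleartext delivery, which is what defeats the downgrade and MITM cases described above.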
DANE / DNSSEC
DANE for SMTP (DNS-based Authentication of Named Entities) and DNSSEC (Domain Name System Security Extensions) further help shore up messaging security. DANE uses the presence of DNS TLSA resource records to securely signal TLS support to ensure sending servers can successfully authenticate legitimate receiving email servers. This makes the secure connection resistant to downgrade and MITM attacks. DNSSEC works by digitally signing records for DNS lookup using public key cryptography. This ensures that the received DNS records have not been tampered with and are authentic. For more information see Support of DANE and DNSSEC in Office 365 Exchange Online.
TLS 1.0 & 1.1 Deprecation
While we’ve been saying it for, oh... years now, truly the end is nigh! We took this opportunity at Ignite 2020 to again remind everyone to stop using TLS 1.0/1.1 by Oct 15, 2020. For more information see TLS 1.0 and 1.1 deprecation for Office 365.
Basic Auth Still Supported for SMTP AUTH Client Submission
Both TLS 1.0/1.1 and Basic Auth are often used for SMTP AUTH. The deprecation of TLS 1.0/1.1 will break message submission for SMTP AUTH clients that continue to use it. However, while overall support for Basic Auth in EXO will soon be retired, it will still be supported for SMTP AUTH Client Submission. See our latest blog post for more information.
The Transport team has been working on a variety of improvements for mail flow management and optics to better help email admins control, and gain greater visibility into, their organization’s cloud-based mail flow.
Mail Flow Management in the Modern Exchange Admin Center
The modern Exchange admin center was announced last year and is now available for all customers to opt-in. For the last several years mail flow management assets have appeared in separate admin centers, some in the Exchange admin center, and others (like Insights and Message Trace) in the Security and Compliance Center. We’re now moving all mail flow assets into a single admin center, the modern Exchange admin center. Some existing insights are now available in the modern Exchange admin center, while others will be migrated over by the time the modern Exchange admin center becomes the default EAC experience in Q1 of 2021. Read more of our admin news here.
New Mail Flow Insights and Notifications
Mail Flow Insights and Notifications provide timely awareness and mitigation actions for a variety of common mail flow issues or anomalies. Existing insights, like those for mail loops and users forwarding emails, have migrated, or will soon migrate, from the Security and Compliance Center to the modern Exchange admin center. Additional insights and notifications we expect to make available later this year include those for flagging when domains and TLS certificates are about to expire or have already expired.
New Mail Flow Configuration Settings
With the move from on-premises Exchange to Exchange Online, email admins sometimes discover they have a reduced set of controls and settings in the cloud. One of the customer focus areas for the EXO Transport team is to provide admins greater control and customization of their organization’s mail flow settings.
Customizable Message Expiration Timeout Interval
One common request from EXO admins is to give them the ability to customize their organization’s message expiration timeout interval, much like they had in Exchange on-premises. When a message can’t be delivered immediately due to a transient (4xx) error, we’ll queue it up and retry periodically until either the message is finally sent or expires 24 hours later. For some time-critical email this can be too long to find out a message wasn’t delivered. So we’re introducing the ability for email admins to customize the message expiration timeout interval to less than 24 hours. We expect this to be available by the end of 2020.
Updates to Reply-All Storm Protection
Earlier this year we released the first iteration of Reply-All Storm Protection to help thwart the excessive impact that reply-all storms can have on your organization. The global service threshold for reply-all storm detection is 10 replies to more than 5000 recipients on a single conversation over one hour. This update will give admins the ability to customize the various thresholds and the reply block duration for their organization. Additionally, we expect to provide an insight and report in the modern Exchange admin center for detected reply-all storms and information about the blocked replies.
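To make the thresholds concrete, here is an added Python sketch (not the Exchange Online implementation) of sliding-window detection run over constructed message-log events: replies to more than 5000 recipients on one conversation are counted within a one-hour window, and once 10 accumulate, further replies on that conversation are blocked for a configurable duration. The block duration default, the exact reply that first gets blocked, and the event data are assumptions for illustration.

```python
# Added example, not the Exchange Online implementation: sliding-window
# reply-all storm detection using the global thresholds stated above
# (10 replies, more than 5000 recipients, one hour). The block duration
# and the log events are constructed values, not documented defaults.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed message-log events: (timestamp, conversation id, recipient count)
SAMPLE_EVENTS = (
    [(datetime(2020, 9, 22, 9, 0) + timedelta(minutes=3 * i), "conv-A", 6000) for i in range(12)]
    + [(datetime(2020, 9, 22, 9, 5) + timedelta(minutes=10 * i), "conv-B", 6000) for i in range(3)]
    + [(datetime(2020, 9, 22, 9, 1) + timedelta(minutes=i), "conv-C", 40) for i in range(30)]
)

class ReplyAllStormDetector:
    def __init__(self, reply_threshold=10, recipient_threshold=5000,
                 window=timedelta(hours=1), block_duration=timedelta(hours=4)):
        self.reply_threshold = reply_threshold
        self.recipient_threshold = recipient_threshold
        self.window = window
        self.block_duration = block_duration          # constructed default
        self.windows = defaultdict(deque)             # conversation -> reply times
        self.blocked_until = {}

    def observe(self, ts, conversation, recipient_count):
        """Return 'deliver' or 'block' for one reply-all on a conversation."""
        until = self.blocked_until.get(conversation)
        if until is not None and ts < until:
            return "block"                            # storm already detected
        if recipient_count <= self.recipient_threshold:
            return "deliver"                          # small replies never count
        times = self.windows[conversation]
        times.append(ts)
        while ts - times[0] > self.window:            # drop replies older than 1h
            times.popleft()
        if len(times) >= self.reply_threshold:
            # Assumption: the reply that reaches the threshold is itself blocked
            self.blocked_until[conversation] = ts + self.block_duration
            return "block"
        return "deliver"

def run(events, detector=None):
    """Feed events in time order; return {conversation: [decision per reply]}."""
    detector = detector or ReplyAllStormDetector()
    results = defaultdict(list)
    for ts, conversation, recipient_count in sorted(events):
        results[conversation].append(detector.observe(ts, conversation, recipient_count))
    return dict(results)
```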
While Transport is mostly about mail flow plumbing, we’re now able to exploit the power of the cloud to enhance email end-user experiences as well.
Support for Plus Addresses
Plus addressing allows you to add a “+something” suffix to the local part of your email address and have senders use that instead of your standard address. You can then create an inbox rule to route messages sent to that address into a specific folder, or do ad hoc or programmatic searches for them based on the unique TO plus address.
We announced support for Plus Addresses at last year’s Ignite, and now we’re pleased to report that it’s rolling out and should be available to all EXO customers by the end of September 2020. For more information, see the Support for Plus Addressing in Exchange Online section of our Ignite 2019 blog post.
We have a blog post explaining the feature in the works, but if you can't wait to try it, watch the video, and then just enable it in your tenant. How do you do that? One simple line of PowerShell.
Have you ever created an inbox rule to move incoming messages sent to a Distribution List (DL) you’re on to a specific folder? But then you discover that some senders will add the DL to the BCC line so the rule (for privacy reasons) is ignored and the message lands in your Inbox instead? Ugh! Yep, some of our Transport devs had that happen to them too – and they decided to do something about it. They added the ability to configure a DL or group to reject (NDR) messages when the DL is on the BCC line. It’s been a big hit within Microsoft, and now we’re making it available to Exchange Online customers! We plan to expose this setting to email admins (for DLs) and group owners (for Microsoft 365 Groups) by Q1 2021.
Exchange Online Message Recall
At last year’s Ignite we announced a cloud-based Message Recall feature to improve the success rate of recalls and to provide an easy-to-consume recall status report. We now expect to make it available to all EXO customers by the end of 2020. You can find more information about the feature in the Message Recall in Exchange Online section of the Exchange Transport News from Microsoft Ignite 2019 blog post.
With our continued customer focus on features and updates to better secure, manage, and improve email end-user experiences in EXO, we hope you’ll find these updates useful for both your organization’s email admins and end-users alike. Let us know what you think!