Forum Discussion
Firebase authentication emails are blocked by Office 365
I have a brand new app, that is also using Firebase and I am experiencing exactly the same issue. The Firebase Authentication service has pre-configured templates that it sends for user email verification and similar interactions. The Authentication product sends these communications by default from Firebase's own email service.
This issue will affect any developer who uses Firebase (of which there are many) and uses Firebase authentication. Seems like this is a new issue though as these emails were all still working at the beginning of Feb.
Given that this is a universal problem experienced by many users of the Firebase Service, how can this be addressed at a large scale, rather than everybody trying to address this individually?
The problem is that these auth emails somehow get tagged as spam in ONE Microsoft customer, and then protection.outlook.com blocks them for all.
I'm starting to think a lawsuit may be the way to go
- Just want to thank FcoManigrasso here too, he's been very helpful in finding out what the problem is! Post your donation link here, FcoManigrasso!
Basically, for existing customers we have to tell their IT departments to whitelist our sender. We'll add a notice to the login page about this. This is also the Microsoft way of doing it, according to this link: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/services-for-non-customers?view=o365-worldwide
In short, customers must whitelist our senders or open a ticket with Microsoft support about it.
The only thing not solveable by this approach is the case of new companies. This adds a LOT of friction to the signup process. Basically it is blocking it altogether. Unfortunatley there's no much more I can do here.
I searched around and found other forums with similar issues:
Firebase Auth: How to connect a custom domain for email templates | by Azmi Rutkay Biyik | Medium
Firebase confirmation email : Firebase (reddit.com)
On the last test message received by arnotixe I see all quite good, only a problem with the returnpath and that SCL score, ( 5 ).
The sender was "robot & domainname.no" and the returnpath was "
bounces-201492346-robot=domainname.no & mailer.domainname.no" EOP is very strict with spammers, so they pay a lot of attention at the returnpath and reputation of the senders servers.
Mark messages as safe ones will help for a single O365 organization, but that doesn't mean that the same messages will go thorugh the other ones. ( And if the messages are considered High confidence SPAM/Phish, that will not help ). In the case of arnotixe I think he's quite close to a solution, as all the other headers and scans are clean. In your case, StefDevs I don't know without analyze a message header, but I'm quite sure that the issue will be the same, ( server/IP reputation, domainname, returnpath... ).
My suggestion will be to refer to the Firebase community and the fixes mentioned there.
Microsoft Defender/EOP adapts the detection engine as per admins feedbacks, but if something seems suspicious, the security of the O365 customers environments will always be the priority, and only tenants admins will be able to "adapt" it to each own environment.
Sorry that I have not better news...
