Microsoft is taking more proactive steps to ensure email security by rolling out a new feature for Office 365 called Unverified Sender.  It allows users to keep their Outlook inbox safer and reduce fraudulent mail by flagging email that are not DMARC compliant .  If you send email to Outlook.com users or Office 365 users, this could severely impact your email deliverability!

How Does the Unverified Sender Feature Work?

According to their official Microsoft Roadmap, the Unverified Sender feature is described as follows:

“Unverified sender is a new Office 365 feature that helps end users identify suspicious messages in their inbox. In order to help customers identify suspicious messages in their inbox, we’ve added an indicator that demonstrates Office 365 spoof intelligence was unable to verify the sender.”

The Unverified Sender feature checks if the sender of an email can be verified. If its origin is found and identified as harmful/fraudulent, this feature works by providing Outlook users with a distinct visual indicator. 

When an Unverified Sender is detected, Outlook customers will see a “?” next to a message you sent to their Office 365 inbox, which means it is considered unverified. 

For example:

Once Unverified Sender is enabled by the user, the warning indicator will alert Office 365 customers about the potential risk that the email poses, especially phishing attacks or sender spoofing attempts. 

What Criteria Is Used?

To be Verified, your email must pass either SPF or DKIM authentication and also achieve DMARC compliance. When Outlook can’t verify if the identity of the sender is DMARC compliant, the “?” indicator is displayed in the sender photo field, as shown in the above visual. With this update from Microsoft, DMARC should now be at the top of your priority list if you haven’t adopted it yet.

How Does the Feature Affect My Business?

If your business sends email to Office 365 and Outlook users (which most businesses do today), it’s critical to avoid being marked as an unverified sender.  Adopting DMARC and getting all your legitimate senders to DMARC compliance is now a business necessity. Without DMARC, you run the risk of having Microsoft’s new Unverified Sender feature label your outbound messages as suspicious threats customers, vendors and partners, impacting your email deliverability and potentially your business.

MxToolbox is here to guide your company through the DMARC process and help optimize your email deliverability.  We offer several solutions to help you get your email DMARC compliant and monitor the on-going DMARC compliance of your email:

• Delivery Center is our base package that allows you to monitor the SPF, DKIM and DMARC compliance of your email while giving you insight into emerging email threats.
• Delivery Center Plus gives you all the great reporting of Delivery Center combined with deeper reporting on Phishing and Fraud using your domain.
• Delivery Center Managed Services gives you access to our Email Experts who manage your DMARC compliance and free you to focus on your business.

 

A few months ago, our friends over at BEMO cybersecurity paid us a huge compliment  by blogging on two of our favorite topics, MxToolbox and implementing DMARC.  Their blog, MxToolbox: How to Enable SPF, DMARC, and DKIM, is a great guide for setting up SPF, DKIM and DMARC in a single outbound email sender Office 365 configuration.  If you’re getting started with SPF, DKIM and DMARC, this is a great guide to using our free tools and improving your Office 365 configuration for better email delivery.  

Since not all outbound email configurations are the same, our delivery experts had a few thoughts to add…

Do you have Multiple Outbound Senders?

Most companies send corporate email from a centralized set of servers.  Office 365 and Gmail do this for many companies, but you could also have an internal email setup like MS Exchange.  However, many companies also employ one or many 3rd party email senders.  For example:

• Marketing Automation (Marketo, Eloqua, Hubspot, etc.)
• Email Campaign Tools (MailChimps, Constant Contact, etc.)
• Customer Relationship Managers (Salesforce, Zoho, Microsoft Dynamics, etc.)
• Support Ticketing Systems (LiveAgent, ZenDesk, etc.)
• Order Management and Fulfillment

You will want these services to send email “from” your domain, so they need to be included in your SPF, DKIM and DMARC configurations.  This will mean additional IP address ranges in your SPF record, additional DKIM keys setup and monitoring DMARC compliance for all your outbound email senders.

Do you send email from Multiple Domains?

Whether your company has acquisitions or other brands you wish to send email from, you may operate and email from multiple domains.  For this type of configuration, you’ll need to configure SPF, DKIM and DMARC for each domain you send from.  Similarly, MxToolbox Experts are finding that it has become more common to send email from a dedicated subdomain, like email.yourdomain.com.  This also requires careful thought and may need additional SPF, DKIM and DMARC configuration.

Everyone should be looking at DMARC Reports

When you configure DMARC records there are two important tags that you can use to elicit feedback on your sent email from inbox providers – RUA and RUF.

RUA – List the email addresses you would like to receive SPF, DKIM and DMARC compliance information from inbox providers.

RUF – List the email addressed you would like to receive Forensic data on failed email from your domain.

These RUA and RUF reports are sent in XML format by each individual inbox provider.  The information sent is highly valuable to protecting and improving your email deliverability.  However, to gain insight from them, you need some way to aggregate these reports across all these inbox providers.

Go slowly on your road to Quarantine or Reject Policies

If you have a single sender setup, then you can go straight to Quarantine or Reject policies on DMARC without concern for a portion of your email being unfairly rejected.  Most companies, though, have multiple outbound email senders.  Before you commit to Quarantine or Reject, you need to ensure that all of your legitimate outbound email senders are sending SPF, DKIM and DMARC compliant email.  If not, email from these sources may miss the inbox.  It takes some time and effort to:

1. Examine DMARC reports
2. Uncover non-compliant senders
3. Update each non-compliant configuration
4. Evaluate the changes you made

Once you are confident that your legitimate email is getting through, the DMARC record enables you to set a percentage of your email to the Quarantine policy.  Starting with a small fraction, like 10%, gives you the opportunity to detect any email that might go missing from customers’ inboxes.  MxToolbox recommends a slow, iterative approach through Quarantine to Reject policies.  Once you are at 100% Reject, MxToolbox recommends continual evaluation of your senders DMARC compliance.

Leverage MxToolbox SPF and DMARC record generators

As part of our suite of free tools, MxToolbox provides an SPF Record Generator and DMARC Record Generator tool.  Use these to help you get the syntax of your DNS records correct, then use our check tools to that your DNS entries are properly detectable by the outside world.