Microsoft is killing domain names emails in outlook.com

The real question is why? I am not sure it is really a bad idea but I am curious to know what reasoning they put on it.
 
DKIM, DMARC, and SPF are hard...

Custom domain support requires SUPPORT, which isn't in the plans. Worse, the feature is largely abused by small businesses to avoid paying for an actual business M365 plan, which is a violation of the EULA and TOS.

Finally... this isn't the first time they've "killed" this feature. So I'm not sure it'll even stay gone, or even go away.

The other feature this lived and died on was Exchange's POP/IMAP collection feature, which is also dead due to security problems. And I'm not saying the feature is a problem, I'm saying POP/IMAP are incapable of being securely used.
 
> DKIM, DMARC, and SPF are hard...

Never used the service but as I understood it M$ controlled it all via GoDaddy. You had to buy the domain from Microsoft so they automagically set up all that.

> Custom domain support requires SUPPORT, which isn't in the plans. Worse, the feature is largely abused by small businesses to avoid paying for an actual business M365 plan, which is a violation of the EULA and TOS.

This is the real reason. And while existing domains are grandfathered in, if they do find you're running a business on it you can get punted. Microsoft is very lax on enforcing this sort of thing but I suspect that for this particular issue they are going to be hardline about it.
 
@nlinecomputers All M365 does automatically is SPF, and this makes many assumptions that aren't always correct.

So another angle here is abuse negatively impacting M365 servers as they randomly pop up on the black lists. It wouldn't shock me to find these custom domains behind this. We cannot filter spam from Microsoft or Google systems effectively, so if they have bad actors involved in these free accounts spoofing crap...

Well let's just say I wouldn't be shocked to discover Outlook.com custom domains were behind a good portion of the spear phishing we're seeing. There are MANY reasons this feature is dying.

What upsets me is Microsoft not simply dropping the anchor on it all, but putting a final date on something like this tends to be technically hard. So instead they'll soft gate it, and let time sort it out.
 
> All M365 does automatically is SPF, and this makes many assumptions that aren't always correct.

For the intended target of the vanity domain that's all you really need. Let's face it. If you bother to get your own domain name you are almost certainly conducting business with it and legally should not be on that SKU.
 
> For the intended target of the vanity domain that's all you really need. Let's face it. If you bother to get your own domain name you are almost certainly conducting business with it and legally should not be on that SKU.

SPF isn't enough though, without DKIM and DMARC to tell the world yes... this is an authorized sender... and yes this mail has the correct signature... and if it doesn't, throw it out. The fraud mails go right through it.

So you need a vanity mailbox that looks similar, and a mail exchanger somewhere set to abuse someone with only an SPF record and POOF you're off!

You can do this trivially sending via Outlook.com because SPF is valid for your domain for EVERY SINGLE M365 ADDRESS ON THE PLANET! The world has no way of knowing the mail came from the wrong tenant without DKIM.

So Outlook.com users can spoof any M365 account they want, and pass an SPF check. Godaddy mail / shared webhosting has the same problem... gmail and gsuite have the same problem.

Vanity Domain users can spend $50 a year for Exchange Online Plan 1 via M365 or do something similar via GSuite. It makes things much cleaner, gives each provider tenants they can isolate and cut off for abuse, and removes a bucket of junk from all our lives. Heck that is a service anyone here can learn and sell too! So this cutoff is an opportunity for everyone here in a way.
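The two posts above make the same point from two sides: SPF only vouches for the envelope sender against a list of IPs, and when that list is a shared provider's include, every tenant of the provider "passes". What a receiver actually needs is DMARC identifier alignment, where the header From domain has to match either the SPF-checked MAIL FROM domain or a verified DKIM d= domain. The following is an added example, not code from the thread or from Microsoft: a minimal SPF and DMARC evaluator run against a constructed DNS table. All names (`victim.example`, `hardened.example`, `tenant-b.example`, `spf.provider.example`) and addresses (the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are hypothetical, and the organizational-domain logic is a simplification of what RFC 7489 does with the Public Suffix List.

```python
"""Added example: minimal SPF + DMARC alignment evaluator over constructed DNS data.
Shows why an SPF pass on shared provider infrastructure says nothing about the
header From, and how DKIM alignment plus a DMARC policy closes that gap."""
import ipaddress
from dataclasses import dataclass, field

# Constructed DNS TXT data (hypothetical names and documentation IP ranges).
DNS_TXT = {
    # SPF-only domain on a shared provider, no DMARC record published.
    "victim.example": ["v=spf1 include:spf.provider.example -all"],
    # Same provider, but this domain also publishes DMARC with strict alignment.
    "hardened.example": ["v=spf1 include:spf.provider.example -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    # Another tenant of the same provider (the would-be impersonator's own domain).
    "tenant-b.example": ["v=spf1 include:spf.provider.example -all"],
    # The provider's shared outbound range, used by every tenant.
    "spf.provider.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}


def spf_check(domain, ip, depth=0):
    """Evaluate a small SPF subset (ip4, include, -all, ~all) for MAIL FROM `domain`."""
    if depth > 10:
        return "permerror"  # RFC 7208 limits DNS-querying mechanisms to 10
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.startswith("include:") and spf_check(term[8:], ip, depth + 1) == "pass":
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC policy tags for `domain`, or None if no record is published."""
    records = [r for r in DNS_TXT.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not records:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in records[0].split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def org_domain(domain):
    # Simplification: last two labels. Real DMARC consults the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Strict mode needs an exact match; relaxed mode needs the same organizational domain."""
    if mode == "s":
        return auth_domain == header_from
    return org_domain(auth_domain) == org_domain(header_from)


@dataclass
class Message:
    header_from: str                 # RFC 5322 From domain: what the recipient sees
    mail_from: str                   # RFC 5321 MAIL FROM domain: what SPF actually checks
    source_ip: str
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified


def dmarc_evaluate(msg):
    """Return (spf_result, dmarc_result, disposition) for a message."""
    spf = spf_check(msg.mail_from, msg.source_ip)
    policy = parse_dmarc(msg.header_from)
    if policy is None:
        # No DMARC record: the receiver has an SPF verdict on the envelope and no
        # requirement that it relate to the header From at all.
        return spf, "none", "deliver"
    spf_aligned = spf == "pass" and aligned(msg.mail_from, msg.header_from, policy["aspf"])
    dkim_aligned = any(aligned(d, msg.header_from, policy["adkim"]) for d in msg.dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return spf, "pass", "deliver"
    return spf, "fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "deliver")


# Constructed scenarios. Another tenant sends from the shared range with a forged
# header From; the provider signs with its own d=, not the victim's.
SPOOF_SPF_ONLY = Message("victim.example", "tenant-b.example", "203.0.113.25", ["provider.example"])
SPOOF_HARDENED = Message("hardened.example", "tenant-b.example", "203.0.113.25", ["provider.example"])
# Legitimate mail from the hardened domain, and the same mail after a forwarder
# (SPF no longer passes for the new envelope, DKIM still aligns).
LEGIT_DIRECT = Message("hardened.example", "hardened.example", "203.0.113.25", ["hardened.example"])
LEGIT_FORWARDED = Message("hardened.example", "forwarder.example", "198.51.100.7", ["hardened.example"])

if __name__ == "__main__":
    for name, m in [("spoof vs SPF-only", SPOOF_SPF_ONLY), ("spoof vs DMARC", SPOOF_HARDENED),
                    ("legit direct", LEGIT_DIRECT), ("legit forwarded", LEGIT_FORWARDED)]:
        print(f"{name:18} spf={m.mail_from!r:22} -> {dmarc_evaluate(m)}")
```

The first scenario is the thread's complaint in miniature: SPF returns `pass` for the impersonator's own envelope domain, the victim publishes no DMARC record, and the receiver delivers a message whose From is forged. Against `hardened.example` the identical message fails alignment on both identifiers and is rejected, while the forwarded legitimate message still passes on DKIM alone. One caveat a practitioner should keep in mind: DMARC passes on either aligned identifier, so a domain whose SPF includes shared provider space is still relying on that provider to refuse envelope senders for domains it has not verified for the tenant.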
 
Even with DKIM, I can still spoof you with misspelled domain names. All SPF, etc. does is make sure the email comes from the domain as advertised.
 
The long and the short of it is: Do not trust email as a primary and single source for ANY REASON if anything of significance is involved.

Learn the signs of problems, but even if something looks perfect, verify. Phone calls are just so simple to do when big bucks or private information of any sort is involved.
 
> The long and the short of it is: Do not trust email as a primary and single source for ANY REASON if anything of significance is involved.
>
> Learn the signs of problems, but even if something looks perfect, verify. Phone calls are just so simple to do when big bucks or private information of any sort is involved.

That's actually not quite true... though generally true.

If a domain has properly configured SPF and DKIM, you can at least be certain it came from a valid source. That is, the mail was sent by a valid listed server, and signed with the appropriate certificate to be from the authorized mail service in question.

The problem is you still have no clue if that mail came from the actual person that should own said mailbox. And that goes back into one of the many authentication conversations we've had over the years here. This is one of the primary reasons why I fight for MFA on ALL mailboxes. Because MFA on the mailbox removes 99.9% of the impersonations of that mailbox, and if I back that up with SPF and DKIM on a service like M365 I've built a very solid trust chain that carries the mail from source to destination in a way that's more reliable than the US Post.

And all of that matters... and yet it doesn't because it can be undone by a user pressing "approve" on a window on their phone.

So now we're back to doing what you suggested. Anytime money is going to move based on any form of communication, everyone should use another form of communication to work with the human on the other end to confirm. It doesn't matter if it's email, SMS message, or even a phone call! Deepfake technology is huge! Any single point of contact is to be assumed to be fraud or scam until you can verify it. It's exhausting, but it's the only way to fully protect yourself in a world where the criminals are smarter than the users.
 