Summary
- Who this impacts: Customers who send to recipients using Microsoft Office 365/Exchange and whose Click account is not configured for Custom DKIM.
- What has changed: Microsoft now checks emails for Implicit Authentication. This means they want email authentication to be in place and aligned in the same way DMARC requires, even for senders without DMARC in place.
- When did this change happen: Microsoft did not publish the date the change was implemented, but it was sometime in Q1 2020.
- What do impacted senders need to do: Set up Custom DKIM in Click so that authentication is aligned.
- What happens if Implicit Authentication isn't in place: Emails will be delivered to the Junk folder.
- What Microsoft email clients are in scope: Microsoft Outlook for Office 365/Exchange
- What Microsoft email clients are out of scope: Hotmail, Outlook.com, MSN, Live.com
Implicit Authentication Requirements
Early in 2020, Microsoft changed how its spam filter works for Outlook on Exchange and Office 365. This mostly impacts B2B senders, as most of their recipients use this version of Outlook.
On top of the normal authentication and IP checks, Microsoft now also wants emails to use SPF and DKIM authentication and to have them aligned, similar to how DMARC requires alignment. All Click emails are signed with DKIM, but the default setup uses a *.clickdimensions.com domain. Microsoft now wants the domain in the Display From address (RFC 5322) to match either the Mail From domain (RFC 5321) or the DKIM domain, AND those items must pass their respective authentication checks.
If a sender uses DMARC and already has their Click account configured for DMARC, these authentications and alignment will already be in place.
B2B senders that don't have their account configured for DMARC or Custom DKIM are encouraged to open a ticket with Support to request this change.
Diagnosing Microsoft Implicit Authentication Issues
One way to diagnose this issue is to look at the email headers. Within the email headers for an Outlook email, there is a section that summarizes the email authentication and results.
Here is an example of an email that failed Implicit Authentication:
authentication-results: spf=pass (sender IP is 63.143.57.146) smtp.mailfrom=email.clickdimensions.com;
dkim=pass (signature was verified) header.d=email.clickdimensions.com;
dmarc=none action=none header.from=company.com;compauth=fail reason=601
OR
authentication-results: spf=pass (sender IP is 63.143.57.146) smtp.mailfrom=email.clickdimensions.com;
dkim=pass (signature was verified) header.d=email.clickdimensions.com;
dmarc=none action=none header.from=company.com;compauth=fail reason=001
Here is an example of an email that passes Implicit Authentication:
authentication-results: spf=pass (sender IP is 63.143.57.146) smtp.mailfrom=email.clickdimensions.com;
dkim=pass (signature was verified) header.d=e.company.com;
dmarc=none action=none header.from=company.com;compauth=pass reason=109
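
The header check described above can be scripted. The following is an added example, not code from ClickDimensions or Microsoft: it parses an authentication-results header and reports whether SPF or DKIM both passes and is aligned with the Display From domain. The function names and the simplified alignment rule are assumptions, and the sample headers are constructed from the ones shown in this article.

```python
import re

# Constructed samples, modelled on the headers shown in this article.
FAILING = ("authentication-results: spf=pass (sender IP is 63.143.57.146) "
           "smtp.mailfrom=email.clickdimensions.com; "
           "dkim=pass (signature was verified) header.d=email.clickdimensions.com; "
           "dmarc=none action=none header.from=company.com;compauth=fail reason=601")
PASSING = (FAILING.replace("header.d=email.clickdimensions.com", "header.d=e.company.com")
                  .replace("compauth=fail reason=601", "compauth=pass reason=109"))


def parse_auth_results(header):
    """Return the key=value tokens of an Authentication-Results header as a dict."""
    if header.lower().startswith("authentication-results:"):
        header = header.split(":", 1)[1]
    header = re.sub(r"\([^)]*\)", " ", header)  # drop parenthesised comments
    return {k.lower(): v.lower() for k, v in re.findall(r"([\w.]+)=([^\s;]+)", header)}


def aligned(from_domain, auth_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.

    Assumption: real DMARC-style alignment compares organizational domains
    using the Public Suffix List; this shortcut avoids that dependency.
    """
    a = from_domain.rstrip(".")
    b = auth_domain.rsplit("@", 1)[-1].rstrip(".")  # smtp.mailfrom may be an address
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def diagnose(header):
    """Report which mechanism, if any, is both passing and aligned with From."""
    f = parse_auth_results(header)
    from_dom = f.get("header.from", "")
    spf_ok = f.get("spf") == "pass" and aligned(from_dom, f.get("smtp.mailfrom", ""))
    dkim_ok = f.get("dkim") == "pass" and aligned(from_dom, f.get("header.d", ""))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "compauth": f.get("compauth"), "reason": f.get("reason")}


if __name__ == "__main__":
    for name, hdr in (("failing", FAILING), ("passing", PASSING)):
        print(name, diagnose(hdr))
```

If neither `spf_aligned` nor `dkim_aligned` is true and `compauth` is `fail`, the message matches the failing pattern shown above and Custom DKIM is the fix.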
Microsoft Documentation
Microsoft Compauth Codes
Email authentication in Microsoft 365
Anti-spam message headers