On 16 Jun 2019, at 14:33, Stefan Bauer wrote:
> Bill,
>
> Yes, that's the question. I would consider the two factors as reliable. MS is
> signing mails. I just like clear user authentication instead of relying on
> volatile IPs/blocks Microsoft publishes/changes.
>
> What I need to check is also whether MS allows spoofing of sender address.

I believe that they do not, so that if you get mail from an O365
outbound machine (which should be identifiable by SPF) in a domain which
they believe to be part of the O365 forest, the full envelope sender
address is trustworthy and, if the DKIM signature verifies, so is the
From header address.

These of course would only be as trustworthy as O365 user authentication
in general but that's reasonably good.

> I need to make sure no user can use our service just by sending through
> any MS account with a correctly guessed allowed sender address.

I'm not currently managing any O365 domains but to the best of my
recollection (which is from 2 years ago and is no better than that of
other humans of my advancing age) they claim to not allow any form of
unauthorized user impersonation. In other words, one can delegate
account access to another user but one cannot simply send mail as
whatever user one likes.

This is a question that MS would surely answer clearly and directly if
asked by a paying customer, yes? I expect that if you found the right MS
mail admin in a place where they communicate with the outside community,
you might get an answer for free even if you were not a paying customer.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
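
The two-factor check discussed in this thread (SPF pass for the envelope sender plus a verifying DKIM signature for the From address), as an added Python example that is not part of the original messages. It assumes the receiving MTA stamps an RFC 8601 Authentication-Results header; the host names, addresses and function names are constructed for illustration. It only tests what SPF and DKIM report, not whether Microsoft prevents one tenant from using another tenant's sender address.

```python
import re
from email.utils import parseaddr

def parse_auth_results(value):
    """Parse one Authentication-Results value (RFC 8601) into
    (authserv_id, [(method, result, {property: value}), ...])."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop (comments)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", []
    results = []
    for part in parts[1:]:
        tokens = part.lower().split()
        if "=" not in tokens[0]:
            continue  # e.g. the bare "none" form
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method, result, props))
    return parts[0].split()[0].lower(), results

def sender_is_trusted(auth_results, from_header, my_authserv_id, allowed_senders):
    """Accept only if both factors from the thread hold: SPF passed for an
    allowed envelope sender AND a passing DKIM signature matches the domain
    of an allowed From address. Anything unexpected fails closed."""
    authserv_id, results = parse_auth_results(auth_results)
    if authserv_id != my_authserv_id.lower():
        return False  # not stamped by our own MTA, so it may be forged
    allowed = {a.lower() for a in allowed_senders}
    spf_pass = {p.get("smtp.mailfrom") for m, r, p in results
                if m == "spf" and r == "pass"}
    dkim_pass = {p.get("header.d") for m, r, p in results
                 if m == "dkim" and r == "pass"}
    from_addr = parseaddr(from_header)[1].lower()
    envelope_ok = bool(spf_pass & allowed)  # full address required
    header_ok = from_addr in allowed and from_addr.rpartition("@")[2] in dkim_pass
    return envelope_ok and header_ok

# Constructed sample values (example.* names are placeholders).
MY_MTA = "mx.relay.example"
ALLOWED = {"alice@customer.example"}
GOOD = ("mx.relay.example; spf=pass (sender IP is 192.0.2.10) "
        "smtp.mailfrom=alice@customer.example; "
        "dkim=pass header.d=customer.example")
NO_DKIM = GOOD.replace("dkim=pass", "dkim=fail")
FORGED = GOOD.replace("mx.relay.example", "mx.elsewhere.example")

if __name__ == "__main__":
    for name, ar in (("good", GOOD), ("no_dkim", NO_DKIM), ("forged", FORGED)):
        print(name, sender_is_trusted(ar, "Alice <alice@customer.example>", MY_MTA, ALLOWED))
```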