Target
Customers using HENNGE Email DLP with Microsoft 365
Content
Due to recent security enhancements by major email providers, emails that fail SPF verification are highly likely to be treated as spam or rejected.
To reliably avoid this issue, for emails using the initial domain "<your tenant ID>.onmicrosoft.com" assigned during the first registration in Exchange Online as the sender, please consider implementing the following [Recommended Measures].
① [Recommended Measures] Change to a sending route that does not go through HENNGE Email DLP
The simplest and most reliable measure is to exclude the relevant emails from the route via HENNGE Email DLP in the Microsoft 365 transport rules.
② [Alternative Measures] Publish DKIM / DMARC Records
If it is a mandatory requirement to filter emails from the initial domain through HENNGE Email DLP, there is also a method to publish DKIM and DMARC records as an alternative measure.
Background
Sender domain authentication (SPF/DKIM/DMARC) technology(*) is very important as a countermeasure against spoofing emails.
However, there are the following technical constraints for emails using the initial domain of Microsoft 365 (<your tenant ID>.onmicrosoft.com) as the sender.
・Constraint: Cannot edit SPF records
Since the DNS records of the initial domain "<your tenant ID>.onmicrosoft.com" are managed by Microsoft, customers cannot edit or add SPF records from the Microsoft 365 admin console, etc.
The SPF record published by Microsoft for this domain authorizes only the server IP addresses of Microsoft 365.
・Concern: SPF verification failure when going through HENNGE Email DLP
Under the above constraint, if an email is sent from the initial domain via HENNGE Email DLP, the receiving server will fail SPF verification based on the following judgment flow.
- The email sent from your Microsoft 365 is relayed by the HENNGE Email DLP server and delivered to the recipient's mail server.
- The receiving server checks the SPF record of the sending domain (<your tenant ID>.onmicrosoft.com) in the DNS.
- Since only Microsoft's server IP is registered in the DNS, the server IP address of HENNGE Email DLP that actually delivered the email is judged as "sending from an unauthorized IP address."
- As a result, this email fails SPF verification.
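The judgment flow above, as an added example (not HENNGE's or Microsoft's code): a small SPF evaluator in Python run against a constructed stub DNS table, so it works offline. The tenant name "contoso", the IP ranges (RFC 5737 documentation space) and the relay address are invented placeholders; the real records for the initial domain and the HENNGE Email DLP servers are not reproduced here.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The tenant name, IP ranges and relay address are placeholders, not
# Microsoft's or HENNGE's real records.
STUB_DNS_TXT = {
    "contoso.onmicrosoft.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
}

# Constructed addresses: one inside the (placeholder) Microsoft 365 range,
# one for the hypothetical HENNGE Email DLP relay that hands the mail over.
MICROSOFT_365_IP = "203.0.113.25"
DLP_RELAY_IP = "192.0.2.10"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, dns=STUB_DNS_TXT):
    """Return the SPF TXT record for `name` from the stub table."""
    record = dns.get(name.lower())
    if record is None:
        raise LookupError(f"no SPF record for {name}")
    return record


def check_spf(domain, client_ip, dns=STUB_DNS_TXT, depth=0):
    """Evaluate the sending domain's SPF record against the connecting IP.

    Supports the mechanisms needed for this scenario: ip4/ip6, include and
    all, with the +, -, ~ and ? qualifiers (a subset of RFC 7208).
    """
    if depth > 10:
        raise RuntimeError("too many nested include: mechanisms")
    ip = ipaddress.ip_address(client_ip)
    terms = lookup_txt(domain, dns).split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech.startswith("include:"):
            # include: matches only if the referenced domain yields "pass".
            if check_spf(term[8:], client_ip, dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        # Other mechanisms (a, mx, exists, ...) are not needed for this case.
    return "neutral"


def explain_relay(domain, direct_ip, relay_ip, dns=STUB_DNS_TXT):
    """Compare the verdict for direct delivery with delivery via the relay."""
    return {
        "direct_from_microsoft_365": check_spf(domain, direct_ip, dns),
        "via_email_dlp_relay": check_spf(domain, relay_ip, dns),
    }


if __name__ == "__main__":
    verdicts = explain_relay("contoso.onmicrosoft.com", MICROSOFT_365_IP, DLP_RELAY_IP)
    for route, verdict in verdicts.items():
        print(f"{route}: SPF {verdict}")
```

The receiving server sees only the IP of the last hop, so the same record that yields "pass" for direct delivery yields "fail" (the `-all` terminal) once the relay's address is the one being checked; nothing about the message content is involved.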
What is sender domain authentication?
It is a technology to verify whether the received email was sent by the legitimate sender of the domain displayed as the sender. Emails from domains where sender domain authentication is not properly set may be treated as spam or junk mail and refused by the recipient.
Sender domain authentication mainly includes SPF / DKIM / DMARC authentication technologies, and when using HENNGE Email DLP, it is mandatory to set these for all custom domains in use.
① [Recommended Measures] Change to a sending route that does not go through HENNGE Email DLP
Configuration Method
The following is a guide intended to specify the initial domain "<your tenant ID>.onmicrosoft.com" as an exception condition in the transport rule settings on the Exchange Online admin console, to directly deliver emails sent from Exchange Online without relaying through HENNGE Email DLP.
- Open "Rules" from the Exchange Admin Center (https://admin.exchange.microsoft.com/#/transportrules)
- Open "Rule for HENNGE Email DLP" (name is arbitrary)
- Open "Edit Rule Conditions"
- Click the "+" on the first line of "Except if"
- Select "Sender" and "Domain is", and add "onmicrosoft.com" in the domain specification on the opened screen.
- Select the added "onmicrosoft.com" and click "Save"
- Confirm that the following settings have been added and click "Save"
If you have already completed the connection with HENNGE Email DLP using the procedure published on the following site, there is no need to perform the above procedure again.
[Email DLP] Connection Procedure (Microsoft 365)
If it is necessary to route emails sent from the initial domain through HENNGE Email DLP due to your service usage status or operational reasons, please be sure to implement the sender domain authentication described below.
② [Alternative Measures] Publish DKIM / DMARC Records
Configuration Method (DKIM/DMARC)
The following is a guide intended to register the DNS records of the initial domain "<your tenant ID>.onmicrosoft.com" from the Microsoft 365 admin console.
- Open the Microsoft 365 Admin Center
- Open "Domains" from "Settings"
- Click "<your tenant ID>.onmicrosoft.com" and open the "DNS Records" tab
Please refer to the following articles on DKIM / DMARC for the additional records to register from the "DNS Records" tab above.
Note that Microsoft recommends using custom domains for regular email delivery and using the initial domain only for testing purposes.
Please be aware that Microsoft has announced plans to gradually restrict the use of the initial domain.
Limiting Onmicrosoft Domain Usage for Sending Emails
DKIM
[Email DLP] Tenant Settings - DKIM Configuration
※This is the procedure for issuing DKIM records and enabling them after DNS publication.
DMARC
Publish DMARC Record
※This article recommends publishing the minimum necessary DMARC settings (v=DMARC1; p=none) to comply with the guidelines published by Microsoft and Google.
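Why publishing DKIM and DMARC helps even though the SPF record cannot be changed, as an added example (not HENNGE's or Microsoft's code): a Python model of the DMARC verdict a receiver computes from the SPF and DKIM results. DMARC passes if either SPF or DKIM passes with an identifier aligned to the From domain, so a DKIM signature made by Exchange Online with d= the initial domain still verifies after the relay (provided the relay leaves the signed headers and body intact) and gives an aligned pass where SPF alone would fail. The tenant name is a placeholder, the scenarios are constructed, and relaxed alignment is simplified to parent/child matching rather than the public-suffix based organizational-domain rule of RFC 7489.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ("v=DMARC1; p=none; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("missing or unsupported v= tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' is strict (exact match); 'r' is relaxed,
    simplified here to parent/child matching (an assumption, not the full
    organizational-domain rule)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def evaluate_dmarc(from_domain, dmarc_record, spf_result, spf_domain,
                   dkim_result=None, dkim_domain=None):
    """Combine authentication results into a DMARC verdict and disposition."""
    tags = parse_dmarc(dmarc_record)
    spf_aligned = (spf_result == "pass"
                   and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # The policy in p= only applies to messages that fail DMARC.
        "disposition": "none" if passed else tags["p"],
    }


# Constructed scenarios for a message from the initial domain sent via the relay.
INITIAL_DOMAIN = "contoso.onmicrosoft.com"   # placeholder tenant
MINIMAL_DMARC = "v=DMARC1; p=none"           # the minimum record recommended above


def relayed_with_dkim():
    """SPF fails at the relay, but the DKIM signature applied by Exchange
    Online (d= the initial domain) survives the relay and is aligned."""
    return evaluate_dmarc(INITIAL_DOMAIN, MINIMAL_DMARC,
                          spf_result="fail", spf_domain=INITIAL_DOMAIN,
                          dkim_result="pass", dkim_domain=INITIAL_DOMAIN)


def relayed_without_dkim(policy=MINIMAL_DMARC):
    """Same relayed message with no DKIM signature: DMARC fails, and the
    disposition depends only on the published p= value."""
    return evaluate_dmarc(INITIAL_DOMAIN, policy,
                          spf_result="fail", spf_domain=INITIAL_DOMAIN)


if __name__ == "__main__":
    print("relay + DKIM, p=none:   ", relayed_with_dkim())
    print("relay, no DKIM, p=none: ", relayed_without_dkim())
    print("relay, no DKIM, p=reject:", relayed_without_dkim("v=DMARC1; p=reject"))
```

Note the caveat this makes visible: "v=DMARC1; p=none" on its own asks receivers to take no action on failures, so it does not stop a relayed message from failing; it is the enabled DKIM signature that supplies the aligned pass, and the DMARC record is what tells receivers that an aligned DKIM pass is sufficient.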
If you have any questions, please contact the HENNGE One support desk.