What Gmail's changes in their web interface means to you as a customer of Office 365

A few weeks ago, Gmail made several changes to better reflect the security status of messages sending to its service. I am a user of Gmail and I appreciate what they are doing. If you're a customer of Office 365, what does this mean for you?

  1. If you send email to Gmail and you don't have SPF records nor sign with DKIM, Gmail puts a large gray question mark next to the sender, for example:
    . unauthenticated_sender .
    This is part of Google's emerging No Auth, No Entry story. They are not denying entry, but they are degrading the experience to indicate that the sender is unknown. The sender is not necessarily spamming, but you as a user should be cautious. As an Office 365 customer, you are in control of your own DNS records and therefore responsible for setting up SPF records correctly.
    Setting up SPF records in Office 365
    . However, make sure you watch out for some common errors, you may think you are publishing the correct SPF record but you may hit a common trap. If so, Gmail may not recognize it and you'll get a gray question mark.Common errors in SPF records
    . For DKIM, Office 365 will automatically provision your DKIM signing for you and sign with the default settings, so you should never see that gray question mark in Gmail (unless you route your email through another server before sending to the Internet, and that server breaks our DKIM signature). Gmail requires that DKIM keys be at least 1024 bits; don't worry, we know that and take care of that for you.

    For the best experience sending to Gmail [1] for how a message will render (see #2 below), you'll want to enable DKIM with custom signatures (DKIM selectors) in Office 365. This requires publishing two records in your DNS zone for your domain.

  2. If you send to Gmail but your From: address's domain does not align with either the domain in the DKIM d= signature or domain that passes SPF, Gmail puts a 'via' in the From: address. Gmail also has a hierarchy of which one it prefers - if it is signed by DKIM, they show the d= signing domain. If it doesn't exist, they show the SPF-validated domain. If neither pass, they show the gray question mark per above.This means that if you have SPF set up in Exchange Online Protection (EOP) with the default DKIM settings enabled for your domain, Gmail will show the 'via' tag in the UX:
    sender_with_via. If you don't want that to show up in Gmail, you should manually enable DKIM in Office 365, as per above. When you do, your message will look like the following:
    . sender_without_via .

  3. A couple months ago, Google announced that messages that weren't sent over TLS would receive a red lock in the UX, and this past week they announced that they saw a 25% reduction in email not sent over TLS. Here's what a message would look like:
    . unauthenticated_sender_without_TLS . Office 365 sends over opportunistic TLS by default, so any outbound message sent from EOP to Gmail will not see that red icon.


Those are the big things to be aware of when sending email to Gmail out of Office 365.

Hope this helps.

[1] While Gmail strongly pushes DKIM for delivery, EOP also uses it for tracking our outbound reputation so we can stay off of others' IP reputation lists. EOP also requires SPF or DKIM when receiving email over IPv6, so automatically enabling your domains for DKIM means that you can send to any of our IPv6-enabled customers even if you have misconfigured SPF and haven't set up DKIM. Other receivers around the Internet similarly require SPF or DKIM when receiving email over IPv6.