Update – Feature Update: Secure by Default

MC208307, Plan For Change, Published date: Apr 1, 2020


Major Update: Announcement
Applies To: All
Updated April 15, 2020: We are updating the roll-out timeline to ensure the proper experience.

We’re implementing another phase in Secure by Default, which will affect any domains which fail authentication although they are implicitly allowed in your anti-spam policy.

  • We’ll be gradually rolling this outin mid-May (previously April).

This message is associated with Microsoft 365 Roadmap ID 62398.How does this affect me?

Users will see that messages from domains that fail authentication, but that had been allowed by tenant rules, have been marked as junk.

Users will see that messages from allowed domains that fail authentication will be marked as junk. Domains that fail authentication should already be marked as junk. This change expands your protection to include allowed domains as well. The service will honor the allowed domains you have configured, but it will honor only the messages that are truly coming from those domains.What do I need to do to prepare for this change?

You will need to review your Spoof Intelligence Insight and Policy to ensure that you are implicitly allowing domain that fail authentication to resolve this; otherwise, messages that are allowed that fail authentication will be marked as junk. Learn about spoof intelligence and how to configure your policies.