I’ve noticed some admins believe that EOP will need zero to none configurations and everything will preconfigured. EOP will work fine with default settings but it will require some admin effort after all.So, here’s a short blog post coming.

Top 3 misconceptions:

  1. EOP has DKIM signing by default - Yes, but not for vanity domains. Default DKIM signing is enabled only on onmicrosoft.com domain.
  2. EOP will respect DMARC policy - Yes, but not literaly. EOP will deliver message that is violating policy (reject mode) to quarantine and mark it as spoof. If you want more rigid solution transport rule must be used.
  3. ATP scoping by using onmicrosoft.com domain - even tough every recipient has onmicrosoft.com domain (in proxyAddresses) EOP rule will be checking target header (“To”, “Cc”, “BCC”) of the message to apply it. So, you better update your recipient policy rule scope and include all domains if you have everyone covered (or to a group if subset of users is covered) by ATP.

Did you know that you can now setup DMARC policy for onmicrosoft.com domain?

That’s it for today.