
Commit e47e589

authored
Merge branch 'main' into patch-14
2 parents 0bf7350 + e78230f commit e47e589

9 files changed: +79 / -40 lines changed

defender-for-cloud-apps/troubleshooting-proxy-end-users.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -217,6 +217,14 @@ This message only appears for Chrome users, as Microsoft Edge users benefit from
217217
218218
If you receive a message like this, contact Microsoft’s support to address it with the relevant browser vendor.
219219
220+
## Users encounter Entra ID Login after clicking mcas.ms links
221+
Attackers can craft URLs that appear to lead to trusted domains but actually redirect users to malicious sites. For users protected by the session/suffix-based solution, an attacker might attempt to bypass controls by appending the mcas.ms suffix to a malicious URL, exploiting the assumption that such URLs are safe.
222+
223+
To mitigate this, Microsoft Defender for Cloud Apps redirects any mcas.ms URL lacking valid session context to Entra ID for authentication, effectively blocking such exploits.
224+
225+
However, legitimate mcas.ms URLs without context can exist, for example, if a user clicks on an old browser bookmark. In such cases, the user will first be redirected to Entra ID. If their identity provider (IdP) is not Entra ID, they will need to manually remove the mcas.ms suffix to proceed.
226+
227+
220228
## More considerations for troubleshooting apps
221229
222230
When troubleshooting apps, there are some more things to consider:
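Review bot: the new section at 220-227 has doubled blank lines (222-223 and 225-227), which render the same as a single blank line and trip markdownlint MD012; collapse each run to one blank line. The last paragraph (225) also only covers users whose IdP is not Entra ID; add one sentence saying what a user whose IdP is Entra ID should expect after the redirect, so the troubleshooting guidance covers both cases.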

defender-office-365/email-authentication-dkim-configure.md

Lines changed: 17 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ f1.keywords:
55
author: chrisda
66
ms.author: chrisda
77
manager: bagol
8-
ms.date: 06/19/2025
8+
ms.date: 10/06/2025
99
audience: ITPro
1010
ms.topic: how-to
1111

@@ -51,15 +51,15 @@ Important facts about DKIM:
5151

5252
Before we get started, here's what you need to know about DKIM in Microsoft 365 based on your email domain:
5353

54-
- **If you use only the Microsoft Online Email Routing Address (MOERA) domain for email (for example, contoso.onmicrosoft.com)**: You don't need to do anything. Microsoft automatically creates a 2048-bit public-private key pair from your initial \*.onmicrosoft.com domain. Outbound messages are automatically DKIM signed using the private key. The public key is published in a DNS record so destination email systems can verify the DKIM signature of messages.
54+
- **If you use only the Microsoft Online Email Routing Address (MOERA) domain for email (for example, contoso.onmicrosoft.com)**: You don't need to do anything. Outbound messages from senders in the contoso.onmicrosoft.com domain are automatically DKIM signed by the contoso.onmicrosoft.com domain.
5555

5656
But, you can also manually configure DKIM signing using the \*.onmicrosoft.com domain. For instructions, see the [Use the Defender portal to customize DKIM signing of outbound messages using the \*.onmicrosoft.com domain](#use-the-defender-portal-to-customize-dkim-signing-of-outbound-messages-using-the-onmicrosoftcom-domain) section later in this article.
5757

58-
To verify the fact that outbound messages are automatically DKIM signed, see the [Verify DKIM signing of outbound mail from Microsoft 365](#verify-dkim-signing-of-outbound-mail-from-microsoft-365) section later in this article.
58+
To verify outbound messages from senders in the initial \*.onmicrosoft.com domain are DKIM signed, see the [Verify DKIM signing of outbound mail from Microsoft 365](#verify-dkim-signing-of-outbound-mail-from-microsoft-365) section later in this article.
5959

6060
For more information about \*.onmicrosoft.com domains, see [Why do I have an "onmicrosoft.com" domain?](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain).
6161

62-
- **If you use one or more custom domains for email (for example, contoso.com)**: Even though the MOERA domain signs all outbound mail from Microsoft 365, you still have more work to do for maximum email protection:
62+
- **If you use one or more custom domains for email (for example, contoso.com)**: Currently, no DKIM signing occurs for outbound mail from custom domains, so you need to do the following steps for maximum email protection:
6363
- **Configure DKIM signing using custom domains or subdomains**: A message needs to be DKIM signed by the domain in the From address. We also recommend configuring DMARC, and DKIM passes DMARC validation only if the domain that DKIM signed the message and the domain in the From address align.
6464

6565
- **Subdomain considerations**:
@@ -157,8 +157,6 @@ You need to create two CNAME records in DNS in each custom domain, for a total o
157157
### Use the Defender portal to enable DKIM signing of outbound messages using a custom domain
158158
159159
> [!TIP]
160-
> Enabling DKIM signing of outbound messages using a custom domain effectively switches DKIM signing from using the initial \*.onmicrosoft.com domain to using the custom domain.
161-
>
162160
> You can use a custom domain or subdomain to DKIM sign outbound mail only after the domain is successfully added to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain).
163161
>
164162
> The main factor that determines when a custom domain starts DKIM signing outbound mail is the CNAME record detection in DNS.
@@ -207,6 +205,15 @@ Proceed if the domain satisfies these requirements.
207205
**Hostname**: `selector2._domainkey`<br>
208206
**Points to address or value**: `selector2-contoso-com._domainkey.contoso.n-v1.dkim.mail.microsoft`
209207

208+
> [!TIP]
209+
> As previously described in the [Syntax for DKIM CNAME records](#syntax-for-dkim-cname-records), your domain might require the old record syntax:
210+
>
211+
> Hostname: `selector1._domainkey`
212+
> Points to address or value: `selector1-contoso-com._domainkey.contoso.onmicrosoft.com`
213+
>
214+
> Hostname: `selector2._domainkey`
215+
> Points to address or value: `selector2-contoso-com._domainkey.contoso.onmicrosoft.com`
216+
210217
Copy the information from the error dialog (select the text and press CTRL+C), and then select **OK**.
211218

212219
Leave the domain details flyout open.
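Review bot: inside the new blockquote, lines 211-212 and 214-215 have no line break between "Hostname:" and "Points to address or value:", so Markdown joins each pair into one paragraph ("Hostname: `selector1._domainkey` Points to address or value: ..."). Match the block directly above (205-206), which bolds the label and ends the line with `<br>`, for example `> **Hostname**: `selector1._domainkey`<br>` followed by `> **Points to address or value**: `selector1-contoso-com._domainkey.contoso.onmicrosoft.com``.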
@@ -234,9 +241,7 @@ Proceed if the domain satisfies these requirements.
234241

235242
### Use the Defender portal to customize DKIM signing of outbound messages using the \*.onmicrosoft.com domain
236243

237-
As described earlier in this article, the initial \*.onmicrosoft.com domain is automatically configured to sign all outbound mail from your Microsoft 365 organization, and you should [configure custom domains to DKIM sign outbound messages](#use-the-defender-portal-to-enable-dkim-signing-of-outbound-messages-using-a-custom-domain).
238-
239-
But, you can also use the procedures in this section to affect DKIM signing using the \*.onmicrosoft.com domain:
244+
As described earlier in this article, outbound mail from senders in the initial \*.onmicrosoft.com domain is automatically DKIM signed by the initial \*.onmicrosoft.com domain. But, you can use the procedures in this section to affect DKIM signing using the \*.onmicrosoft.com domain:
240245

241246
- Generate new keys. The new keys are automatically added and used in the Microsoft 365 datacenters.
242247
- Have the properties of the \*.onmicrosoft.com domain appear correctly in the details flyout of the domain on the **DKIM** tab of the **Email authentication settings** page at <https://security.microsoft.com/authentication?viewid=DKIM> or in PowerShell. This result allows for future operations on the DKIM configuration for the domain (for example, [manual key rotation](#rotate-dkim-keys)).
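Review bot: the merged paragraph on line 244 drops the cross-reference to the custom-domain procedure (#use-the-defender-portal-to-enable-dkim-signing-of-outbound-messages-using-a-custom-domain) that the old line 237 carried. Since line 62 of this same change now tells readers that custom domains are not signed until configured, this section is exactly where they need that pointer; keep the link as a second sentence.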
@@ -279,12 +284,12 @@ Proceed if the domain satisfies these requirements.
279284

280285
### Use Exchange Online PowerShell to configure DKIM signing of outbound messages
281286

282-
If you'd rather use PowerShell to enable DKIM signing of outbound messages using a custom domain, or to customize DKIM signing for the \*.onmicrosoft.com domain, connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to run the following commands.
287+
If you'd rather use PowerShell to enable DKIM signing of outbound messages using a custom domain, or to customize DKIM signing for the initial \*.onmicrosoft.com domain, connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to run the following commands.
283288

284289
> [!TIP]
285290
> Before you can configure DKIM signing using the custom domain, you need to add the domain to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain). To confirm that the custom domain is available for DKIM configuration, run the following command: `Get-AcceptedDomain`.
286291
>
287-
> As described earlier in this article, your \*.onmicrosoft.com domain is already signing outbound email by default. Typically, unless you manually configured DKIM signing for the \*.onmicrosoft.com domain in the Defender portal or in PowerShell, the \*.onmicrosoft.com doesn't appear in the output of **Get-DkimSigningConfig**.
292+
> As described earlier in this article, your \*.onmicrosoft.com domain is already signing outbound email from senders in the \*.onmicrosoft.com by default. Typically, unless you manually configured DKIM signing for the \*.onmicrosoft.com domain in the Defender portal or in PowerShell, the \*.onmicrosoft.com doesn't appear in the output of **Get-DkimSigningConfig**.
288293
289294
1. Run the following command to verify the availability and DKIM status of all domains in the organization:
290295
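Review bot: line 292 reads "from senders in the \*.onmicrosoft.com by default", missing "domain" after "\*.onmicrosoft.com"; the same omission already exists later in the sentence ("the \*.onmicrosoft.com doesn't appear"), and this edit is the natural place to fix both. Suggested: "already signing outbound email from senders in the \*.onmicrosoft.com domain by default" and "the \*.onmicrosoft.com domain doesn't appear in the output of **Get-DkimSigningConfig**".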

@@ -358,7 +363,7 @@ If you'd rather use PowerShell to enable DKIM signing of outbound messages using
358363
359364
It takes a few minutes (or possibly longer) for Microsoft 365 to detect the new CNAME records that you created.
360365
361-
- **\*.onmicrosoft.com domain**: Go to Step 5.
366+
- **\*.onmicrosoft.com domain**: Go to the next step.
362367
363368
5. After a while, return to Exchange Online PowerShell, replace \<Domain\> with the domain that you configured, and run the following command:
364369
@@ -505,10 +510,6 @@ For detailed syntax and parameter information, see the following articles:
505510

506511
## Disable DKIM signing of outbound messages using a custom domain
507512

508-
As described earlier in this article, enabling DKIM signing of outbound messages using a custom domain effectively switches DKIM signing from using the \*.onmicrosoft.com domain to using the custom domain.
509-
510-
When you disable DKIM signing using a custom domain, you aren't completely disabling DKIM signing for outbound mail. DKIM signing eventually switches back to using the \*.onmicrosoft domain.
511-
512513
### Use the Defender portal to disable DKIM signing of outbound messages using a custom domain
513514

514515
1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>.
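Review bot: deleting lines 508-510 leaves the "Disable DKIM signing of outbound messages using a custom domain" section with no statement of what happens to mail from that domain afterwards. The removed text said signing reverts to the \*.onmicrosoft.com domain, while line 62 of this change says custom-domain mail is not signed by that domain; whichever is now correct, state the resulting state here in one sentence, because an admin disabling signing needs to know whether the domain's outbound mail will still carry a DKIM signature.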

defender-office-365/outbound-spam-policies-external-email-forwarding.md

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ f1.keywords:
55
author: chrisda
66
ms.author: chrisda
77
manager: bagol
8-
ms.date: 02/05/2025
8+
ms.date: 10/06/2025
99
audience: ITPro
1010
ms.topic: overview
1111
ms.collection:
@@ -45,6 +45,8 @@ You can use outbound spam filter policies to control automatic forwarding to ext
4545
- **On - Forwarding is enabled**: Automatic external forwarding is allowed and not restricted.
4646
- **Off - Forwarding is disabled**: Automatic external forwarding is disabled and results in a non-delivery report (also known as an NDR or bounce message) to the sender.
4747

48+
:::image type="content" source="media/outbound-spam-protection-settings.png" alt-text="Screenshot of the Protection settings flyout in the properties of the default outbound spam filter policy with the Automatic forwarding rules options highlighted." lightbox="media/outbound-spam-protection-settings.png":::
49+
4850
For instructions on how to configure these settings, see [Configure outbound spam filtering](outbound-spam-policies-configure.md).
4951

5052
> [!NOTE]
@@ -57,7 +59,12 @@ For instructions on how to configure these settings, see [Configure outbound spa
5759
As an admin, you might use other controls to allow or block automatic email forwarding. For example:
5860

5961
- [Remote domains](/exchange/mail-flow-best-practices/remote-domains/remote-domains) to allow or block automatic email forwarding to some or all external domains.
60-
- Conditions and actions in Exchange [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to detect and block automatically forwarded messages to external recipients.
62+
63+
:::image type="content" source="media/outbound-spam-remote-domains-auto-forwarding.png" alt-text="Screenshot of the Email reply types flyout in the properties of a remote domain in the Exchange admin center with the Allow automatic forwarding option highlighted." lightbox="media/outbound-spam-remote-domains-auto-forwarding.png":::
64+
65+
- Conditions and actions in Exchange [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to detect and block automatically forwarded messages to external recipients by Inbox rules.
66+
67+
:::image type="content" source="media/outbound-spam-mail-flow-rule-detect-block-forwarded.png" alt-text="Screenshot of a mail flow rule to detect and block messages automatically forwarded to external recipients by Inbox rules." lightbox="media/outbound-spam-mail-flow-rule-detect-block-forwarded.png":::
6168

6269
When one setting allows external forwarding, but another setting blocks external forwarding, the block typically wins. Examples are described in the following table:
6370
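Review bot: the `:::image` directives on lines 63 and 67 are not indented under their list items, so the blank line plus an unindented paragraph ends the list at 61 and "- Conditions and actions" on 65 starts a new one, with the first screenshot sitting between two separate lists. Indent the directive lines (and the blank lines around them) so they belong to the preceding item. Also, the new wording on 65, "detect and block automatically forwarded messages to external recipients by Inbox rules", reads as if the mail flow rule does the forwarding; the alt text on 67 has the right order: "messages automatically forwarded to external recipients by Inbox rules".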
