What are onmicrosoft.com and gappssmtp.com?

Have you ever run across the domains onmicrosoft.com and gappssmtp.com in email headers before? Wondering what they are for and why they are there? Read on!

In this modern age where email authentication is an absolute necessity, both Google and Microsoft include functionality in their business email hosting (Google Workspace and O365) to automatically enable some version of DomainKeys Identified Mail (DKIM) directly out of the box. They do this by automatically applying a default DKIM signature (using a domain of their own) to your outbound email messages when you first set up these services.

For Microsoft, they use a subdomain under “onmicrosoft.com.” The subdomain is the “tenant name” the admin of this O365 instance picked when first creating it. For example, when I signed up for an O365 demo for Spam Resource, I chose “spamresource” as my tenant name, so my default subdomain was “spamresource.onmicrosoft.com.”

For Google, this is a bit more automatic and less visible. They will just automatically assign a DKIM key of some version of your-domain.(date).gappssmtp.com, like for example, spamresource-com.20150623.gappssmtp.com.

If you don’t fully configure a domain name in O365, you’ll be sending emails from (subdomain).onmicrosoft.com – for example, al@spamresource.onmicrosoft.com.

Though both services set this up for you by default, this configuration is suboptimal. It isn’t really compatible with DMARC, and it’s never good to rely on somebody else’s domain for your own sender reputation. Bad guys love to do stuff like never finish fully setting up a custom domain, so they can exploit the reputation of the default domains in use, and this often results in those default domains having a poor reputation. (This is not specific to Google or O365; I’ve seen people try to exploit many other platforms in this way.)

Google also has two other domains, 1e100.net, and *.test-google-a.com. I see 1e100.net being used in a DKIM signature assigned to a secondary domain configured in G Suite (where DKIM isn't fully configured yet), and if your domain in G Suite is spamresource.com, you'll see spamresource.com.test-google-a.com in your list of domains in your Google Admin Console. Same recommendations apply; you don't want to conduct email business over time while relying on DKIM signatures from any of these temporary or shared domains to help build up your sending reputation.

What should you do when setting up Google Workspace or Microsoft Office 365 and you see these domains in your configuration? You should always proceed to fully complete configuration of email authentication (DKIM) for your domain, in whatever email platform you send mail from. Google explains how to do this here, and Microsoft explains how to do so here.

In case you’re wondering, gappssmtp supposedly stands for “Google Apps SMTP” while onmicrosoft tells the world that you’re hosting your email or other service “on Microsoft.”

And now you know.
Post a Comment