Microsoft IT Technology

Microsoft Adds Support For Custom '+' Email Addresses in Office 365 (zdnet.com) 74

Microsoft is adding support for custom email addressing to Office 365 email services, a feature it hopes to complete in Q3 2020. From a report: Custom email addresses are an optional feature that some email providers can support. The feature is described in the RFC 5233 internet standard. Officially known as subaddressing, this standard allows users to extend their email address using "tags" or the plus (+) character, hence its two alternative names of tagged addressing or plus addressing. For example, a user with the email address of username@domain.com can use the plus addressing feature to extend their email address to username+tag@domain.com. If the user's email address supports subaddressing, all emails sent to the username+tag@domain.com email will land in the user's username@domain.com inbox.
  • by Pikoro ( 844299 ) <{hs.tini} {ta} {tini}> on Tuesday July 14, 2020 @12:16PM (#60297220) Homepage Journal

    This has been available for decades. Gmail has supported this since its inception. My personal email server supports it as well. I use it to sort mails and find out who sold my address out. For example, if I ever received an email from username+slashdot@domain.com, that's not from slashdot, I'll know they sold the list. Been using this system for years.

    Hate to say it but, good on Microsoft for finally implementing it. Now if we can just get websites to not reject an email input into a form with a + in it as an "invalid character".

    • by orlanz ( 882574 )

      But wouldn't it be easy for programs to strip the tag out? Replace "\+.*@" with "@" and you have the generic? Apologies if I missed something, I am not very familiar with this feature.

      • That's what I'm thinking too, which is why I have a different alias for every company/website.

        • Gmail did this with _ characters. Not ideal, but you could put an underscore character anywhere in the mailbox name (before the @) and Gmail would deliver the email. It would be better I'll admit with _*@ so the star could be anything. The problem is the _ might be in the middle of a legitimate mailbox name john_doe would receive e-mail for john if John used john_doe to register some address with a website. You almost need a unique character like + but it will simply be ignored by spammers.
          • by tlhIngan ( 30335 )

            Gmail did this with _ characters. Not ideal, but you could put an underscore character anywhere in the mailbox name (before the @) and Gmail would deliver the email. It would be better I'll admit with _*@ so the star could be anything. The problem is the _ might be in the middle of a legitimate mailbox name john_doe would receive e-mail for john if John used john_doe to register some address with a website. You almost need a unique character like + but it will simply be ignored by spammers.

            No, what

            • No, what GMail did was inexcusable since _ is a valid character for an email address.

              Having had a givenname_familyname@domain.co..TLD email address since before Google existed (possibly since before Brin and Wossname defended) ... well, I'm afraid I can't even say I'm surprised.

      • But wouldn't it be easy for programs to strip the tag out? Replace "\+.*@" with "@" and you have the generic? Apologies if I missed something, I am not very familiar with this feature.

        Yes; this feature isn't useful for the purposes of obscuring your real email address, and I'm sure that some spammers already remove the +extension from gmail addresses.

        It's handy for sorting legitimate emails, though.

        • Re: (Score:3, Informative)

          I'm sure that some spammers already remove the +extension from gmail addresses.

          Spammers vary in technical competence.

          I have my own domain and mailserver and I see attempts to send email to "linked@<my domain>" in the logs. These obviously originate from the LinkedIn hack, since the email address that I registered with LinkedIn is <me>+linked@<my domain>.

          TL;DR; The software many spammers use doesn't support "+" in email addresses.

        • and I'm sure that some spammers already remove the +extension from gmail addresses.

          Certainly they could do it. But I suspect that from a spammer's point of view, getting that far into the classification tree would have got you into a fairly small subset of people who are extremely unlikely to be profitable targets. For run-of-the-pork-processor spam - dick enlargement and cheap meds to a country with free prescriptions, for example - is it worth the computational cycles to try cleaning up the email address

      • by Zocalo ( 252965 ) on Tuesday July 14, 2020 @12:43PM (#60297306) Homepage
        That's exactly what competent spammers will do (yes, they do exist). A lot are too lazy or clueless, but there are enough that have sufficient clue to be annoying. It does provide a reasonable level of protection from semi-legit marketing types though - assuming they will actually let you use a "+" in the email field and not reject it as containing an "invalid character". There are a few additional tricks you can do however, the easiest is to require the throwaway - e.g. if you get email on plain "username@domain.com", then you can be almost 100% sure it's spam (almost, because this is likely to false positive on administrative emails from the mail server operator). Not all email providers will let you create rules to support this approach however.

        If you have your own personal server, as the GP does, then you can take things one step further and use a dedicated email for each domain. A little harder to administer, but much more resilient - instead of "username+slashdot@domain.com", it's just "slashdot@domain.com". This is what I do on my own server, and while it makes new signups a bit more convoluted as I need to create a new email alias as well, it's proven bulletproof so far - if/when spam starts being received, I can just delete the alias and the sending server simply gets a hard fail and optionally set up a new alias for the company concerned (or not, since they've presumably either been compromised or have sold my data). Once an address is compromised however those will persist for a *long* time since spammers seem to rarely - if ever - clean up their lists of defunct emails, but you could also repurpose it as a spam trap.

        Probably overkill, but if you are being targeted for spear phishing then the phisher might figure this out and try a dictionary attack of likely alternative sites though, e.g. "somebank@domain.com", so if you are sufficiently paranoid and/or a genuinely high-risk target then you could also "salt" each email alias with a random number, e.g. "slashdot123@domain.com".
        • Or just ignore email from your bank. My bank only sends email that say I have a message on their web based system which requires me to login, anyway.

        • The original RFC822 specs for an address are in fact far less restrictive than many implementations allowed, and "+" has always been a valid character, according to RFC822.

          addr-spec = local-part "@" domain
          local-part = word *("." word) ; Case preserved as a matter of interest
          word = atom / quoted-string ; so "Hello sailor!"@example.com is valid
          atom = 1*<any CHAR except specials, SPACE and CTLs>
          CHAR = <any ASCII character>
          specials = parentheses, < and
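The grammar quoted in the comment above, turned into a form-validation check (an added example, not part of the original thread). The atom character set is built from RFC 822's definition, `OVERSTRICT` is a constructed stand-in for the kind of pattern that rejects "+", and the domain is assumed to be a plain DNS hostname; quoted-string local parts and domain literals are not handled.

```python
import re

# RFC 822 "specials": characters that cannot appear in an unquoted atom.
SPECIALS = set('()<>@,;:\\".[]')
# atom = 1*<any CHAR except specials, SPACE and CTLs>
# i.e. printable ASCII 33..126 minus the specials. "+" and "_" are included.
ATOM_CHARS = {chr(c) for c in range(33, 127)} - SPECIALS

# Constructed example of an over-strict web-form pattern (assumption, not
# taken from any particular site). It has no "+" in the local-part class.
OVERSTRICT = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Assumption: the domain is a DNS hostname made of letter-digit-hyphen labels.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_atom(word):
    """True if word is a non-empty run of RFC 822 atom characters."""
    return bool(word) and all(ch in ATOM_CHARS for ch in word)


def valid_local_part(local):
    """Unquoted local-part = word *("." word), every word an atom.

    Splitting on "." yields an empty string for a leading, trailing or
    doubled dot, which is_atom() rejects.
    """
    return all(is_atom(w) for w in local.split("."))


def valid_addr_spec(addr):
    """addr-spec = local-part "@" domain, for the unquoted case only."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return False
    labels = domain.split(".")
    return (valid_local_part(local)          # a stray "@" fails here: it is a special
            and len(labels) >= 2
            and all(LABEL.match(label) for label in labels))


def compare(addr):
    """Return (accepted by over-strict pattern, accepted by grammar check)."""
    return (OVERSTRICT.match(addr) is not None, valid_addr_spec(addr))


if __name__ == "__main__":
    for candidate in ("username+tag@domain.com",
                      "givenname_familyname@example.org",
                      "user..name@example.com",
                      "user name@example.com"):
        print(candidate, compare(candidate))
```
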

      • by Anonymous Coward
        You can set the extra character to whatever you want if it's your own email server.
        Set it to "p" and you can have orlanzpslashdot@orlanz.tld or even orlanzpdrpepper@orlanz.tld and both will hit orlanz@orlanz.tld, but there's no way they'd know that no user on your email server can have "p" in their username.
        In this case, yes. Removing + and . are easy and often done.
        • by orlanz ( 882574 )

          [face palm]. Man, I never thought of that! One of those things that are obvious once someone states it. I used to mess around with what Zocalo said back when Microsoft bought Hotmail. slashdot@orlanz.tld, but found it too much work and moved on.

          Drat, a missed opportunity but learned something today. If only email could send to the past.

      • by swilver ( 617741 )

        You could reject any mail coming in without a tag... :)

      • Comment removed based on user account deletion
      • by dissy ( 172727 )

        But wouldn't it be easy for programs to strip the tag out? Replace "\+.*@" with "@" and you have the generic?

        When used for sorting, it doesn't matter since the generic email without a plus tag will still go to your inbox.

        When used for filtering, you're supposed to have the non-plus address filtered to your spam folder.
        They would need to guess an existing and not blocked tag

        A spammer could certainly guess at valid tags. me+amazon@ would be allowed through for instance.
        It's akin to guessing common addresses on a domain name such as support@ or sales@

        But it's been over 30 years and it still isn't common practice for

      • Not a problem.

        The idea is to generally dump everything that isn't coming from an address in your address book, and doesn't use a "+" tag into "Spam" by default.

        Or, if you want to go further, ONLY receive mail for previously whitelisted "+$uniqueID"s.

        If you are a business, that needs to receive mail from strangers, then e-mail address sharing is welcome anyway, and for spam you can look into greylisting to filter out 90%, and then amavisd with spamd and some anti-spam networks for more filtering. At least that

    • by Ded Bob ( 67043 )

      I agree with the E-mail forms that on websites that block the + character. Amusingly, I need to change my E-mail for one site where the form allows it, but the backend does not send to it.

    • by erh ( 62820 )
      Gmail allows it, but certainly doesn't make it easy to use. Though you can receive emails with a plus sign, if you want to respond from one you need to manually add it as an "alias". They really should make that automatic, and also let you edit the from address on-the-fly while composing an email.
      I wonder if O365 will get this right?
    • I find about 3/4 of the websites I try let me use the "+"

      The ones that reject it are kind of random. Sometimes old rickety stuff that doesn't look like it has been updated in forever works fine, and new shiny sites fail. I can't figure a pattern, so I guess it's mostly the sites they don't think to check for it to reject it.

    • This has been available for decades. Gmail has supported this since its inception. My personal email server supports it as well. I use it to sort mails and find out who sold my address out. For example, if I ever received an email from username+slashdot@domain.com, that's not from slashdot, I'll know they sold the list. Been using this system for years.

      Hate to say it but, good on Microsoft for finally implementing it. Now if we can just get websites to not reject an email input into a form with a + in it as an "invalid character".

      True, but it should also be able to use arbitrary characters/strings as the separator. It doesn't help prevent spam when spammers can just drop the part after a + in an email address they've acquired.

      • It doesn't help prevent spam when spammers can just drop the part after a + in an email address they've acquired.

        Spammers don't care about the few people who know about plus-addressing and are likely to recognize SPAM for what it is and ignore it. Instead, what I have seen is that spammers drop the part before the "+". Obviously, this doesn't work, but it does appear in my mailserver's logs.

      • by Duhavid ( 677874 )

        "True, but it should also be able to use arbitrary characters/strings as the separator. It doesn't help prevent spam when spammers can just drop the part after a + in an email address they've acquired"

        It would not matter. If the character/string used as a separator is outside the allowable characters in an email address, the spammers will use that just as readily as the '+' sign. If they are not outside the allowable characters ( so, they would be otherwise valid email addresses ), the email provider/doma

        • Things like dots and hyphens are common enough in email addresses that using either as a separator would work because it couldn't just be stripped out wholesale.
    • Congratulations on a good and relevant FP. How did you [Pikoro] slip it past the sleeping trolls?

      I actually agree with your "should have happened long ago" Subject, but not with the ambiguous "This". There are far too many things that should have happened long ago. Most of them persist in not happening, even when lots of people agree that they are obviously good things that should happen. This plus-sign-unique-address seems to qualify under the "no brainer" tag, but it does make me wonder about what happens

    • Now if we can just get websites to not reject an email input into a form with a + in it as an "invalid character".

      It's hit-or-miss. It would be very helpful to have a reference article [nytimes.com] -- or better yet, a web page -- describing that it's part of the email standard, describe which email services support it, and indicate why you want to use it for better separation of concerns in your inbox.

      That way if multiple people complained and provided the link, the various customer support worker bees could forward something up the chain to get the request sent down to the web developers to get it fixed. Even better if it contai

    • Microsoft Exchange has had wildcard support for ages (I've been using it for well over a decade now, using a different character than "+" but that is configurable). I'm surprised it took this long to make Office offering. Or maybe it's been there for a long time, just never advertised?

    • by swilver ( 617741 )

      If a website doesn't accept the +, but does accept dots, then add another dot somewhere. Gmail ignores those too when delivering. my.mail = mymail = m.y.m.a.i.l etc...

    • by smokescr ( 4526519 ) on Tuesday July 14, 2020 @02:36PM (#60297694)
      Firstly, to appease the SEC, I work for Microsoft and I'm actually working on this feature. Our consumer offering Outlook.com (hotmail.com) has had this for years, so this project is specifically about adding the functionality for our Enterprise Exchange Online service. That said, it could have been added a while ago. Historically, one of the reasons we were dissuaded from adding support was that our customers have been able to create mailboxes in Exchange using the plus character and that threatened compatibility issues. We are making it an opt-in feature knowing that some customers neither want it nor can use it together with existing mailboxes with plus characters. Other priorities also won over as this was not seen as a critical business user need. We have, however, been taking feedback from our Uservoice site (office365.uservoice.com) and this feature ask grew and grew. The feature is already complete and we're beta testing it at the moment. Please let me know if you have any questions. On a personal note, I'm really proud that a feature I fought to get developed has made it on to Slashdot, where I have been getting my tech news for over a decade.
      • So how do you support this on the server side? I suggested to Gmail many years ago, that incoming mail was automatically labelled/tagged with the part after the +-sign. But I think Outlook is still each mail in one folder?
        • The message will be delivered with a To: header equal to the plus address. That allows our users to create an inbox rule to act on it such as move it to a folder like you mention.
      • by kriston ( 7886 )

        Carnegie Mellon University email accounts had the + sign in them since forever but they didn't use them in the ways described here.

    • I have been using this with Outlook for years as well. I wonder if they are adding more functionality to their implementation? Perhaps adding auto aliasing. Or was this just not available to people who pay for O365? I only use free accounts currently with Outlook.

    • For example, if I ever received an email from username+slashdot@domain.com, that's not from slashdot, I'll know they sold the list.

      That only works because it's relatively rare and obscure. As soon as the + usage becomes common, spammers will simply run their email lists through an awk script to remove everything from the + to the @. Not just to protect their list sources, but to prevent emails sent to a + address from being filtered out. Once you remove everything from the + to the @, you have the targe

  • So What? (Score:4, Interesting)

    by AvitarX ( 172628 ) <me&brandywinehundred,org> on Tuesday July 14, 2020 @12:19PM (#60297226) Journal
    Google does (used to do anyway) this, but nowhere let me add a + to my email address when I signed up, so it was useless.
    • I don't know what sites you're using but 90% of the ones I use allow the + and I "alias" my address pretty much everywhere...

      • by AvitarX ( 172628 )
        I stopped trying years ago, so I guess things have changed.
      • by swilver ( 617741 )

        Then use another trick. Gmail ignores dots as well when delivering mail. So my.mail@gmail.com is the same as mymail or m.y.mail or mym.ail etc...

  • by shankarunni ( 1002529 ) on Tuesday July 14, 2020 @12:22PM (#60297236)

    I've heard it said that you can use +xyz suffixes to track who's selling your info online. That's BS, of course - every e-mail harvester has figured out ages ago that you can just strip anything '+xyz' at the end of user names. If it's a convention, it's easy to circumvent it for malicious purposes.

    • Re: (Score:3, Insightful)

      by Anonymous Coward
      How does that work if you only use + addresses as legitimate, everything without the + just goes to trash?
    • if spammers just strip everything after the +, use your default as the spam folder and add a + to every real address you use
    • by shanen ( 462549 )

      But you can use the feature for filtering with a reverse spin. You can filter against email that doesn't have a +xyz at the end and make sure your real correspondents know that it's required to reach you.

      Whoops. If that became popular as a strategy then spammers would start spamming with +xyz too. Marginal cost remains too close to zero. *sigh* You can't one-up the downers.

      I still think the best approach is to break the spammers' business models. Proof of concept in the disappearance of pump-and-dump st

    • You are exactly right which is why I now submit false names to places where my name doesn't matter. Every time I get an email sent to "Fred" (my name isn't Fred), I know the information was sold. I use the last name, and sometimes a suffix in the first name, to tag the origin site.

    • by dissy ( 172727 )

      That's BS, of course - every e-mail harvester has figured out ages ago that you can just strip anything '+xyz' at the end of user names

      Which is fine, all email addressed to me without a plus tag is filtered into the spam folder already.

      That's how allow-lists work. username+tag gets added to the list to allow delivery.
      Any address not on that list is filtered out as junk, including without a plus tag.
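The allow-list approach described in the comment above, combined with the "who leaked my address" check from the first post, as an added example that is not part of the original thread. The mailbox, domain, tag list and sample messages are constructed; it reads the To: header (which, per the Microsoft engineer's reply, carries the plus address) and treats From: only as a hint, since it is trivially forged.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MAILBOX, DOMAIN = "username", "domain.com"   # hypothetical mailbox
# Constructed allow-list: tag -> sender domains expected to use that tag.
ALLOWED_TAGS = {
    "slashdot": {"slashdot.org"},
    "amazon": {"amazon.com"},
}


def split_subaddress(addr, sep="+"):
    """Split user+tag@domain at the first separator in the local part.

    Returns (user, tag, domain); tag is None when no separator is present.
    Everything is lower-cased for matching (a local policy choice).
    """
    local, _, domain = addr.rpartition("@")
    user, found, tag = local.partition(sep)
    return user.lower(), (tag.lower() if found else None), domain.lower()


def classify(raw_message):
    """Return (verdict, detail) where verdict is inbox, review or junk."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    for _, rcpt in recipients:
        user, tag, domain = split_subaddress(rcpt)
        if (user, domain) != (MAILBOX, DOMAIN):
            continue
        if tag is None:
            # Bare address: never handed out, or a harvester stripped the tag.
            return ("junk", "untagged address")
        if tag not in ALLOWED_TAGS:
            # Guessed or retired tag.
            return ("junk", "unknown tag")
        expected = ALLOWED_TAGS[tag]
        if not any(sender_domain == d or sender_domain.endswith("." + d)
                   for d in expected):
            # Valid tag, wrong sender: the address given to that site has
            # reached a third party. Keep the message as evidence.
            return ("review", "tag '%s' used by %s" % (tag, sender_domain))
        # A matching From: is not proof of origin; it only fails to raise a flag.
        return ("inbox", tag)
    return ("junk", "not addressed to mailbox")


# Constructed sample messages.
SAMPLES = {
    "legit": "From: news@slashdot.org\nTo: username+slashdot@domain.com\n"
             "Subject: Daily\n\nbody\n",
    "leaked": "From: deals@bulk-mailer.example\nTo: username+slashdot@domain.com\n"
              "Subject: Offer\n\nbody\n",
    "stripped": "From: deals@bulk-mailer.example\nTo: username@domain.com\n"
                "Subject: Offer\n\nbody\n",
    "guessed": "From: x@bulk-mailer.example\nTo: username+bank@domain.com\n"
               "Subject: Alert\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```
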

  • They used to be the evil monopoly that regularly broke standards and forced their own, incompatible stuff down everybody's throats just because they could, to capture even more market by force. Now the devil has taken residence at Google, and Microsoft is forced to play nice with the open-source community and follow the rules like everybody else.

    Oh the irony.

    • by Merk42 ( 1906718 )
      Google has issues, but deliberately not following standards and forcing proprietary stuff because they can, and in order to promote vendor lock-in, is more of an Apple thing.
  • I've been using this feature in gmail for ages but LOTS of sites are incorrectly aggressive on their email validation and decide they know what's right about the 'local part'. Even to the point where I've had one place say they block it on purpose because of 'aliases'

  • I've been doing this with my email for a long time. A few years ago, we bought a Hyundai with their BlueLink feature. For that to work, I had to create an account on their web site. I used a +hyundai tag on my email address. Account creation went fine and I got a few emails welcoming me to their service. But, once I went to the bluelink page from my account, nothing worked. Just a blank page like some script never finished rendering. It took over 8 weeks with their tech support to realize that someo
  • Does Office365 allow for blocking by tag? THAT would be useful. Something akin to spamgourmet.

  • Are all standards such as this RFC (Request for Comment)? I would've expected there to be some sort of standardizing body...although, I'm reminded of the xkcd about standards...
  • Web forms don't block the underscore, it looks legit, and is roughly the same difficulty level to set up as '+'.
  • It's much simpler, and much more accepted worldwide, to just make a whole bunch of email aliases for throwaway stuff, and not try to use a "+". I just added another one this morning, and from looking at the list, it looks like I've got ~20 for my personal email account.
  • GMail ignores dots in usernames so: John.Smith@gmail.com is the same as JOHNSMITH@gmail.com and j.o.h.n.s.m.i.t.h@gmail.com.

    Which can also be used for spammy types. Put a dot in a certain character for throwaways and filter those to the trash. While some spam harvesters might strip dots, it is less likely since some domains need them.

    Plus you could always put a dot in a certain position, and set it so anything without the dot gets filtered.
