News: 0133356194

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Microsoft Adds Support For Custom '+' Email Addresses in Office 365 (zdnet.com)

(Tuesday July 14, 2020 @01:33PM (msmash) from the moving-forward dept.)


Microsoft is adding support for [1]custom email addressing to Office 365 email services , a feature it hopes to complete in Q3 2020. From a report:

> Custom email addresses are an optional feature that some email providers can support. The feature is described in the RFC 5233 internet standard. Officially known as subaddressing, this standard allows users to extend their email address using "tags" or the plus (+) character, hence its two alternative names of tagged addressing or plus addressing. For example, a user with the email address of username@domain.com can use the plus addressing feature to extend their email address to username+tag@domain.com. If the user's email address supports subaddressing, all emails sent to the username+tag@domain.com email will land in the user's username@domain.com inbox.



[1] https://www.zdnet.com/article/microsoft-adds-support-for-custom-email-addresses-in-office-365/

This should have happened long ago (Score:5, Interesting)

by Pikoro ( 844299 )

This has been available for decades. Gmail has supported this since its inception. My personal email server supports it as well. I use it to sort mails and find out who sold my address out. For example, if I ever received an email from username+slashdot@domain.com, that's not from slashdot, I'll know they sold the list. Been using this system for years.

Hate to say it but, good on Microsoft for finally implementing it. Now if we can just get websites to not reject an email input into a form with a + in it as an "invalid character".

Re: (Score:2)

by orlanz ( 882574 )

But wouldn't it be easy for programs to strip the tag out? Replace "\+.*@" with "@" and you have the generic? Apologies if I missed something, I am not very familar with this feature.

Re: (Score:2)

by DontBeAMoran ( 4843879 )

That's what I'm thinking too, which is why I have a different alias for every company/website.

Re: This should have happened long ago (Score:2)

by saloomy ( 2817221 )

Gmail did this with _ characters. Not ideal, but you could put an underscore character anywhere in the mailbox name (before the @) and Gmail would deliver the email. It would be better IĆ¢(TM)ll admit with _*@ so the star could be anything. The problem is the _ might be in the middle of a legitimate mailbox name john_doe would receive e-mail for john if John used john_doe to register some address with a website. You almost need a unique character like + but it will simply be ignored by spammers.

Re: (Score:2)

by aardvarkjoe ( 156801 )

> But wouldn't it be easy for programs to strip the tag out? Replace "\+.*@" with "@" and you have the generic? Apologies if I missed something, I am not very familar with this feature.

Yes; this feature isn't useful for the purposes of obscuring your real email address, and I'm sure that some spammers already remove the +extension from gmail addresses.

It's handy for sorting legitimate emails, though.

Re: (Score:1)

by Way, Way Smarter! ( 6878018 )

> I'm sure that some spammers already remove the +extension from gmail addresses.

Spammers vary in technical competence.

I have my own domain and mailserver and I see attempts to send email to "linked@" in the logs. These obviously originate from the LinkedIn hack, since the email address that I registered with LinkedIn is +linked@.

TL;DR; The software many spammers use doesn't support "+" in email addresses.

Re: (Score:2)

by Zocalo ( 252965 )

That's exactly what competent spammers will do (yes, they do exist). A lot are too lazy or clueless, but there are enough that have sufficient clue to be annoying. It does provide a reasonable level of protection from semi-legit marketing types though - assuming they will actually let you use a "+" in the email field and not reject it as containing an "invalid character". There are a few additional tricks you can do however, the easiest is to require the throwaway - e.g. if you get email on plain "userna

Re: This should have happened long ago (Score:2)

by Way Smarter Than You ( 6157664 )

Or just ignore email from your bank. My bank only sends email that say I have a message on their web based system which requires me to login, anyway.

Re: (Score:2)

by Ded Bob ( 67043 )

I agree with the E-mail forms that on websites that block the + character. Amusingly, I need to change my E-mail for one site where the form allows it, but the backend does not send to it.

Re: (Score:2)

by aardvarkjoe ( 156801 )

> I agree with the E-mail forms that on websites that block the + character. Amusingly, I need to change my E-mail for one site where the form allows it, but the backend does not send to it.

I had this happen once where I was able to successfully create an account with a '+' address, but then found that their login page wouldn't accept the email address that I had created the account with. Apparently whoever developed that site didn't believe in code re-use.

Re: (Score:2)

by omnichad ( 1198475 )

Aside from this special use case from specific providers, the + symbol is allowed in standard non-tagged email addresses. This is as dumb as blocking exclamation points in passwords.

Re: (Score:1)

by erh ( 62820 )

Gmail allows it, but certainly doesn't make it easy to use. Though you can receive emails with a plus sign, if you want to respond from one you need to manually add it as an "alias". They really should make that automatic, and also let you edit the from address on-the-fly while composing an email.

I wonder if O365 will get this right?

Re: (Score:2)

by samwichse ( 1056268 )

I find about 3/4 of the websites I try let me use the "+"

The ones that reject it are kind of random. Sometimes old rickety stuff that doesn't look like it has been updated in forever works fine, and new shiny sites fail. I can't figure a pattern, so I guess it's mostly the sites they don't think to check for it to reject it.

Re: (Score:2)

by NicknameUnavailable ( 4134147 )

> This has been available for decades. Gmail has supported this since its inception. My personal email server supports it as well. I use it to sort mails and find out who sold my address out. For example, if I ever received an email from username+slashdot@domain.com, that's not from slashdot, I'll know they sold the list. Been using this system for years.

> Hate to say it but, good on Microsoft for finally implementing it. Now if we can just get websites to not reject an email input into a form with a + in it as an "invalid character".

True, but it should also be able to use arbitrary characters/strings as the separator. It doesn't help prevent spam when spammers can just drop the part after a + in an email address they've acquired.

Re: (Score:1)

by Way, Way Smarter! ( 6878018 )

> It doesn't help prevent spam when spammers can just drop the part after a + in an email address they've acquired.

Spammers don't care about the few people who know about plus-addressing and are likely to recognize SPAM for what it is and ignore it. Instead, what I have seen is that spammers drop the part before the "+". Obviously, this doesn't work, but it does appear in my mailserver's logs.

Re: (Score:2)

by Duhavid ( 677874 )

"True, but it should also be able to use arbitrary characters/strings as the separator. It doesn't help prevent spam when spammers can just drop the part after a + in an email address they've acquired"

It would not matter. If the character/string used as a separator is outside the allowable characters in an email address, the spammers will use that just as readily as the '+' sign. If they are not outside the allowable characters ( so, they would be otherwise valid email addresses ), the email provider/doma

Does SMTP or MS allow for actual innovation? (Score:2)

by shanen ( 462549 )

Congratulations on a good and relevant FP. How did you [Pikoro] slip it past the sleeping trolls?

I actually agree with your "should have happened long ago" Subject, but not with the ambiguous "This". There are far too many things that should have happened long ago. Most of them persist in not happening, even when lots of people agree that they are obviously good things that should happen. This plus-sign-unique-address seems to qualify under the "no brainer" tag, but it does make me wonder about what happens

So What? (Score:3)

by AvitarX ( 172628 )

Google does (used to do anyway) this, but nowhere let me add a + to my email address when I signed up, so it was useless.

Re: (Score:2)

by theNetImp ( 190602 )

I don't know what sites you're using but 90% of the ones I use allow the + and I "alias" my address pretty much everywhere...

It's definitely not useful as a spam-tracer (Score:4, Interesting)

by shankarunni ( 1002529 )

I've heard it said that you can use +xyz suffixes to track who's selling your info online. That's BS, of course - every e-mail harvester has figured out ages ago that you can just strip anything '+xyz' at the end of user names. If it's a convention, it's easy to circumvent it for malicious purposes.

Re: (Score:2, Insightful)

by Anonymous Coward

How does that work if you only use + addresses as legitimate, everything without the + just goes to trash?

Re: (Score:2)

by theNetImp ( 190602 )

^^^^^^^ Totally this...

Re: (Score:1)

by hatman9 ( 6732920 )

if spammers just strip everything after the +, use your default as the spam folder and add a + to every real address you use

Re: (Score:2)

by shanen ( 462549 )

But you can use the feature for filtering with a reverse spin. You can filter against email that doesn't have a +xyz at the end and make sure your real correspondents know that its required to reach you.

Whoops. If that became popular as a strategy then then spammers would start spamming with +xyz too. Marginal cost remains too close to zero. *sigh* You can't one-up the downers.

I still think the best approach is to break the spammers' business models. Proof of concept in the disappearance of pump-and-dump st

Re: (Score:1)

by SpaceBoyToy ( 2633691 )

You are exactly right which is why I now submit false names to places where my name doesn't matter. Every time I get an email sent to "Fred" (my name isn't Fred), I know the information was sold. I use the last name, and sometimes a suffix in the first name, to tag the origin site.

That's when you know Microsoft has slipped (Score:2)

by Rosco P. Coltrane ( 209368 )

They used to be the evil monopoly that regularly broke standards and forced their own, incompatible stuff down everybody's throats just because they could, to capture even more market by force. Now the devil has taken residence at Google, and Microsoft is forced to play nice with the open-source community and follow the rules like everybody else.

Oh the irony.

Re: (Score:2)

by Merk42 ( 1906718 )

Google has issues, but deliberately not following standards and forcing proprietary stuff because they can, and in order to promote vendor lock-in, is more of an Apple thing.

hyperaggressive parsing issues (Score:2)

by MrLint ( 519792 )

I've been using this feature in gmail for ages but LOTS of sites are incorrectly aggressive on their email validation and dfecide they know whats right about the 'local part'. Even to the point where i've had one place say they block it on purpose because of 'aliases'

Backend issues (Score:2)

by dwillmore ( 673044 )

I've been doing this with my email for a long time. A few years ago, we bought a Hyundai with their BlueLink feature. For that to work, I had to create an account on their web site. I used a +hyundai tag on my email address. Account creation went fine and I got a few emails welcoming me to their service. But, once I went to the bluelink page from my account, nothing worked. Just a blank page like some script never finished rendering. It took over 8 weeks with their tech support to realize that someo

Question (Score:2)

by Kokuyo ( 549451 )

Does Office365 allow for blocking by tag? THAT would be useful. Something akin to spamgourmet.

Surprised that it's all RFC? (Score:2)

by aitikin ( 909209 )

Are all standards such as this RFC (Request for Comment)? I would've expected there to be some sort of standardizing body...although, I'm reminded of the xkcd about standards...

Re: (Score:2)

by kackle ( 910159 )

It's interesting to visit the older ones. [1] Example [ietf.org].

[1] https://tools.ietf.org/html/rfc821

Underscores_are_better (Score:1)

by bustinbrains ( 6800166 )

Web forms don't block the underscore, it looks legit, and is roughly the same difficulty level to set up as '+'.

Multiple addresses is easier (Score:2)

by DogDude ( 805747 )

It's much simpler, and much more accepted worldwide, to just make a whole bunch of email aliases for throwaway stuff, and not try to use a "+". I just added another one this morning, and from looking at the list, it looks like I've got ~20 for my personal email account.

<darkangel> I generally don't use anything that has "experimental" and
"warning" pasted all over it
<darkangel> no, I'm not that dumb... hehe
<Knghtbrd> ...
* darkangel considers downloading the latest unstable kernel