Accessible External Email Warnings

Aug 24, 2021

Firstly, I apologize for not posting more articles in the last six months. I have a lot of content half written but my health has not been great since late 2020, and work got in the way.

In a departure from End User Compute, this article is about Exchange Online. I work across Microsoft 365 and very occasionally work on something that I have not seen an article about.

Recently I worked on applying a warning message to external emails received by Exchange Online. The method for applying a warning is tried and tested - use a mail transport rule to prepend a warning message to the body of the email. The most recent phishing test caught a lot of users out because the original external warning was a plain text warning message prepended to the message body. Users became normalized to the message and ignored the warning on the phishing test.

Our solution was a color coded banner with two grades of warning.

An Amber warning for emails that pass SPF, DKIM and DMARC checks
A Red warning for emails that fail SPF, DKIM and DMARC checks

The new warning messages were very visible but we ran into a problem with a color-blind colleague who struggled with the Amber/Red primary colour scheme. So we adjusted the color scheme to improve the visual contrast for both the visually impaired and normal sighted. The solution was a neat solution so I thought it was worth writing up so someone else can re-use what we learned.

I hope that this solution helps someone else with a similar technical requirement.

Authentication Checks

Email authentication checks are checks that the receiving email server can perform to confirm that the email was genuine. We rely on three types of email authentication check:

Sender Policy Framework (SPF)
DomainKeys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting & Conformance (DMARC)

Microsoft have a good primer on how the three types of authentication check work [LINK] if you want to learn more.

When Exchange Online receives an email, the three factors are verified using the published DNS records for the sender domain. The results of the check are inserted into the message header of the email message as the Authentication-Results header. The screenshot below shows the results of the authentication when I passed the message header of a test email through the Message Header Analyzer [LINK].

You can see that all three authentication factors were marked as Pass. This means that it is likely this is an email from a legitimate sender.

We identified the following factors that would cause an email to be marked as high risk.

SPF=Fail
DKIM=Fail
DKIM=None
DMARC=Fail

Our experiments with DMARC=None showed that many legitimate emails were marked as high risk because the recipient domains had no DMARC policy DNS records. We fell back to only marking an email as high risk if DMARC checks failed.

The Warning Banners (Version 1)

Our first attempt at color coded warning banners is shown below.

We did some initial testing but quickly ran into accessibility issues. One of my colleagues is color blind and the warnings were just a blur. The contrast between the background and the text was also a challenge for those that were not visually impaired.

Adjusting for Visual Impairment

We used the CoBliS - Color Blindness Simulator [LINK] to simulate the color schemes across a range of shades. The tool allows you to upload an image then simulate a range of conditions.

After experimentation and a review of online guidance, we adjusted the color shades so that there was enough Red, Green and Blue pigment in the colors to maintain strong contrast across a range of visual impairments. The specific shades that we used were.