One of the features of Microsoft Teams is the ability to send email to Team channels. When a channel receives an email, a new discussion thread is started, and the Team members can discuss the topic within Teams (replies do not go to the original sender of the email; it’s all contained within Teams).
There are lots of scenarios where emailing a Team channel for discussion around a topic would be useful. Team members could forward an email about a new internal company announcement, or subscribe the team to external alert emails such as security bulletins. Really any “what do you think about this?” type of discussion is made easier by this feature.
However, there are some potential concerns that you should be aware of.
To email a Team channel you must first know the channel’s email address. Within Teams you can get the email address for a channel by opening the menu next to the channel name and choosing Get email address.
The email addresses for Team channels use Microsoft-owned domains. For my region, the domain is @apac.teams.ms.
The first time I tested emailing a channel I did so from an external address, and it worked straight away. That made me wonder what controls or protection can be applied to the channel emails. There are three settings that you can configure for a channel to control the email functionality. The options are accessed by clicking on the advanced settings link when retrieving a channel’s email address.
The default is to allow anyone to send emails to the address. For some organizations this will be a concern. Even though the channel email address is not easily guessable, there are customers who won’t accept security by obscurity. For those customers, choosing Only members of this team, or Only email sent from these domains can be used to reduce the perceived risk of abuse.
Unfortunately, those settings are configured on a per-channel basis. There is no PowerShell administration for Teams (yet?), so no apparent way to check every channel’s settings, or make bulk changes. There’s also no option to change the default behavior to one of the more secure settings. At the tenant-level, the only option is to completely enable or disable the channel email functionality.
That tenant-level setting really needs to be improved to allow administrators to set default email behavior for channels, or to block some of the options entirely (e.g. not allow wide open groups, thereby forcing channel owners to configure specific approved domains if they want external senders to email the channel).
As an aside, when the tenant-level option is set to Off, Teams users are not made aware of it. They are free to continue getting the email address for a channel and trying to send it emails. The sender will receive an NDR, but if the channel owner is trying to send emails from an external source (e.g. a reporting or alerting service) then they might not see those NDRs at all.
While I was playing around with this I started thinking about how the inbound emails to Teams channels are handled. If each team in my tenant has an @apac.teams.ms email address, where does that resolve to?
PS C:\> Resolve-DnsName -Name apac.teams.ms -Type mx

Name          Type TTL  Section NameExchange                              Preference
----          ---- ---  ------- ------------                              ----------
apac.teams.ms MX   3600 Answer  apac-teams-ms.mail.protection.outlook.com 0
It seems that Teams emails go through Exchange Online Protection. I did a quick test by sending emails with and without a malware attachment (using the EICAR test string), and the email with the malware was not delivered, which is what you would expect.
However, that does raise a few questions about the level of protection being provided for Teams. If a customer is paying for EOP Advanced Threat Protection, do they receive that extra protection that ATP provides? It’s hard to say whether ATP Safe Attachments scanning is occurring, but it definitely appears that Safe Links policies are not applied to URLs within the emails. That makes sense, because the email itself never actually routes through your own EOP/EXO service. But in an ideal world the ATP protection you’re paying a premium for would protect you from all emails.
It also raises some potential issues for organizations that have specific security or compliance requirements. If an Office 365 customer requires that all email route through a third party spam filter, route through an on-premises server via centralized transport, be subject to certain transport rules, or be journaled away to a hosted archiving service, should that also include emails sent to Teams channels? I would say the answer to that question will vary for different customers. Some will consider emails to Teams channels to be different to regular email, while others will view them as the same thing.
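To check this routing question for your own environment, the following added example (not part of the original article) compares the MX path of a Teams channel domain with the MX path of your own mail domain and reports whether each one passes through a filter you require. The domain contoso.com, the host inbound.filter.example, and the function names are constructed placeholders; the apac.teams.ms record mirrors the lookup output shown above.

```powershell
# Added example: does mail to a Teams channel follow the same inbound path as
# mail to your own domain? Function names and sample records are constructed.

function Get-MxPath {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Optional pre-fetched records so the logic can be checked offline.
        [object[]] $Records
    )
    if (-not $Records) {
        $Records = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop
    }
    # Keep only MX answers (a domain with no MX returns an SOA record instead).
    $Records | Where-Object { $_.NameExchange } | Sort-Object Preference |
        ForEach-Object {
            [pscustomobject]@{
                Domain     = $Domain
                Preference = $_.Preference
                MailHost   = $_.NameExchange
                ViaEop     = $_.NameExchange -like '*.mail.protection.outlook.com'
            }
        }
}

function Test-RequiredMailPath {
    param([object[]] $MxPath, [string] $RequiredSuffix)
    # True only when every MX host for the domain sits behind the required filter.
    $entries = @($MxPath)
    if ($entries.Count -eq 0) { return $false }
    foreach ($entry in $entries) {
        if ($entry.MailHost -notlike "*$RequiredSuffix") { return $false }
    }
    return $true
}

# Constructed sample records. Omit -Records to query DNS live instead.
$channelMx = [pscustomobject]@{ NameExchange = 'apac-teams-ms.mail.protection.outlook.com'; Preference = 0 }
$tenantMx  = [pscustomobject]@{ NameExchange = 'inbound.filter.example'; Preference = 10 }

$channelPath = @(Get-MxPath -Domain 'apac.teams.ms' -Records $channelMx)
$tenantPath  = @(Get-MxPath -Domain 'contoso.com'   -Records $tenantMx)
$channelPath + $tenantPath | Format-Table -AutoSize

foreach ($path in @($channelPath, $tenantPath)) {
    $ok = Test-RequiredMailPath -MxPath $path -RequiredSuffix '.filter.example'
    '{0}: routed via required filter = {1}' -f $path[0].Domain, $ok
}
```

With the sample records, contoso.com reports True and apac.teams.ms reports False, which is the gap described above: mail addressed to a channel is delivered to Microsoft's hosts directly and never reaches the filter in front of your own domain.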
Teams has just reached general availability, and the email to channels feature is brand new, so perhaps these capabilities will change over time to accommodate more customer requirements. In the meantime, if you are concerned about the current options available to you, it might be necessary to just completely disable emails to channels until more controls are made available.