One of the features of Microsoft Teams is the ability to send email to Team channels. When a channel receives an email, a new discussion thread is started, and the Team members can discuss the topic within Teams (replies do not go to the original sender of the email, it’s all contained within Teams).

There’s lots of scenarios where emailing a Team channel for discussion around a topic would be useful. Team members could forward an email about a new internal company announcement, or subscribe the team to external alert emails such as security bulletins. Really any “what do you think about this?” type of discussion is made easier by this feature.

However, there are some potential concerns that you should be aware of.

To email a Team channel you must first know the channel’s email address. Within Teams you can get the email address for a channel by opening the menu next to the channel name and choosing Get email address.

How Secure is Sending Emails to Microsoft Teams Channels?

The email addresses for Team channels use Microsoft-owned domains. For my region, the domain is @apac.teams.ms.

How Secure is Sending Emails to Microsoft Teams Channels?

The first time I tested emailing a channel I did so from an external address, and it worked straight away. That made me wonder what controls or protection can be applied to the channel emails. There are three settings that you can configure for a channel to control the email functionality. The options are accessed by clicking on the advanced settings link when retrieving a channel’s email address.

How Secure is Sending Emails to Microsoft Teams Channels?

The default is to allow anyone to send emails to the address. For some organizations this will be a concern. Even though the channel email address is not easily guessable, there are customers who won’t accept security by obscurity. For those customers, choosing Only members of this team, or Only email sent from these domains can be used to reduce the perceived risk of abuse.

Unfortunately, those settings are configured on a per-channel basis. There is no PowerShell administration for Teams (yet?), so no apparent way to check every channel’s settings, or make bulk changes. There’s also no option to change the default behavior to one of the more secure settings. At the tenant-level, the only option is to completely enable or disable the channel email functionality.

How Secure is Sending Emails to Microsoft Teams Channels?

That tenant-level setting really needs to be improved to allow administrators to set default email behavior for channels, or to block some of the options entirely (e.g. not allow wide open groups, thereby forcing channel owners to configure specific approved domains if they want external senders to email the channel).

As an aside, when the tenant-level option is set to Off, Teams users are not made aware of it. They are free to continue getting the email address for a channel and trying to send it emails. The sender will receive an NDR, but if the channel owner is trying to send emails from an external source (e.g. a reporting or alerting service) then they might not see those NDRs at all.

How Secure is Sending Emails to Microsoft Teams Channels?

While I was playing around with this I started thinking about how the inbound emails to Teams channels are handled. If each team in my tenant has an @apac.teams.ms email address, where does that resolve to?

PS C:\> Resolve-DnsName -Name apac.teams.ms -Type mx

Name               Type   TTL   Section    NameExchange                              Preference
----               ----   ---   -------    ------------                              ----------
apac.teams.ms      MX     3600  Answer     apac-teams-ms.mail.protection.outlook.com 0

It seems that Teams emails go through Exchange Online Protection. I did a quick test by sending emails with and without a malware attachment (using the EICAR test string), and the email with the malware was not delivered. Which is what you would expect.

However that does raise a few questions about the level of protection being provided for Teams. If a customer is paying for EOP Advanced Threat Protection, do they receive that extra protection that ATP provides? It’s hard to say whether ATP Safe Attachments scanning is occurring, but it definitely appears that Safe Links policies are not applied to URLs within the emails. That makes sense, because the email itself never actually routes through your own EOP/EXO service. But in an ideal world the ATP protection you’re paying a premium for would protect you from all emails.

It also raises some potential issues for organizations that have specific security or compliance requirements. If an Office 365 customer requires that all email route through a third party spam filter, an on-premises server via centralized transport, be subject to certain transport rules, or is journaled away to a hosted archiving service, should that also include emails sent to Teams channels? I would say the answer to that question will vary for different customers. Some will consider emails to Teams channels to be different to regular email, while others will view them as the same thing.

Teams has just reached general availability, and the email to channels feature is brand new, so perhaps these capabilities will change over time to accommodate more customer requirements. In the meantime, if you are concerned about the current options available to you, it might be necessary to just completely disable emails to channels until more controls are made available.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Charlie

    Hi Paul
    I have set up a private channel for some users and its email address works when the members of the channel send to it: the emails appear inline in channel posts.

    When someone else in the organisation sends an email, however, it does not appear DESPITE there being no restrictions at the org level or on the channel level about who can send.
    The non-member sender gets an NDR, but the email is actually delivered to the “Email Messages” folder in files, but not inline in the posts.

    I’ve tried with a test Team in our tenancy and the same happens.
    I can only think this is a bug. Am I missing something?

  2. joe

    I have an ID of a38af17.mydomain.com@apac.team.us, but how can i tell which Team Channel my user send the email to

    I tried to go into Team Admin Center , and the Group ID did not match the email a38af17

  3. Donnie Alcala

    Thank you a lot for sharing this with all of
    us you actually recognise what you are talking about!
    Bookmarked. Kindly also visit my site =). We could have a hyperlink trade agreement between us

  4. Gautam

    for “If an Office 365 customer requires that all email route through a third party spam filter, an on-premises server via centralized transport, be subject to certain transport rules, or is journaled away to a hosted archiving service, should that also include emails sent to Teams channels?” Do you see connectors a viable solution to route messages to on-prem infra and then send it out using gateway of on-prem.

    Can you please suggest something around it? Please be informed so far HCW is not configured.

  5. Nigel

    What licencing plans do you need for “Teams” to work ?

    1. Paul Cunningham

      Currently Office 365 Business Essentials, Business Premium, and Enterprise E1, E3, and E5 plans.

Leave a Reply