Microsoft Office 365 webmail exposes IP addresses with emails

If you regularly use Microsoft Office 365 webmail and want to keep your IP address hidden from recipients, there is a problem: Office 365 webmail exposes the sender's IP address to recipients. When you send an email through Office 365 webmail, your local IP address is injected into the message as an extra mail header.

When an email is sent via Office 365 webmail, the service injects an additional header called “x-originating-ip” that contains the IP address of the sender. The additional header looks something like the example given below.

“authentication-results: spf=none (sender IP is )
smtp.mailfrom=test@example.com
x-originating-ip: [23.xx.xx.xx]
x-ms-publictraffictype: Email”

Bleeping Computer tested the webmail interfaces for Gmail, Yahoo, AOL, Outlook.com, and Microsoft Office 365, and found that only Office 365 injected the user's local IP address when mail was sent from the webmail.

If you do not want your IP address to be exposed while using Office 365’s webmail interface, you have to connect to the webmail through a VPN or Tor. The IP address of the VPN or Tor service is then injected into the email rather than the user's local one.

Microsoft removed the “x-originating-ip” header field from Hotmail in 2013 for security and privacy reasons. However, the header has been intentionally left in Office 365 for enterprise, so that admins can search for email that has been sent to their organization from a particular IP address. The header also helps with security and auditing, as well as with finding the location of a sender in the event of an account being hacked.

Nevertheless, admins who do not want this header can remove it by creating a new rule in the Exchange admin center.
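An admin who adds such a rule, or who wants to search mail by sending IP as described above, can check saved messages for the header. The following Python sketch is an added example, not code from Microsoft or Bleeping Computer; the function names, file names and sample messages are constructed for illustration, and the sample addresses come from documentation-reserved ranges.

```python
import ipaddress
import re
from email import message_from_string

HEADER = "X-Originating-IP"  # name from the article; header lookup is case-insensitive

# Constructed sample messages (documentation-range addresses, not real traffic).
SAMPLES = {
    "webmail.eml": ("From: test@example.com\n"
                    "x-originating-ip: [203.0.113.45]\n"
                    "x-ms-publictraffictype: Email\n\nbody\n"),
    "stripped.eml": "From: test@example.com\nSubject: rule applied\n\nbody\n",
    "redacted.eml": "From: test@example.com\nx-originating-ip: [23.xx.xx.xx]\n\nbody\n",
    "ipv6.eml": "From: test@example.com\nX-Originating-IP: [2001:db8::1]\n\nbody\n",
}

def originating_ips(raw):
    """Return (parsed addresses, unparsable raw values) from the header."""
    msg = message_from_string(raw)
    valid, bad = [], []
    for value in msg.get_all(HEADER, []):
        token = re.sub(r"[\[\]\s]", "", str(value))  # strip brackets and whitespace
        try:
            valid.append(ipaddress.ip_address(token))
        except ValueError:  # e.g. a redacted or malformed value
            bad.append(str(value).strip())
    return valid, bad

def audit(messages):
    """Classify each message as clean, exposed or unparsable."""
    report = {}
    for name, raw in messages.items():
        valid, bad = originating_ips(raw)
        if valid:
            report[name] = "exposed: " + ", ".join(map(str, valid))
        else:
            report[name] = "unparsable: " + ", ".join(bad) if bad else "clean"
    return report

def sent_from(messages, cidr):
    """Names of messages whose originating IP lies inside the network `cidr`."""
    net = ipaddress.ip_network(cidr)
    return sorted(name for name, raw in messages.items()
                  if any(ip in net for ip in originating_ips(raw)[0]))

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name}: {verdict}")
    print("from 203.0.113.0/24:", sent_from(SAMPLES, "203.0.113.0/24"))
```

Running `audit` over messages sent after the rule is in place should report every message as clean; any remaining "exposed" entry means the rule did not apply to that mail flow.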

This privacy breach happens only with Office 365 webmail. Other services like Yahoo, Gmail, or even Outlook.com do not seem to be affected.