Skip to content

Migrate SNDS checker to OAuth REST API (key-based URL expires every 30 days) #197

Description

@jmduke

Context

Microsoft migrated Outlook.com's Smart Network Data Service (SNDS) off the legacy sendersupport.olc.protection.outlook.com/snds/ URLs in June 2026 (old URLs deprecated 2026-06-22). The no_sdns_issues checker was hitting a dead URL that returned an HTML portal page, which the old "any non-empty body == problem" logic misread as an IP-reputation failure (false-positive LOW alert in #alerts-checkers-deliverability).

Immediate fix shipped: repointed the checker to the new key-based endpoint https://substrate.office.com/ip-domain-management-snds/SNDS/IpStatusKey?Key=... and rewrote the logic to interpret HTTP 404 = clean, 200 + application/octet-stream = flagged IPs, anything else = checker misconfigured. See app/mailgun_events/checkers/no_sdns_issues.py.

The remaining problem

The new automated-access keys expire 30 days after creation, and an expired key returns HTTP 404 — which is indistinguishable from a clean result. So roughly 30 days after each key is minted, the checker will:

  1. Get a 404
  2. Interpret it as "no abnormal IPs / clean"
  3. Go silently blind with no alert

This is worse than the original false positive: instead of crying wolf, it stops watching entirely. Re-keying requires a manual Microsoft login + the buggy "disable/re-enable auto access" dance (which itself currently errors with "There was a problem saving your changes" and needs an Edit-Profile-save workaround), then a code deploy to swap the hardcoded key.

Proposed fix

Migrate to the OAuth 2.0 REST API Microsoft now exposes, which has no expiring key:

  • IP status: GET https://substrate.office.com/ip-domain-management-snds/api/report/status/ip
  • Daily data: GET https://substrate.office.com/ip-domain-management-snds/api/report/data/{date?}/{ip?}
  • Auth: Microsoft identity platform, auth-code flow
    • Authorize: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
    • Token: https://login.microsoftonline.com/consumers/oauth2/v2.0/token
    • Consumer tenant id: 9188040d-6c67-4c5b-b112-36a304b66dad
    • Client id (SNDS portal): a53a6cc1-a1cd-46f7-a4aa-281cdabec33c
    • Scope: a53a6cc1-a1cd-46f7-a4aa-281cdabec33c/.default

Work: implement token acquisition + refresh against the consumer endpoint (a refresh token will need to be obtained once interactively and stored), then repoint the checker. Removes the 30-day re-keying treadmill and the silent-blindness failure mode.

Acceptance criteria

  • Checker authenticates via OAuth and reads /api/report/status/ip
  • No hardcoded expiring key in source
  • Checker still distinguishes "clean" from "auth/endpoint broken" (don't let an auth failure read as clean)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions