Context
Microsoft migrated Outlook.com's Smart Network Data Service (SNDS) off the legacy sendersupport.olc.protection.outlook.com/snds/ URLs in June 2026 (old URLs deprecated 2026-06-22). The no_sdns_issues checker was hitting a dead URL that returned an HTML portal page, which the old "any non-empty body == problem" logic misread as an IP-reputation failure (false-positive LOW alert in #alerts-checkers-deliverability).
Immediate fix shipped: repointed the checker to the new key-based endpoint https://substrate.office.com/ip-domain-management-snds/SNDS/IpStatusKey?Key=... and rewrote the logic to interpret HTTP 404 = clean, 200 + application/octet-stream = flagged IPs, anything else = checker misconfigured. See app/mailgun_events/checkers/no_sdns_issues.py.
The remaining problem
The new automated-access keys expire 30 days after creation, and an expired key returns HTTP 404 — which is indistinguishable from a clean result. So roughly 30 days after each key is minted, the checker will:
- Get a 404
- Interpret it as "no abnormal IPs / clean"
- Go silently blind with no alert
This is worse than the original false positive: instead of crying wolf, it stops watching entirely. Re-keying requires a manual Microsoft login + the buggy "disable/re-enable auto access" dance (which itself currently errors with "There was a problem saving your changes" and needs an Edit-Profile-save workaround), then a code deploy to swap the hardcoded key.
Proposed fix
Migrate to the OAuth 2.0 REST API Microsoft now exposes, which has no expiring key:
- IP status:
GET https://substrate.office.com/ip-domain-management-snds/api/report/status/ip
- Daily data:
GET https://substrate.office.com/ip-domain-management-snds/api/report/data/{date?}/{ip?}
- Auth: Microsoft identity platform, auth-code flow
- Authorize:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
- Token:
https://login.microsoftonline.com/consumers/oauth2/v2.0/token
- Consumer tenant id:
9188040d-6c67-4c5b-b112-36a304b66dad
- Client id (SNDS portal):
a53a6cc1-a1cd-46f7-a4aa-281cdabec33c
- Scope:
a53a6cc1-a1cd-46f7-a4aa-281cdabec33c/.default
Work: implement token acquisition + refresh against the consumer endpoint (a refresh token will need to be obtained once interactively and stored), then repoint the checker. Removes the 30-day re-keying treadmill and the silent-blindness failure mode.
Acceptance criteria
Context
Microsoft migrated Outlook.com's Smart Network Data Service (SNDS) off the legacy
sendersupport.olc.protection.outlook.com/snds/URLs in June 2026 (old URLs deprecated 2026-06-22). Theno_sdns_issueschecker was hitting a dead URL that returned an HTML portal page, which the old "any non-empty body == problem" logic misread as an IP-reputation failure (false-positive LOW alert in#alerts-checkers-deliverability).Immediate fix shipped: repointed the checker to the new key-based endpoint
https://substrate.office.com/ip-domain-management-snds/SNDS/IpStatusKey?Key=...and rewrote the logic to interpret HTTP 404 = clean, 200 +application/octet-stream= flagged IPs, anything else = checker misconfigured. Seeapp/mailgun_events/checkers/no_sdns_issues.py.The remaining problem
The new automated-access keys expire 30 days after creation, and an expired key returns HTTP 404 — which is indistinguishable from a clean result. So roughly 30 days after each key is minted, the checker will:
This is worse than the original false positive: instead of crying wolf, it stops watching entirely. Re-keying requires a manual Microsoft login + the buggy "disable/re-enable auto access" dance (which itself currently errors with "There was a problem saving your changes" and needs an Edit-Profile-save workaround), then a code deploy to swap the hardcoded key.
Proposed fix
Migrate to the OAuth 2.0 REST API Microsoft now exposes, which has no expiring key:
GET https://substrate.office.com/ip-domain-management-snds/api/report/status/ipGET https://substrate.office.com/ip-domain-management-snds/api/report/data/{date?}/{ip?}https://login.microsoftonline.com/consumers/oauth2/v2.0/authorizehttps://login.microsoftonline.com/consumers/oauth2/v2.0/token9188040d-6c67-4c5b-b112-36a304b66dada53a6cc1-a1cd-46f7-a4aa-281cdabec33ca53a6cc1-a1cd-46f7-a4aa-281cdabec33c/.defaultWork: implement token acquisition + refresh against the consumer endpoint (a refresh token will need to be obtained once interactively and stored), then repoint the checker. Removes the 30-day re-keying treadmill and the silent-blindness failure mode.
Acceptance criteria
/api/report/status/ip