Magic links don’t work when Outlook “safe links” are enabled

Description

Outlook will rewrite email links to direct them towards https://*.safelinks.protection.outlook.com/ with the original URL encoded as a query parameter, when a feature named “safe links” is enabled. In our testing, this appears to break magic links.

Steps to reproduce

Steps to reproduce the behavior:

  1. Create an email account on outlook.com
  2. Register a user with the @outlook.com (or @hotmail.com) email address
  3. Ask for a magic link to be delivered to the outlook email address
  4. Click the link

Additional context

The “safe-links” feature can be turned off (see the last screenshot). If we do, then the magic links work as expected.

We have two hypotheses as to what might be causing this:
a) The passwordless code is somehow distorted as it is URL path encoded and decoded by the safe-links mechanism.
b) The safe-links mechanism makes a GET request to the magic link, thus using the code and making it invalid for future requests.

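The two hypotheses in the post above can be modelled offline. This is an added example, not code from the original post or from the project: it round-trips a magic link through a constructed link-rewriting wrapper (hypothesis a) and then compares a handler that consumes the one-time code on GET with one that only consumes it on a POST from a confirmation page (hypothesis b). The hosts, the `url` and `code` parameter names, and the `MagicLinks` class are assumptions made for the illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for a link-rewriting gateway; the host and the "url"
# parameter name are assumptions, not Outlook's documented format.
def rewrite(link):
    return "https://scanner.example/?" + urlencode({"url": link})

def unwrap(rewritten):
    return parse_qs(urlparse(rewritten).query)["url"][0]

class MagicLinks:
    """Hypothetical one-time-code store with a GET and a POST handler."""

    def __init__(self, consume_on_get):
        self.consume_on_get = consume_on_get
        self.codes = {}  # code -> email; an entry is removed once consumed

    def issue(self, email):
        code = secrets.token_urlsafe(32)
        self.codes[code] = email
        return "https://app.example/auth/verify?" + urlencode({"code": code})

    def _code(self, link):
        return parse_qs(urlparse(link).query).get("code", [""])[0]

    def get(self, link):
        # GET is what both a scanner prefetch and a user click send.
        code = self._code(link)
        if self.consume_on_get:
            return "session" if self.codes.pop(code, None) else "invalid"
        return "confirm-page" if code in self.codes else "invalid"

    def post(self, link):
        # POST is only sent by the button on the confirmation page.
        return "session" if self.codes.pop(self._code(link), None) else "invalid"

def simulate(consume_on_get):
    app = MagicLinks(consume_on_get)
    link = app.issue("user@example.com")   # constructed sample address
    target = unwrap(rewrite(link))         # hypothesis (a): encode/decode round trip
    scanner = app.get(target)              # hypothesis (b): scanner fetches first
    click = app.get(target)                # the user's click arrives second
    final = app.post(target) if click == "confirm-page" else click
    return target == link, scanner, final

if __name__ == "__main__":
    print("consume on GET :", simulate(True))
    print("consume on POST:", simulate(False))
```

In this model a correctly percent-encoded link survives the wrapper unchanged, while the consume-on-GET handler leaves the user with an invalid code after the prefetch; the two-step handler still signs the user in.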