A little app that takes the mangled URLs generated by Microsoft 365’s Safelinks link checking service and decodes them to recover the original target.
Just pop the Safelinks redirect URL in this widget and press enter or click the button. Then copy the retrieved URL and use it wherever you need it.
Before you use this
- Do you trust this domain?
- Think very carefully about where your email came from and whether or not you trust the sender
- Check for common signals like typo squatting
What data do we store?
None. Any URL you paste here is dealt with entirely in your browser. No data is sent to our server, or to analytics.
We don’t know what you do when you’re here. You can view the javascript that does this by viewing the source of this page.
Why create this?
We use Microsoft 365, so links in all the emails we receive are passed through a link-checking service called Safelinks to check that the endpoint is not malicious. Which is great, but …
In the process, link URLs are transformed into something like this:
http://safelinks.protection.outlook.com/?url=https%3A%2F%2Fdesign.scotentblog.co.uk%2Fsafelinks-original-url-decoder&data=05%7C01%7Cxxxxx.xxxxxx%40scotent.co.uk%7C014af0a3586b4b6935e608da39ca8a1c%7C50374495fdde4d04bc5c574982680e19%7C0%7C0%7C637885839322117164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=oQY%2BD%2FHdElO%2BsWIKPxSh%2FCZhqVnOlqnemz9ocQlkDGY%3D&reserved=0
Content authors are often under great time pressure to publish, and will simply copy links from an email to publish on the web. This can be problematic, because:
- Safelinks redirects may not work for everyone
- The URLs are too long for some older browsers to handle
- They are not human-readable, so hide the ultimate destination
- They mess with analytics data
- They are served over http, not https, so
- potentially vulnerable to interception
- could harm search ranking if we have too many links to insecure resources
- If you look closely, there’s an email address in there (I’ve changed it to xxxxx.xxxxxx@ in the example) which is going to be available for anyone on the web to harvest
So, on the web, it’s best to decode Safelinks URLs and use the original target for your hrefs instead.
I'm a service designer in Scottish Enterprise's unsurprisingly-named service design team. I've been a content designer, editor, UX designer and giant haystacks developer on the web for (gulp) over 25 years.
Terence Eden has published a blog post outlining another potential problem with using these redirects: if Microsoft ever closes the service, or changes (for example) the subdomains used, millions of links on the web will be instantly broken.
https://shkspr.mobi/blog/2024/02/safelinks-are-a-fragile-foundation-for-publishing/