Email security has been a ‘thing’ now for quite a while.  Try sending email from unsecured domains and you’ll get a lot of rejection letters.

If you have Office 365 and you’re actively using Exchange online then with just a few steps you can secure your mail properly.

Set up SPF

SPF is Sender Policy Framework and it basically tells the Internet where email from your domain is legitimately sent from.  When a receiving MTA does a check, it sees the IP your email originated from and compares that to the SPF record in your DNS zone.  If the IP, FQDN or MX doesn’t match, your mail could be blocked.

Setting up SPF is simple and Microsoft gives you what you need right in the tenant.

  • Log in to your Tenant as a Global Administrator
  • Open Settings – Domains
  • Select your primary domain (the one you mail from)
  • Click on DNS
  • Copy/paste the TXT record for SPF to Notepad

Note – if you have an email sender on your domain that is not sending through Office 365, you need to update the record to reflect that source.

Typical SPF record:   “v=spf1 include:spf.protection.outlook.com -all”

Here’s an SPF record where you’ve added another source location for email:  “v=spf1 ip4:208.191.17.213 include:spf.protection.outlook.com -all”, where 208.191.17.213 is the public IP of your office where you have a photocopier that sends email.
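To see how a receiving MTA applies the record above, here is an added example (not from the original post) of a minimal SPF evaluator that handles the ip4/ip6, include and all mechanisms with their qualifiers. The DNS answers are a constructed lookup table, and the spf.protection.outlook.com entry in it is a stand-in, not Microsoft’s real ranges.

```python
import ipaddress

# Constructed DNS answers for the example (no real lookups are made). The
# spf.protection.outlook.com entry is a stand-in, not Microsoft's real ranges.
FAKE_DNS_TXT = {
    "gotmilk.ca": "v=spf1 ip4:208.191.17.213 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip`.

    Handles the ip4/ip6, include and all mechanisms with their qualifiers,
    which is all this post's records use (a, mx, exists and macros are not
    implemented). Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:                      # RFC 7208 limit on nested lookups
        return "permerror"
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                   # no SPF published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the version tag
        qualifier = "+"                 # mechanisms default to '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only when the referenced record passes; its
            # own '-all' does not fail the caller.
            matched = check_spf(sender_ip, term[8:], dns, depth + 1) == "pass"
        else:
            return "permerror"          # unsupported mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # fell off the end with no match

if __name__ == "__main__":
    for ip in ("208.191.17.213", "198.51.100.7", "203.0.113.9"):
        print(ip, check_spf(ip, "gotmilk.ca"))
```

The photocopier IP passes on the ip4 term, a sender inside the included record passes through include, and anything else hits -all and hard-fails.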

Set up DKIM

DKIM is a bit harder to understand.  DomainKeys Identified Mail is a domain-level digital signature framework: the sending MTA signs each outbound message, and the receiving MTA validates that signature against a key published in the sending domain’s DNS to confirm the mail is authentic.  Primarily this is to prevent spoofing, where an outside source sends mail through an MTA (Message Transfer Agent) designed to look like it came from your domain.  DKIM adds a signature header to every outbound email, and the recipient MTA checks that header against the DNS records for your domain to validate the source.

In this way the receiving MTA validates against both SPF and DKIM to verify the authenticity of the source of the email.  By the way, both are required to set up DMARC, which we’ll get to in a bit.

Setting up DKIM is actually fairly simple.

Let’s say the domain registered in your MS Tenant is gotmilk.ca.

Crack open your PowerShell and connect to Exchange Online:

connect-exchangeonline

Run a simple command to pull the DKIM records you’ll need:

get-dkimsigningconfig -identity gotmilk.ca | select domain,selector*CNAME

You’ll get a result that looks like this:

Domain     Selector1CNAME                                          Selector2CNAME
------     --------------                                          --------------
gotmilk.ca selector1-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com selector2-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com

Copy/paste the results to the Notepad document where you put your SPF record.

Update DNS

Now it’s time to update your DNS Zone records.  We’ll continue to use gotmilk.ca for our examples. Go to your DNS server and create the following records:

@ (domain root) TXT  “v=spf1 include:spf.protection.outlook.com -all”

selector1._domainkey.gotmilk.ca CNAME selector1-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com

selector2._domainkey.gotmilk.ca CNAME selector2-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com

While you’re there, create the DMARC record:

_dmarc.gotmilk.ca TXT “v=DMARC1; pct=100; p=quarantine”

Office 365

Time to complete the setup in Office 365. 

  • Log in to your Exchange Admin Center and go to protection –> DKIM
  • Highlight the domain gotmilk.ca and click on Enable in the action pane on the right
    • If the two CNAME records you created above have propagated, DKIM should enable successfully on the domain
    • Click on Rotate
  • Open the Spam Filter and double click on the Default policy
  • Open Advanced Options
  • Enable two options:
    • SPF record: hard fail
    • Conditional Sender ID filtering: hard fail

That’s it! SPF, DKIM, and DMARC are now enabled and protecting your domain from general maliciousness.

These records carry a number of additional options in the form of tags; the tables below cover the DKIM public-key record (the ‘v=DKIM1’ record behind each selector):

Declared tags

| Tag | Value | Description |
|-----|-------|-------------|
| v | DKIM1 | DKIM protocol version. |
| p | MIGfMA0GCSqGSIb3DQEBAQUAA… | Your base64-encoded public key. |
| k | rsa | The ‘k=’ tag provides a list of mechanisms that can be used to decode a DKIM signature (‘rsa’ is used most often). |

Defaulted tags

| Tag | Value | Description |
|-----|-------|-------------|
| g | * | Some organizations assign specific business functions to discrete groups, inside or outside the organization. This key authorizes that group to sign some mail but constrains what signatures they can generate; DKIM granularity (the ‘g=’ tag) facilitates this kind of restricted authorization. |
| h | | The ‘h=’ tag provides a list of mechanisms that can be used to produce a digest of message data (‘sha1’ or ‘sha256’ can be used). |
| n | | Notes that might be of interest to a human. |
| s | * | The ‘s=’ tag provides a list of service types to which this selector may apply (‘*’ and ‘email’ are used most often). |
| t | | The ‘t=’ tag provides a list of flags that modify interpretation of the selector; these flags are optional (‘y’ and ‘s’ are often used). |
| q | | The ‘q=’ tag provides a list of query methods (‘dns’ is used most often). |
| l | 0 | Body length limits (in the form of the ‘l=’ tag) are subject to several potential attacks. |
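To sanity-check the DMARC record from the Update DNS section and a DKIM key record against the tag defaults in the tables above before you click Enable, here is an added example (not from the original post) that parses both record types from pasted text and reports problems. It does no DNS lookups, the key value used in its checks is a constructed string rather than a real key, and the rua= warning covers a tag the post’s DMARC record does not set.

```python
import base64

# Defaults a verifier assumes when a record omits a tag (RFC 6376 for DKIM
# keys, RFC 7489 for DMARC); these match the "Defaulted tags" table above.
DKIM_KEY_DEFAULTS = {"v": "DKIM1", "k": "rsa", "s": "*", "q": "dns"}
DMARC_DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}

def parse_tags(record):
    """Split 'tag=value; tag=value' text into a dict, preserving order."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                    # a trailing ';' is legal
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags

def check_dmarc(record):
    """Return (problems, effective tags) for a _dmarc TXT record."""
    tags, problems = parse_tags(record), []
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct= must be a whole number from 0 to 100")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will arrive")
    return problems, {**DMARC_DEFAULTS, **tags}

def check_dkim_key(record):
    """Return (problems, effective tags) for a selector._domainkey TXT record."""
    tags, problems = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if "p" not in tags:
        problems.append("p= (public key) is required")
    elif tags["p"] == "":
        problems.append("empty p= means the key has been revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:              # binascii.Error is a ValueError
            problems.append("p= is not valid base64")
    return problems, {**DKIM_KEY_DEFAULTS, **tags}
```

The post’s own record, “v=DMARC1; pct=100; p=quarantine”, parses cleanly and only draws the rua= warning; a record with the tags in the wrong order or an empty p= in the key record is reported.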