Office 365 – SPF, DKIM and DMARC in Exchange Online

Office 365 – SPF, DKIM and DMARC in Exchange Online

The fight against email spam is an on-going battle for mail administrators and while cluttering up a mailbox with junk mail is undesirable, phishing campaigns can be a serious security issue. Ensuring that your company is protected against these threats can be a daunting task and with multiple policies to manage, this can become a time-consuming process. Office 365 helps to simplify these tasks and by using a combination of protocols, such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and DMARC, has been helping customers fend off these threats for over a decade. Spam foiling features in Office 365 provide protection against spam email messages. Microsoft uses an anti-spam technique called the Sender Policy Framework (SPF). To help ensure that emails your organization sends are not marked as spam, you need to configure the SPF record in the domain's DNS zone. For you, this means that Office 365 has more choices than any other email services to effectively protect against email-based threats.


The most effective of these is the new SPF protection, which allows you to reject mail from any offending IP address. On top of this, we have now brought protection from spoofed incoming email addresses with Domain Keys Identified Mail (DKIM) and domain-like security mechanisms to harden your outbound mail as well as the ability to monitor incoming mail for suspicious activity as well as identify it as such with Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), Protecting an organization's communication reputation is very important. Thus, organizations require a comprehensive and well-architected solution to manage the reputation of their communications. Today, some of these email authentication technologies are used more commonly than others.


SPF (Sender Policy Framework) is typically used by individuals and small enterprises while DKIM (Domain Keys Identified Mail) is commonly found in medium to large enterprises. Organizations usually implement both technologies. The Office 365 service has supported SPF and DKIM for a number of years but only recently added support for the DMARC, or Domain-based Message Authentication, Reporting and Conformance standard using Exchange Online Protection. This blog will highlight each technology and describe how you can implement them in your organization.


You’ve likely heard of SPF but what about DKIM and DMARC? Should you be implementing these?


Part 1 of this series will summarize these technologies and discuss how each builds on one another. Part 2 will get into the actual configuration in Exchange Online and some of the things you’ll want to watch for.


In the article below, I’ll provide an overview of what the three technologies are, how they provide different types of protection and how they can work together.


SPF (Sender Policy Framework)


SPF (Sender Policy Framework) is an open-source framework for implementing Sender Policy Framework (SPF) DNS records, essentially creating a whitelist of authorized senders. SPF can be used to prevent sender address forgery, combat email spam and protect against phishing attacks. There are several mechanisms in which you could implement SPF. Implementing SPF on your domain is a great way to prevent spoofing of a user’s email address.


Any reputable mail transfer agent (MTA) will check for a valid SPF record when receiving an email so if the sending IP does not match what’s defined in the SPF record, the message will be rejected. Microsoft has provided the information for our SPF record. But you may need to make some changes if you are using third-party software to send mail on your behalf. There are some important limitations on the number of DNS queries you can have in your SPF record, so you should always validate your record with one of the link validation tools before publishing it to production.


What Does It Protect?


SPF looks as the “Mail From” field within an email and compares the sending IP address to the published TXT record for that domain. Important to understand here is that the “Mail From” field can contain a different value than the “From” or “Reply To” fields. This is how some phishing emails can enter your organization as they will have a valid SPF published for the “Mail From” and then present the user with a different email in the “From” field.


DKIM (DomainKeys Identified Mail)


DKIM uses a public/private key to sign messages as opposed to the published TXT record. One advantage of DKIM over SPF is there is no limit to the number of partners you can authorize to send on your behalf (assuming they support DKIM).If you are using external senders in your e-mail then you will probably need to publish SPF records for each domain that is sending on your behalf. A new protocol called DKIM was developed to allow signing of messages in a way that is compatible with existing SPF implementations.

It achieves the same goals of the original SPF in terms of preventing message forgery, but does it using a private/public key system rather than DNS TXT entries. DKIM is a technology to help with authorization and authentication of email recipients. DKIM offers an alternative way to handle situations where you want someone other than your domain name to handle incoming mail and so you cannot use SPF.


DKIM works by adding a cryptographic signature to each outbound message. The message is signed with a private key published in the DNS along with a public key. A receiving system then performs the same operation on the incoming message as the sender's system used to create the outgoing message and if it matches, then the message is assumed to be trustworthy and not spam.


What Does It Protect?


When users read your email, they expect to see the “From” address you use in your email correspondence. The DomainKeys Identified Mail (DKIM) protocol is a cryptographic authentication system for emails. DKIM adds a digital signature to the header of an email message. The intended recipient can verify the authenticity of an email by retrieving the original sender’s public key from a trusted third-party. Validating this digital signature ensures that your phishing message will not be delivered to the intended recipient’s inbox.


What is DMARC?


The Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol helps email receivers protect against phishing and other email-based attacks by relying on DKIM to verify that incoming mail is authentic. It allows senders to take actions on messages they receive, such as rejecting them as spam or rejecting them outright. DMARC can also provide aggregate statistics about the health of an organization's email ecosystem. DMARC (Domain-based Message Authentication, Reporting & Conformance) helps you protect your email by preventing spoofing of your domain in the “Mail From” field.


It provides a standard reporting format for senders and receivers of email to exchange DMARC information. When properly configured, it gives you a way to tell recipient mail servers what to do with messages that fail this alignment check. It is an email authentication method that strengthens your existing SPF and DKIM policies. DMARC uses a Domain Name System (DNS) record to tell receiving email servers about your email authentication preferences.


Source :-https://atozcybersecurity.blogspot.com/2021/09/office-365-spf-dkim-and-dmarc-in.html


Published by Ariya Rathi

Comments

Reply heres...

Login / Sign up for adding comments.