The fight against email spam is an ongoing battle for mail administrators, and while cluttering up a mailbox with junk mail is undesirable, phishing campaigns can be a serious security issue. Those with malicious intent are highly motivated and their practices have evolved over the years; fortunately, the technologies available to protect against such attempts have improved as well.
There are several technologies that can help your organization validate that an email has been sent from an authorized source. Office 365 expanded its support for some of these technologies earlier this year; however, these features seem to get very little discussion.
You’ve likely heard of SPF, but what about DKIM and DMARC? Should you be implementing these?
Part 1 of this series provided a summary of these technologies and discussed how each builds on one another.
In Part 2 below, I’ll get into the actual configuration in Exchange Online and some of the things you’ll want to watch for.
The SPF record is created as a DNS “TXT” record at the root of your DNS zone. If you’re using Exchange Online, Microsoft provides a starting value for your SPF record, but it will likely need to be customized.
The default value listed in your tenant will be:
v=spf1 include:spf.protection.outlook.com -all
This value will work if you’re only sending messages out of Exchange Online and have no on-premises infrastructure relaying messages. If you have other systems sending mail, you’ll want to make sure that you include these sources in your SPF record.
Common issues I see with SPF records are organizations that publish more than one SPF TXT record, include too many (more than 10) DNS queries within their SPF record, or simply use improper syntax. A number of sites, including MxToolbox, can validate your SPF record.
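To make those three failure modes concrete, here is a small offline linter, added as an illustration and not part of Microsoft's tooling or the original article. The function name `lint_spf` and the sample TXT values are constructed for this example, and it counts lookup-triggering terms only in the top-level record; lookups inside included records also count toward the limit but require live DNS resolution to tally.

```python
import re

# Terms that each trigger a DNS lookup when the record is evaluated (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_VALUE = {"include", "exists", "ip4", "ip6"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:([:=/])(.*))?$", re.IGNORECASE)


def lint_spf(txt_records):
    """Return a list of problems in the TXT records published at a zone root."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records found, only one is allowed"]

    issues, lookups = [], 0
    for term in spf[0].split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            issues.append(f"unrecognized term: {term}")
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "=":
            pass  # modifier (redirect=, exp=, or an unknown one receivers ignore)
        elif name not in MECHANISMS:
            issues.append(f"unknown mechanism: {term}")
            continue
        elif name in NEEDS_VALUE and (sep != ":" or not value):
            issues.append(f"{name} needs a value: {term}")
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms, limit is 10")
    return issues


# Constructed sample zones; the addresses and example.com names are placeholders.
GOOD = ["MS=ms12345678", "v=spf1 include:spf.protection.outlook.com -all"]
TWO = GOOD + ["v=spf1 ip4:192.0.2.10 -all"]
BROKEN = ["v=spf1 ip4: 192.0.2.10 include:spf.protection.outlook.com -all"]
HEAVY = ["v=spf1 " + " ".join(f"include:_spf{i}.example.com" for i in range(11)) + " -all"]

if __name__ == "__main__":
    for zone in (GOOD, TWO, BROKEN, HEAVY):
        print(lint_spf(zone) or "OK")
```

Note that the stray space in the `BROKEN` sample splits one mechanism into two invalid terms, which is why a single typo produces two findings.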
Configuring DKIM signing in Exchange Online is relatively simple. You essentially need to create two DNS records and run three PowerShell commands for each of your SMTP domains.
First, we need to determine the appropriate values for the DNS records. In the tenant, run the following command for each of your SMTP domains:
New-DkimSigningConfig -DomainName company.com -Enabled $False