
Email Spoofing: Best Practices for Prevention in your Office 365 Environment

The more malicious varieties of email spoofing can cause serious problems and pose security risks; minimize email spoofing in your Office 365 tenant with these features

Office 365 offers several services that help combat email spoofing and phishing in your tenant. I will be highlighting three of them below. It is highly recommended to set up all three to cut down on unwanted email and to keep legitimate mail from your domain from being flagged as spam, both internally and at external recipients.

Sender Policy Framework (SPF)

An SPF record is a TXT record that is manually added to your domain's DNS zone. It identifies which mail servers are allowed to send on behalf of your domain. When someone receives an email from you, their mail server looks up that DNS entry to confirm the sending server is authorized. Without this validation, the recipient's settings may outright flag the message as untrusted.

So how do you add an SPF record for your custom domain?

An administrator logged into your DNS provider will need to add a new TXT record. The record can be written multiple ways, but the most common scenario is that you are fully hosted in Office 365. If that is the case, you will want to add the following:

v=spf1 include:spf.protection.outlook.com -all

If you are set up in a hybrid scenario, the record will require more information. For example, you will need the IP addresses of all on-premises message servers, as well as any third-party domains that need to be included. Microsoft provides a handy chart that lists the additional syntax you will need for your record.
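As an added example (not code from the original article), the following Python checks an SPF record offline for the mistakes most often made when extending the fully-hosted record above to a hybrid scenario: it counts the mechanisms that cost a DNS lookup against the limit of 10, rejects `+all`, flags terms after `all` that will never be evaluated, validates the IP ranges, and warns when the string exceeds 255 bytes. It does not resolve the `include:` targets, so it is a syntax and policy check rather than a full SPF evaluation. The `_spf.example-relay.invalid` include in the usage line is a constructed placeholder for a third-party sender.

```python
# Added example: offline sanity checker for an SPF TXT record.
# Covers the fully-hosted Office 365 record and the hybrid case where
# on-premises IP ranges and third-party includes are appended.
import ipaddress
from typing import Dict, List, Optional

# Mechanisms/modifiers that each cost a DNS lookup under RFC 7208's limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> List[Dict[str, Optional[str]]]:
    """Split an SPF record into terms of (qualifier, name, value)."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for raw in parts[1:]:
        qualifier = "+"  # the default qualifier is pass
        if raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        # Modifiers use '=', mechanisms use ':' (or nothing, e.g. 'all', 'mx').
        if "=" in raw:
            name, value = raw.split("=", 1)
        elif ":" in raw:
            name, value = raw.split(":", 1)
        else:
            name, value = raw, None
        terms.append({"qualifier": qualifier, "name": name.lower(), "value": value})
    return terms


def check_spf(record: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was spotted."""
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []

    lookups = sum(1 for t in terms if t["name"] in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10")

    all_terms = [t for t in terms if t["name"] == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unmatched senders get a neutral result")
    elif all_terms[0]["qualifier"] == "+":
        findings.append("'+all' authorizes every host on the internet to send as your domain")
    elif terms[-1]["name"] != "all":
        findings.append("terms after 'all' are never evaluated")

    for t in terms:
        if t["name"] in ("ip4", "ip6"):
            if t["value"] is None:
                findings.append(f"{t['name']} mechanism has no address")
                continue
            try:
                ipaddress.ip_network(t["value"], strict=False)
            except ValueError:
                findings.append(f"invalid address in {t['name']}:{t['value']}")

    if len(record.encode()) > 255:
        findings.append("record longer than 255 bytes must be split into multiple strings")
    return findings


if __name__ == "__main__":
    hosted = "v=spf1 include:spf.protection.outlook.com -all"
    # Constructed hybrid record: an on-premises range plus a placeholder relay.
    hybrid = ("v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com "
              "include:_spf.example-relay.invalid -all")
    for rec in (hosted, hybrid, "v=spf1 include:spf.protection.outlook.com +all"):
        print(rec, "->", check_spf(rec) or "OK")
```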


DomainKeys Identified Mail (DKIM)

In conjunction with setting up your SPF record, you should also be using DKIM. This is another service that helps prevent spoofers from sending emails that appear to come from your domain. The main idea behind DKIM is that your outgoing email headers are signed with a private key, and the matching public key is published in your DNS record. When the recipient receives your email, it looks up that DNS record and uses the key to verify the signature. If the signature verifies, the email legitimately came from your domain and is marked safe.

So how do I set up DKIM?

DKIM will already be set up for your original Office 365 domain (.onmicrosoft.com), but any custom domains will need to be added manually to your DNS record and then enabled in the Exchange Admin Center. You will need to create two CNAME records for each custom domain.

Here is the format for the CNAME records:

Host Name: selector1._domainkey.<domain>
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Host Name: selector2._domainkey.<domain>
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

The domainGUID will need to be the same as the domainGUID in your MX record for that custom domain. It will appear before mail.protection.outlook.com.

 

Example: You have an initial domain of contoso.onmicrosoft.com, and a custom domain of contosotech.com.

 

Host Name: selector1._domainkey.contosotech.com
Points to address or value: selector1-contosotech-com._domainkey.contoso.onmicrosoft.com
TTL: 3600

Host Name: selector2._domainkey.contosotech.com
Points to address or value: selector2-contosotech-com._domainkey.contoso.onmicrosoft.com
TTL: 3600
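The two CNAME records follow directly from the custom domain, the initial domain and the domainGUID, and the text above says the domainGUID is the label in front of mail.protection.outlook.com in the domain's MX record. As an added example (not code from the original article), the Python below derives the GUID from the MX host, generates both CNAME records, and verifies an existing record against them, which catches copy-and-paste mistakes such as a stray space inside the host name. The MX host `contosotech-com.mail.protection.outlook.com` is constructed from the article's contosotech.com example.

```python
# Added example: generate and verify Office 365 DKIM CNAME records.
from typing import Dict, List

MX_SUFFIX = ".mail.protection.outlook.com"


def domain_guid_from_mx(mx_host: str) -> str:
    """Return the domainGUID, i.e. the label before mail.protection.outlook.com."""
    host = mx_host.strip().rstrip(".").lower()
    if not host.endswith(MX_SUFFIX):
        raise ValueError(f"{mx_host!r} is not an Office 365 MX host")
    guid = host[: -len(MX_SUFFIX)]
    if not guid or "." in guid:
        raise ValueError(f"unexpected domainGUID {guid!r}")
    return guid


def dkim_cnames(custom_domain: str, initial_domain: str, mx_host: str,
                ttl: int = 3600) -> List[Dict[str, object]]:
    """Build the selector1/selector2 CNAME records for a custom domain."""
    guid = domain_guid_from_mx(mx_host)
    records = []
    for selector in ("selector1", "selector2"):
        records.append({
            "host": f"{selector}._domainkey.{custom_domain}",
            "type": "CNAME",
            "value": f"{selector}-{guid}._domainkey.{initial_domain}",
            "ttl": ttl,
        })
    return records


def check_dkim_cname(host: str, value: str, custom_domain: str,
                     initial_domain: str, mx_host: str) -> bool:
    """True if an existing CNAME matches what the MX host implies.

    DNS names are case-insensitive and may carry a trailing dot, so those are
    normalised; anything else (e.g. an embedded space) is a real mismatch.
    """
    expected = {(r["host"], r["value"])
                for r in dkim_cnames(custom_domain, initial_domain, mx_host)}
    return (host.lower().rstrip("."), value.lower().rstrip(".")) in expected


if __name__ == "__main__":
    mx = "contosotech-com.mail.protection.outlook.com"  # constructed MX host
    for r in dkim_cnames("contosotech.com", "contoso.onmicrosoft.com", mx):
        print(f"{r['host']} {r['ttl']} IN {r['type']} {r['value']}")
    # A host name with a stray space, as can happen when copying from a document:
    print(check_dkim_cname("selector2._domainkey. contosotech.com",
                           "selector2-contosotech-com._domainkey.contoso.onmicrosoft.com",
                           "contosotech.com", "contoso.onmicrosoft.com", mx))
```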

Once the CNAME records have been added for each custom domain, you will need to log in to your Office 365 admin portal.

  • On the left-hand pane, click Admin Centers and then Exchange.
  • On the left-hand pane, click Protection, then on the tab at the top, click DKIM.
  • Select the domain and click Enable.

 

PowerShell command (alternate method, run from Exchange Online PowerShell):
New-DkimSigningConfig -DomainName us.csgazure.com -Enabled $true

Domain-based Message Authentication, Reporting and Conformance (DMARC)

The final piece of the puzzle is DMARC, which also authenticates the sender and helps ensure that messages from your domain are trusted at their destination. The main purpose of DMARC, though, is to set a policy that tells the receiving server what to do with mail that fails SPF or DKIM authentication.

How do I set up DMARC?

DMARC is handled automatically by Office 365 for inbound mail, so no additional configuration is needed on that end. For outbound mail, you will need to create the following TXT record in your DNS:

_dmarc.domain TTL IN TXT "v=DMARC1; pct=100; p=policy"

domain = your custom domain name (e.g. contoso.com)

TTL = should equal one hour (3600 seconds)

pct = if set to 100, the rule is applied to 100% of email

policy = the action taken if DMARC fails; this can be set to none, quarantine, or reject

Example: _dmarc.contoso.com 3600 IN TXT "v=DMARC1; pct=100; p=quarantine"

Once set, it is best practice to monitor the impact the policy has on mail flow. You can adjust the TXT record as necessary to accommodate your needs.
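As an added example (not code from the original article), the Python below builds the DMARC TXT record in the exact form shown above and validates a record read back from DNS: the version tag must come first, `p=` must be one of none, quarantine or reject, `pct=` must be an integer between 0 and 100, and unknown tags are reported. It goes one step beyond the article by optionally adding the standard `rua=` tag, which is where aggregate failure reports are delivered and is the usual way to monitor the policy's impact before tightening it; that tag and the `dmarc@contoso.com` mailbox are assumptions of this example, not settings from the article.

```python
# Added example: build and validate a DMARC TXT record.
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")
# Tag names defined by the DMARC specification (RFC 7489).
KNOWN_TAGS = {"v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"}


def build_dmarc_record(domain: str, policy: str, pct: int = 100,
                       rua: Optional[str] = None, ttl: int = 3600) -> str:
    """Return the full DNS line, e.g. _dmarc.contoso.com 3600 IN TXT "v=DMARC1; ..."."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"policy must be one of {VALID_POLICIES}, got {policy!r}")
    if not 0 <= pct <= 100:
        raise ValueError(f"pct must be between 0 and 100, got {pct}")
    tags = ["v=DMARC1", f"pct={pct}", f"p={policy}"]  # same order as the article
    if rua:  # assumption: aggregate reports sent to this mailbox
        tags.append(f"rua=mailto:{rua}")
    return f'_dmarc.{domain} {ttl} IN TXT "{"; ".join(tags)}"'


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse the quoted TXT value into a tag dictionary (keys lower-cased)."""
    tags: Dict[str, str] = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> List[str]:
    """Return findings for a TXT value; an empty list means it looks correct."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    first = txt.strip().strip('"').split(";")[0].strip().lower()
    if first != "v=dmarc1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy.lower() not in VALID_POLICIES:
        findings.append(f"unknown policy {policy!r}")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        findings.append(f"unknown subdomain policy {tags['sp']!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct must be an integer between 0 and 100, got {pct!r}")
    for key in tags:
        if key not in KNOWN_TAGS:
            findings.append(f"unknown tag {key!r}")
    if policy is not None and policy.lower() == "none" and "rua" not in tags:
        findings.append("p=none with no rua= address: failures are neither blocked nor reported")
    return findings


if __name__ == "__main__":
    line = build_dmarc_record("contoso.com", "quarantine", rua="dmarc@contoso.com")
    print(line)
    value = line.split(" IN TXT ", 1)[1]
    print(parse_dmarc(value), check_dmarc(value) or "OK")
    print(check_dmarc("v=DMARC1; p=rejct"))
```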

For more information regarding SPF, DKIM, and DMARC please read the following Microsoft articles:

https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx

https://technet.microsoft.com/en-us/library/mt734386(v=exchg.150).aspx

From Rob Vogl, Sr. Operations Specialist
