Email Spoofing: Best Practices for Prevention in your Office 365 Environment
The more malicious varieties of email spoofing can cause serious problems and pose security risks; minimize email spoofing in your Office 365 tenant with these features
Office 365 offers several services that help combat email spoofing and phishing in your tenant. I will highlight three of them below. It is highly recommended to set up all three, both to cut down on unwanted email and to stop your own legitimate messages from being flagged as spam, internally and externally.
Sender Policy Framework (SPF)
An SPF record is a TXT record that is manually added to your domain's DNS zone. It lists the mail servers that are allowed to send email on behalf of your domain. When someone receives an email from you, their mail server looks up that DNS entry to confirm that the server the message came from is an authorized sender. Without this validation, the recipient's filtering may flag the message as suspicious or reject it outright.
So how do you add a SPF record for your custom domain?
Have an administrator log in to your DNS provider and add a new TXT record. The record can be written several ways, but the most common scenario is that your mail is fully hosted in Office 365. If that is the case, add the following value:
v=spf1 include:spf.protection.outlook.com -all
If you are set up in a hybrid scenario, the record needs more information. For example, you will need the IP addresses of all on-premises message servers, as well as any third-party domains that send on your behalf and must be included. Microsoft provides a handy chart that lists the additional syntax you will need for your record.
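The following Python script is an added example, not part of the original article or any Microsoft tooling. It assembles an SPF value from the pieces the article describes (on-premises addresses for hybrid deployments, third-party includes, the Office 365 include, and the final `all` term) and then reviews a record the way a receiver would: it checks that the record starts with `v=spf1`, counts the terms that cost a DNS lookup against the limit of 10 that RFC 7208 imposes, and flags a permissive `+all` or neutral `?all` ending. Domain names and addresses in the usage lines are constructed placeholders.

```python
import ipaddress

# Terms that cost a DNS lookup when a receiver evaluates the record; RFC 7208
# caps them at 10 per check, after which the result is "permerror".
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"


def build_spf(on_prem_ips=(), includes=("spf.protection.outlook.com",), fail="-"):
    """Assemble the SPF TXT value for a domain whose mail flows through Office 365.

    on_prem_ips: addresses or CIDR blocks of on-premises servers (hybrid setups);
    includes: domains whose SPF records should be pulled in (Office 365 plus any
    third-party senders); fail: qualifier for the final 'all' term."""
    parts = ["v=spf1"]
    for ip in on_prem_ips:
        net = ipaddress.ip_network(ip, strict=False)  # rejects malformed input
        text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        parts.append(f"ip{net.version}:{text}")
    parts.extend(f"include:{inc}" for inc in includes)
    parts.append(f"{fail}all")
    return " ".join(parts)


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms and count DNS lookups."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms, lookups = [], 0
    for tok in tokens[1:]:
        if "=" in tok and ":" not in tok:
            # modifier such as redirect=... or exp=...; modifiers take no qualifier
            name, value = tok.split("=", 1)
            qual = "+"
        else:
            qual = tok[0] if tok[0] in QUALIFIERS else "+"
            body = tok[1:] if tok[0] in QUALIFIERS else tok
            name, _, value = body.partition(":")
        name = name.lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        terms.append((qual, name, value))
    return terms, lookups


def check_spf(record):
    """Return the findings a reviewer would raise about a record (empty = looks fine)."""
    findings = []
    terms, lookups = parse_spf(record)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    qual, name, _ = terms[-1] if terms else ("+", "", "")
    if name != "all":
        findings.append("record does not end with an 'all' term")
    elif qual == "+":
        findings.append("'+all' authorizes every sender and defeats the purpose of SPF")
    elif qual == "?":
        findings.append("'?all' is neutral; use -all (or ~all while testing)")
    if ("+", "include", "spf.protection.outlook.com") not in terms:
        findings.append("spf.protection.outlook.com is not included; Office 365 mail will fail SPF")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real infrastructure.
    print(build_spf())
    print(build_spf(on_prem_ips=["203.0.113.25"], includes=["spf.protection.outlook.com", "_spf.example.net"]))
    for finding in check_spf("v=spf1 include:spf.protection.outlook.com +all"):
        print("finding:", finding)
```

`build_spf()` with no arguments yields exactly the fully hosted record shown above; pass `fail="~"` to publish a soft-fail record while you are still confirming that every legitimate sender is listed.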
DomainKeys Identified Mail (DKIM)
In conjunction with setting up your SPF record, you should also be using DKIM. This is another service that helps prevent spoofers from sending emails that appear to come from your domain. The main idea behind DKIM is that your outgoing messages are signed with a private key, and the matching public key is published in your DNS record. When the recipient receives your email, it looks up that DNS record and uses the public key to verify the signature. If the signature verifies, the email legitimately came from your domain and is treated as safe.
So how do I setup DKIM?
DKIM will actually already be set up for your original Office 365 domain (.onmicrosoft.com), but any custom domains will need to be added manually to your DNS record and then enabled in the Exchange Admin Center. For each custom domain, you will need to set up two CNAME records.
Here is the format for the CNAME records:
Host Name: selector1._domainkey.<domain>
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
Host Name: selector2._domainkey.<domain>
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
The domainGUID will need to be the same as the domainGUID in your MX record for that custom domain. It will appear before mail.protection.outlook.com.
Example: You have an initial domain of contoso.onmicrosoft.com, and a custom domain of contosotech.com.
Host Name: selector1._domainkey.contosotech.com
Points to address or value: selector1-contosotech-com._domainkey.contoso.onmicrosoft.com
Host Name: selector2._domainkey.contosotech.com
Points to address or value: selector2-contosotech-com._domainkey.contoso.onmicrosoft.com
Once the CNAME records have been added for each custom domain, you will need to log in to your Office 365 admin portal.
- On the left-hand pane, click Admin Centers and then Exchange.
- On the left-hand pane click Protection, then on the tab at the top, click DKIM.
- Select the domain and click Enable.
PowerShell command (alternate method):
New-DkimSigningConfig -DomainName us.csgazure.com -Enabled $true
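As an added example (not from the article and not a Microsoft tool), the script below generates the two CNAME records for a custom domain from its initial domain and its Office 365 MX target, following the rule above that the domainGUID is whatever appears before mail.protection.outlook.com in the MX record. It also compares what is actually published in DNS with the expected pair, which is the check to run when DKIM signing cannot be enabled for a domain. The domain names are the article's contoso example; the `published` dictionary is a constructed stand-in for a DNS lookup result.

```python
MX_SUFFIX = ".mail.protection.outlook.com"


def domain_guid_from_mx(mx_host):
    """Extract the domainGUID from an Office 365 MX target such as
    contosotech-com.mail.protection.outlook.com -> 'contosotech-com'."""
    host = mx_host.strip().rstrip(".").lower()
    if not host.endswith(MX_SUFFIX):
        raise ValueError(f"{mx_host!r} is not an Office 365 MX target")
    return host[: -len(MX_SUFFIX)]


def dkim_cnames(custom_domain, initial_domain, mx_host):
    """Return the two (host, target) CNAME records Office 365 DKIM needs for custom_domain."""
    guid = domain_guid_from_mx(mx_host)
    return [
        (f"selector{n}._domainkey.{custom_domain}",
         f"selector{n}-{guid}._domainkey.{initial_domain}")
        for n in (1, 2)
    ]


def check_dkim_cnames(published, custom_domain, initial_domain, mx_host):
    """Compare CNAMEs found in DNS (dict host -> target) with the expected pair.

    Returns a list of problems; an empty list means both selectors are correct.
    Names are compared case-insensitively and trailing dots are ignored."""
    found = {h.strip().rstrip(".").lower(): t for h, t in published.items()}
    problems = []
    for host, target in dkim_cnames(custom_domain, initial_domain, mx_host):
        actual = found.get(host.lower())
        if actual is None:
            problems.append(f"missing CNAME {host}")
        elif actual.strip().rstrip(".").lower() != target.lower():
            problems.append(f"{host} points to {actual}, expected {target}")
    return problems


if __name__ == "__main__":
    for host, target in dkim_cnames("contosotech.com", "contoso.onmicrosoft.com",
                                    "contosotech-com.mail.protection.outlook.com"):
        print(f"{host} CNAME {target}")
    # Constructed DNS answer in which selector2 was never published.
    published = {
        "selector1._domainkey.contosotech.com":
            "selector1-contosotech-com._domainkey.contoso.onmicrosoft.com.",
    }
    print(check_dkim_cnames(published, "contosotech.com", "contoso.onmicrosoft.com",
                            "contosotech-com.mail.protection.outlook.com"))
```

Run the check before clicking Enable: Office 365 refuses to turn on signing until both CNAMEs resolve to the right targets, and a stray space or a wrong domainGUID is the usual cause.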
Domain-based Message Authentication, Reporting and Conformance (DMARC)
The final piece of the puzzle is DMARC which also authenticates the sender, and helps to ensure that messages from your domain are trusted at their destination. The main purpose of DMARC though is to set a policy that determines what to do with the mail if it fails its authentication with DKIM or SPF.
How do I setup DMARC?
Well DMARC is setup automatically by Office 365 for inbound mail, so there is no extra needed configuration on that end. For outbound mail, you will need to create the following TXT record and add it to your DNS record:
_dmarc.domain TTL IN TXT “v=DMARC1; pct=100; p=policy”
Domain = Your custom domain name (ex. Contoso.com)
TTL = Should equal one hour (3600 seconds)
pct = If set to 100, the rule will be used for 100% of email
policy = The action that will be taken if DMARC fails. This can be set to none, quarantine, or reject.
Example: _dmarc.contoso.com 3600 IN TXT “v=DMARC1; pct=100; p=quarantine”
Once the record is set, it is best practice to monitor the impact the policy has on inbound mail. You can adjust the TXT record as necessary to accommodate your needs.
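The script below is an added example rather than anything from the article or from Microsoft. It builds the `_dmarc` TXT record line from the fields described above, parses a published value with the same checks a receiver applies (the `v=DMARC1` tag must come first, `p=` is required and must be none, quarantine or reject, and `pct=` must be 0 to 100), and then shows what the policy means for one message: DMARC passes when SPF or DKIM passed with a domain that aligns with the From: domain, and otherwise the `p=` action applies. Two simplifications are mine: the optional `rua=` reporting tag comes from the DMARC specification, not the article, and the organizational-domain comparison uses the last two labels instead of the Public Suffix List. The `pct` sampling of the policy is not modelled.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def build_dmarc(domain, policy, pct=100, rua=None, ttl=3600):
    """Produce the DNS TXT record line for _dmarc.<domain>.

    rua (optional) is a mailbox that receivers send aggregate reports to; it is
    part of the DMARC specification but not of the article's minimal record."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"policy must be one of {sorted(VALID_POLICIES)}")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags = ["v=DMARC1", f"pct={pct}", f"p={policy}"]
    if rua:
        tags.append(f"rua=mailto:{rua}")
    value = "; ".join(tags)
    return f'_dmarc.{domain} {ttl} IN TXT "{value}"'


def parse_dmarc(txt):
    """Parse a TXT value into a tag dict, enforcing what receivers enforce."""
    tags = {}
    for item in txt.strip().strip('"\u201c\u201d').split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag {item!r}")
        key, value = (part.strip() for part in item.split("=", 1))
        tags[key.lower()] = value
    first = next(iter(tags), None)
    if first != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        raise ValueError("pct= must be an integer from 0 to 100")
    return tags


def org_domain(name):
    """Simplified organizational domain: the last two labels (assumption; real
    receivers consult the Public Suffix List, so co.uk-style names are not handled)."""
    return ".".join(name.strip().rstrip(".").lower().split(".")[-2:])


def dmarc_disposition(tags, header_from, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Apply the policy to one message under relaxed alignment.

    header_from is the domain in the visible From: header; spf_domain is the
    envelope sender domain SPF evaluated; dkim_domain is the d= of a verified
    signature. Returns 'pass' or the p= action to apply."""
    from_org = org_domain(header_from)
    spf_aligned = bool(spf_pass and spf_domain and org_domain(spf_domain) == from_org)
    dkim_aligned = bool(dkim_pass and dkim_domain and org_domain(dkim_domain) == from_org)
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    print(build_dmarc("contoso.com", "quarantine"))
    policy = parse_dmarc('"v=DMARC1; pct=100; p=quarantine"')
    # Constructed message: DKIM signed by contoso.com, so it aligns and passes.
    print(dmarc_disposition(policy, "contoso.com", "bounce.example.net", True, "contoso.com", True))
    # Constructed spoof: SPF passed only for the spoofer's own domain, DKIM absent.
    print(dmarc_disposition(policy, "contoso.com", "spoofer.example", True, None, False))
```

Start with `p=none` so that nothing is quarantined while you confirm every legitimate sender aligns, then move to quarantine and finally reject once the results are clean.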
For more information regarding SPF, DKIM, and DMARC please read the following Microsoft articles:
From Rob Vogl, Sr. Operations Specialist