SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are DNS-based standards that let a receiving mail server check whether an email really comes from the domain it claims to come from. In combination, the three mechanisms make it hard to spoof the sender of an email, detect tampering with the content in transit, and give the domain owner reports about who is sending mail in the name of the domain.

This guide sets up SPF, DKIM and DMARC for Exchange Online.

Prerequisites and Licensing

The following requirements for the configuration of SPF, DKIM and DMARC must be met:

  1. Your own mail domain
  2. Administrative access to the public DNS of the mail domain
  3. A Microsoft 365 licence plan that includes Exchange Online

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.

SPF (Sender Policy Framework)

SPF specifies which mail servers (IP addresses) are allowed to send emails on behalf of a domain. In practice, these are the IP addresses of the mail servers and of web servers or other services that send mail for the domain. The receiving mail server takes the domain of the envelope sender (MAIL FROM / Return-Path), looks up its SPF record in the DNS and checks whether the connecting IP address is listed there. If it is not, the result is a fail or a softfail, depending on the qualifier at the end of the record (-all or ~all); whether such a message is then marked as spam or rejected is decided by the receiving server.

Microsoft 365 generates the SPF record when the domain is added and shows it under the DNS records of the domain. The record must be published as a TXT record in the public DNS of the domain (if the DNS is hosted by Microsoft, this happens automatically); when the domain is verified, Microsoft checks that the record is present. Once it is published, SPF for Exchange Online is complete and no further tasks are required.
The default record authorises only Exchange Online and ends in -all, i.e. a hard fail for every other sender:

v=spf1 include:spf.protection.outlook.com -all

If other systems send mail for the domain (newsletter tools, web servers, ticket systems), they must be added to this one record, e.g. with ip4: or a further include:. Note that SPF allows at most 10 DNS lookups (include, a, mx, ptr, exists) per evaluation; a record that exceeds this limit produces a permerror and is effectively ignored by receivers.

Microsoft 365 admin center (https://admin.microsoft.com) > Settings > Domains > Select Domain > DNS records
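To make the SPF evaluation described above concrete, here is a small SPF evaluator as an added example (it is not part of the original post and not Microsoft's code). It runs offline against a constructed stand-in for DNS: example.com carries the record Microsoft 365 asks you to publish, the entry for spf.protection.outlook.com is a deliberately shortened stand-in for Microsoft's real (much larger) record, and example.org is a second record with ~all for comparison. The function names and the FAKE_DNS table are assumptions of this example; the IP ranges are documentation ranges, not a list of Microsoft's senders.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed stand-in for DNS so the example runs offline (see lead-in).
FAKE_DNS: Dict[str, str] = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 "
                                  "ip6:2a01:111:f400::/48 -all",
    "example.org": "v=spf1 ip4:203.0.113.0/24 ~all",
}

MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4: include/a/mx/ptr/exists count towards this
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str) -> Optional[str]:
    """Stub resolver: SPF TXT record of a domain, or None if it has none."""
    return FAKE_DNS.get(domain.lower())


def check_host(ip: str, domain: str,
               resolver: Callable[[str], Optional[str]] = lookup_spf,
               _lookups: Optional[List[int]] = None) -> str:
    """Evaluate the SPF record of `domain` for the connecting address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only the mechanisms needed for the Exchange Online record are implemented
    (ip4, ip6, include, all); a/mx/ptr/exists are charged against the lookup
    limit but treated as non-matching.
    """
    if _lookups is None:
        _lookups = [0]            # shared counter across include: recursion
    record = resolver(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower().split("/")[0]   # "a/24" -> "a"

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name in ("include", "a", "mx", "ptr", "exists"):
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"   # too many lookups: receivers treat the record as broken
            if name == "include":
                inner = check_host(ip, value, resolver, _lookups)
                if inner == "pass":
                    return QUALIFIERS[qualifier]
                if inner in ("none", "permerror"):
                    return "permerror"   # RFC 7208 section 5.2
        # unknown mechanisms and modifiers such as redirect= are ignored here
    return "neutral"     # record without an "all" term: default result


if __name__ == "__main__":
    for ip, dom in [("40.92.1.1", "example.com"), ("203.0.113.5", "example.com"),
                    ("203.0.113.5", "example.org"), ("198.51.100.1", "example.org")]:
        print(f"{ip:15} for {dom:12} -> {check_host(ip, dom)}")
```

The difference between the two records is visible in the last two results: an unauthorised sender gets a hard fail from the -all record but only a softfail from ~all, which most receivers merely score as a spam signal. The lookup counter shows why an SPF record that chains too many include: entries silently stops protecting the domain.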

Check SPF

The SPF record can be checked on MXToolbox.

  1. Open MXToolbox SuperTool
  2. Enter mail domain
  3. Select SPF Record Lookup

All checks must be passed.

DKIM (DomainKeys Identified Mail)

With DKIM, the sending server adds a digital signature to each outgoing mail using a private key. The signature covers selected headers (at least From) and a hash of the body. The receiving server fetches the matching public key from a DNS TXT record (<selector>._domainkey.<domain>) and verifies the signature; a signature is verified, not decrypted. A valid signature proves that the mail was signed by a holder of the domain's private key, i.e. by an authorised server, and that the signed headers and the body were not modified in transit. Unlike SPF, a DKIM signature also survives forwarding, because it does not depend on the IP address of the last hop.

DKIM is configured via the Microsoft 365 Security Portal.
https://security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Email authentication settings

  1. Select DKIM
  2. Choose domain

If no DKIM keys have been created yet for the selected domain, click Create DKIM keys.

After the DKIM keys have been created, the required CNAME records are shown. Two CNAME records must be created in the public DNS of the mail domain:

selector1._domainkey
selector2._domainkey

Both point to Microsoft-hosted records of the form selector1-<mail domain with dots replaced by dashes>._domainkey.<tenant>.onmicrosoft.com. The public keys themselves are published by Microsoft, which is why a later key rotation needs no DNS change on your side. Two selectors are used so that one key can be active while the other is prepared for rotation.

After the new CNAME records have been propagated worldwide via the DNS, DKIM can be activated for the domain in Microsoft 365. Check the propagation with dnschecker.org.

https://security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Email authentication settings > Choose Domain > enable the toggle for signing messages with DKIM

Microsoft 365 now checks the necessary CNAME records in the DNS and then activates DKIM.

Check DKIM

The website https://dkimvalidator.com/ provides a free tool for checking DKIM. Open the page; it shows a randomly generated recipient address for the validation. Send an email from a mailbox of the domain to this address.

A few minutes after sending the email, go to dkimvalidator.com and start checking the DKIM configuration with View Results.

The validation must pass, i.e. the DKIM section of the result has to show:

DKIM Signature
result = pass
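The following added example (not code from the original post or from Microsoft) shows the key-independent half of what dkimvalidator.com does with the mail you send it: it parses the DKIM-Signature header, applies the relaxed body canonicalization that Exchange Online uses (c=relaxed/relaxed) and compares the bh= tag with a freshly computed hash of the body, so any change to the body after signing is detected. It also derives the two CNAME names and targets from the step above. The message, the function names and the tenant name "contoso" are constructed assumptions of this example; the b= signature over the headers is a placeholder, because checking it would need the public key from DNS and is not done here.

```python
import base64
import hashlib
import re
from typing import Dict, Tuple


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (the DKIM-Signature header value).
    Folding whitespace inside values (b=, bh=, h=) is dropped."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def relaxed_body(body: str) -> str:
    """Relaxed body canonicalization, RFC 6376 section 3.4.4: trailing
    whitespace per line removed, runs of SP/TAB reduced to one SP, empty
    lines at the end dropped, a non-empty body always ends in CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def split_message(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a CRLF-terminated RFC 5322 message into {lowercase header: value}
    (folded lines joined, first occurrence kept) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in re.split(r"\r\n(?![ \t])", head):   # CRLF followed by WSP is a fold
        name, _, val = line.partition(":")
        headers.setdefault(name.strip().lower(), val.strip())
    return headers, body


def verify_body_hash(raw: str) -> bool:
    """Compare bh= with the actual body. If this fails, the body was changed
    after signing. The b= signature over the headers is not checked here."""
    headers, body = split_message(raw)
    if "dkim-signature" not in headers:
        raise ValueError("message is not DKIM-signed")
    sig = parse_tags(headers["dkim-signature"])
    if not sig.get("a", "").endswith("sha256"):
        raise ValueError("example only handles *-sha256 signatures")
    canon = sig.get("c", "simple/simple").split("/")
    if (canon[1] if len(canon) == 2 else "simple") != "relaxed":
        raise ValueError("example only implements relaxed body canonicalization")
    if "l" in sig:
        raise ValueError("l= (body length limit) is not supported here")
    return sig.get("bh") == body_hash(body)


def build_signed_message(domain: str, selector: str, body: str) -> str:
    """Construct a sample message with a correct bh=; b= is a placeholder
    because the private key lives in Exchange Online, not in this example."""
    return (
        f"From: Alice <alice@{domain}>\r\n"
        f"To: Bob <bob@example.net>\r\n"
        f"Subject: DKIM body hash demo\r\n"
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain};\r\n"
        f" s={selector}; h=From:To:Subject; bh={body_hash(body)};\r\n"
        f" b=PLACEHOLDER\r\n"
        f"\r\n{body}"
    )


def expected_dkim_cnames(mail_domain: str, tenant: str) -> Dict[str, str]:
    """Name -> target of the two CNAMEs Microsoft 365 shows after 'Create DKIM
    keys': dots in the mail domain become dashes, target under the tenant's
    initial <tenant>.onmicrosoft.com domain. `tenant` is a placeholder."""
    dashed = mail_domain.lower().replace(".", "-")
    return {f"{sel}._domainkey.{mail_domain.lower()}":
            f"{sel}-{dashed}._domainkey.{tenant}.onmicrosoft.com"
            for sel in ("selector1", "selector2")}


# Constructed sample: a "signed" message and a copy altered in transit.
SAMPLE_MESSAGE = build_signed_message("example.com", "selector1",
                                      "Please pay invoice 4711 to the usual account.\r\n\r\n")
TAMPERED_MESSAGE = SAMPLE_MESSAGE.replace("the usual account", "account DE12 3456")

if __name__ == "__main__":
    print("original bh matches:", verify_body_hash(SAMPLE_MESSAGE))    # True
    print("tampered bh matches:", verify_body_hash(TAMPERED_MESSAGE))  # False
    for name, target in expected_dkim_cnames("example.com", "contoso").items():
        print(f"{name} CNAME {target}")
```

The canonicalization step matters in practice: mail gateways that re-wrap lines or strip trailing whitespace do not break a relaxed signature, whereas a footer appended by a mailing list does, which is why such forwarded mail relies on the DMARC policy rather than on DKIM alone.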

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC specifies how a receiver should deal with mails that fail SPF and DKIM, and ties both checks to the domain in the visible From header. A message passes DMARC if at least one of the two checks passes and the checked domain is aligned with the From domain; SPF or DKIM on their own say nothing about the From address the user sees, so an attacker with valid SPF and DKIM for their own domain would otherwise pass. In addition, the domain owner receives reports about the mail sent in the name of the domain and can use them to monitor who is sending. DMARC is configured and activated with a TXT record at _dmarc.<domain> in the DNS.

The DMARC Generator from MXToolbox creates the TXT record for the DNS of the domain.

  1. Go to https://mxtoolbox.com/dmarcrecordgenerator.aspx
  2. Enter the domain name

The following options can be chosen according to your own needs.

  1. Policy (p=)
    None (p=none)
    This is the observation mode. Emails are monitored and reports are generated, but the receiver neither rejects emails nor moves them to the spam folder. This is the recommended setting to start with DMARC.

    Quarantine (p=quarantine)
    Emails that fail DMARC (neither SPF nor DKIM passes with an aligned domain) are moved to quarantine or the spam folder.
    Legitimate emails can also be affected (false positives), typically mail from a service that is missing from the SPF record and is not DKIM-signed. The optional parameter pct= defines the percentage of failing mail the policy is applied to; without pct=, 100 % of the failing emails are quarantined. A cautious approach is to start with a low value such as pct=10 and raise it as the reports show no legitimate mail failing.

    Reject (p=reject)
    The receiving mail server rejects emails that fail DMARC.
    Again, legitimate emails can be affected (false positives). Without pct=, 100 % of the failing emails are rejected. With p=reject; pct=10, 10 % of the failing emails are rejected and the remaining 90 % are treated with the next weaker policy, i.e. quarantined (RFC 7489). pct=10 is a starting value for the roll-out, not the end state; the goal is p=reject without a pct= restriction.
  2. Email address to which aggregate reports (rua=) are sent.
    Aggregate reports are XML files that receivers send regularly (usually once a day) and that list, per sending IP address, how many emails passed or failed SPF, DKIM and DMARC.
  3. Email address to which failure reports (ruf=) are sent.
    Failure (forensic) reports are sent per failing message and contain detailed diagnostic information, including message headers, which is useful for finding the source of a problem. Many large receivers do not send them at all for privacy reasons, so do not rely on them.

If a report address is in a different domain than the mail domain, the receiving domain must publish a TXT record <mail domain>._report._dmarc.<report domain> with the content v=DMARC1, otherwise reporters will not send reports there (RFC 7489 section 7.1).

The generator now shows the required DNS record. This value must be published as a TXT record with the name _dmarc.<domain>; for the observation mode with both report addresses it looks like this (addresses are examples):

v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com

Check DMARC

The website https://www.dmarctester.com/ checks DMARC automatically. Open the page, send an email from a mailbox of the domain to the randomly generated address it shows, and the complete check starts on its own.
The test proceeds in the following steps:

  1. SPF Record check
  2. DKIM check
  3. DMARC check

The checks are considered successfully completed if DMARC Result PASS is shown at the end.
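The following added example (not code from the original post, from MXToolbox or from dmarctester.com) implements the DMARC decision that the policy options above and the three-step check describe: it parses a _dmarc record, applies identifier alignment between the SPF/DKIM domain and the From domain, and derives the disposition from p= and pct=. The record, the three message scenarios, the domains attacker.test and example.com and all function names are constructed assumptions; the org_domain() helper is simplified to the last two labels, whereas real receivers use the Public Suffix List.

```python
import random
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse the TXT record at _dmarc.<domain>. v=DMARC1 and p= are mandatory;
    other tags get their RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    tags.setdefault("adkim", "r")       # relaxed DKIM alignment
    tags.setdefault("aspf", "r")        # relaxed SPF alignment
    tags.setdefault("pct", "100")       # apply policy to all failing mail
    tags.setdefault("sp", tags["p"])    # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    no public suffixes such as co.uk in the data)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(record: Dict[str, str], from_domain: str,
                 spf_result: str, spf_domain: Optional[str],
                 dkim_result: str, dkim_domain: Optional[str]) -> str:
    """pass if SPF passed for an aligned MAIL FROM domain *or* DKIM passed
    with an aligned d= domain. A pass for an unrelated domain does not count,
    which is what defeats a spoofer with valid SPF/DKIM for their own domain."""
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(spf_domain, from_domain, record["aspf"]))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, record["adkim"]))
    return "pass" if (spf_ok or dkim_ok) else "fail"


def disposition(record: Dict[str, str], result: str, from_domain: str,
                roll: Optional[int] = None) -> str:
    """Action for a message. pct= (not p=) is the share of *failing* mail the
    policy applies to; the rest gets the next weaker policy (RFC 7489 section
    6.6.4). `roll` is the 0..99 sample value receivers draw at random; pass it
    explicitly for a reproducible result."""
    if result == "pass":
        return "none"
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    policy = record["sp"] if is_subdomain else record["p"]
    if roll is None:
        roll = random.randrange(100)
    if roll < int(record["pct"]):
        return policy
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]


# Constructed record for a cautious roll-out (report addresses are placeholders).
RECORD = parse_dmarc("v=DMARC1; p=reject; pct=10; "
                     "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com")


def scenarios() -> Dict[str, tuple]:
    """Three constructed messages whose From: domain is example.com:
    (spf_result, spf_domain, dkim_result, dkim_domain)."""
    return {
        # sent by Exchange Online: SPF for MAIL FROM example.com, DKIM d=example.com
        "legit":     ("pass", "example.com", "pass", "example.com"),
        # forwarded by a mailing list: SPF fails (foreign IP), DKIM signature survives
        "forwarded": ("fail", "example.com", "pass", "example.com"),
        # spoofed: attacker's infrastructure passes SPF/DKIM for attacker.test only
        "spoofed":   ("pass", "attacker.test", "pass", "attacker.test"),
    }


if __name__ == "__main__":
    for name, (spf_r, spf_d, dkim_r, dkim_d) in scenarios().items():
        res = dmarc_result(RECORD, "example.com", spf_r, spf_d, dkim_r, dkim_d)
        print(f"{name:10} dmarc={res:4} roll=5 -> {disposition(RECORD, res, 'example.com', 5)}, "
              f"roll=50 -> {disposition(RECORD, res, 'example.com', 50)}")
```

The forwarded scenario is the reason DKIM is worth the effort even when SPF is already in place: the mailing list breaks SPF, but the surviving aligned DKIM signature still yields a DMARC pass. The spoofed scenario shows the alignment rule at work, and the two roll values show that with pct=10 only a tenth of the failing mail is rejected while the rest is quarantined.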

Analyze DMARC Report

Analyze report manually

Receiving mail providers (Google, Microsoft, Yahoo and many others) regularly send aggregate reports to the rua address in the DNS record, usually once a day per reporter, as a gzipped or zipped XML file attached to an email.
The XML reports can be analysed via MXToolbox.

  1. Open https://mxtoolbox.com/DmarcReportAnalyzer.aspx
  2. Upload XML Report

Based on the report, further steps can now be taken to secure the domain’s email communication.
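For readers who want to see what the analyzers above extract from a report, here is an added example (not code from the original post or from MXToolbox) that unpacks an aggregate report in the RFC 7489 Appendix C format and summarises it per sending IP address. The embedded report, its reporter name, IP addresses and counts are constructed; the function names are assumptions of this example. The three records mirror the typical picture: Exchange Online passing both checks, a forwarder that breaks SPF but keeps DKIM, and a source that passes nothing.

```python
import gzip
import io
import zipfile
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Union
import xml.etree.ElementTree as ET

# Constructed aggregate report (see lead-in). Real ones arrive gzipped or zipped.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-noreply@receiver.example</email>
    <report_id>8f3c0d4e</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>40.92.1.1</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.9</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def load_report(data: Union[str, bytes]) -> ET.Element:
    """Accept raw XML, a .xml.gz or a .zip attachment; return the root element."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    if data[:2] == b"\x1f\x8b":                      # gzip magic
        data = gzip.decompress(data)
    elif data[:2] == b"PK":                          # zip archive with the xml inside
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return ET.fromstring(data)


def summarize(data: Union[str, bytes]) -> Dict:
    """Per source IP: count, aligned DKIM/SPF as the receiver evaluated them
    (policy_evaluated), DMARC pass/fail, and the raw domains that passed."""
    root = load_report(data)
    meta = root.find("report_metadata")
    rng = meta.find("date_range")
    summary = {
        "reporter": meta.findtext("org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "begin": datetime.fromtimestamp(int(rng.findtext("begin")), timezone.utc).isoformat(),
        "end": datetime.fromtimestamp(int(rng.findtext("end")), timezone.utc).isoformat(),
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        dkim, spf = pe.findtext("dkim"), pe.findtext("spf")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim, "spf": spf,
            "dmarc_pass": dkim == "pass" or spf == "pass",
            "disposition": pe.findtext("disposition"),
            # raw auth_results tell a forwarder (own domain, SPF broken)
            # apart from a spoofer (foreign domain passes)
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return summary


def suspicious_sources(summary: Dict) -> List[str]:
    """IPs that failed both aligned checks: spoofing, or a legitimate system
    that is missing from SPF and does not sign with DKIM."""
    return [s["ip"] for s in summary["sources"] if not s["dmarc_pass"]]


def totals(summary: Dict) -> Dict[str, int]:
    t: Dict[str, int] = defaultdict(int)
    for s in summary["sources"]:
        t["pass" if s["dmarc_pass"] else "fail"] += s["count"]
    return dict(t)


def gzipped_sample() -> bytes:
    """The same constructed report as it would arrive as an .xml.gz attachment."""
    return gzip.compress(SAMPLE_REPORT.encode("utf-8"))


if __name__ == "__main__":
    s = summarize(gzipped_sample())
    print(f"{s['reporter']} {s['begin']} .. {s['end']} for {s['domain']} (p={s['policy']})")
    for src in s["sources"]:
        print(f"  {src['ip']:15} {src['count']:5} dkim={src['dkim']:4} spf={src['spf']:4} "
              f"spf_domain={src['spf_domain']}")
    print("totals:", totals(s), "suspicious:", suspicious_sources(s))
```

Before tightening the policy from p=none to quarantine or reject, every IP in the suspicious list has to be explained: a forgotten newsletter tool or ticket system shows up here exactly like a spoofer, and only the former should be added to SPF or configured for DKIM.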

Another free alternative for analysing DMARC reports is DMARC Analyzer – DMARC Advisor.

Analyze report automatically

For those who would like the processing of DMARC reports automated, a commercial service such as https://www.valimail.com/ is an option.

Recurring tasks and best practices

Rotate DKIM keys

DKIM keys should be rotated regularly to limit the damage if a private key is ever compromised. Rotation of the DKIM keys is recommended in the following cases:

  • the current DKIM key has been in use for more than 6 months
  • the domain was the target of an attack
  • after a data breach, especially if the sending infrastructure may have been compromised

The rotation of the DKIM key in Microsoft 365 is done with little effort:

https://security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Email authentication settings

  1. Select DKIM
  2. Choose domain

Click Rotate DKIM keys.

While the DKIM keys are being rotated, the status Rotating keys for this domain and signing DKIM signatures appears. Because the two selectors are CNAMEs to Microsoft-hosted records, no change in your own DNS is necessary for the rotation.

After 96 hours (4 days), the new DKIM key will begin signing outgoing messages for the custom domain. Until then, the current DKIM key remains in use.

