SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are used to authenticate email messages. In combination, the three mechanisms provide a high level of assurance about the authenticity of the sender and the integrity of an email's content.
This guide sets up SPF, DKIM and DMARC for Exchange Online.
Prerequisites and Licensing
The following requirements for the configuration of SPF, DKIM and DMARC must be met:
- Own mail domain
- Administrative access to the public DNS of the mail domain
- A Microsoft 365 licence plan that includes Exchange Online
An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.
SPF (Sender Policy Framework)
SPF defines which IP addresses are allowed to send emails for a domain; in practice, these are usually the addresses of web and mail servers. The receiving mail server uses the SPF record in the DNS to check whether the sending mail server is authorised to send emails for the domain. If it is not authorised, the email is marked as spam or rejected (depending on the SPF configuration).
The SPF record is predefined and checked when the domain is activated in Microsoft 365. SPF is therefore already activated and no further tasks are required.
The default SPF record (v=spf1 include:spf.protection.outlook.com -all) rejects all emails from senders that are not authorised.
Microsoft 365 admin center (https://admin.microsoft.com) > Settings > Domains > Select Domain > DNS records
Check SPF
The SPF record can be checked on MXToolbox.
- Open MXToolbox SuperTool
- Enter mail domain
- Select SPF Record Lookup
All checks must be passed.
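As an added example (not from this post or from Microsoft), the following Python script performs basic SPF sanity checks offline on a record string such as the one MXToolbox returns: it confirms the Exchange Online include, the strictness of the all qualifier and the number of DNS-lookup terms against the RFC 7208 limit of 10. The sample records are constructed.

```python
# Offline SPF record checks (added example; not from the post or Microsoft).
import re

# Terms that each cost one DNS lookup under the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
M365_INCLUDE = "include:spf.protection.outlook.com"

def check_spf(record: str) -> dict:
    """Return findings for one SPF TXT record (top-level terms only)."""
    findings = {"m365_include": False, "all_qualifier": None,
                "lookup_count": 0, "problems": []}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings["problems"].append("record must start with v=spf1")
        return findings
    for term in terms[1:]:
        # A leading +, -, ~ or ? is the qualifier; the default is +.
        qualifier, body = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            # Only this record's own terms are counted; lookups inside
            # included records would need live DNS resolution.
            findings["lookup_count"] += 1
        if body.lower() == M365_INCLUDE:
            findings["m365_include"] = True
        if name == "all":
            findings["all_qualifier"] = qualifier
    if not findings["m365_include"]:
        findings["problems"].append("missing " + M365_INCLUDE)
    q = findings["all_qualifier"]
    if q is None:
        findings["problems"].append("no all mechanism: unlisted senders are neutral")
    elif q == "+":
        findings["problems"].append("+all authorises every sender")
    elif q in "~?":
        findings["problems"].append(q + "all is not a hard fail; use -all")
    if findings["lookup_count"] > 10:
        findings["problems"].append("more than 10 DNS lookups: receivers return permerror")
    return findings

# Constructed sample records: the Exchange Online default and a softfail variant.
DEFAULT_M365_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SOFTFAIL_SPF = "v=spf1 include:spf.protection.outlook.com ~all"

if __name__ == "__main__":
    for rec in (DEFAULT_M365_SPF, SOFTFAIL_SPF):
        print(rec, "->", check_spf(rec)["problems"] or "OK")
```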
DKIM (DomainKeys Identified Mail)
DKIM digitally signs outgoing mail with the domain's private key. The receiving server verifies this signature with the public key published in the domain's DNS. This ensures that the email was actually sent from an authorised server and that its content was not modified in transit.
DKIM is configured via the Microsoft 365 Security Portal.
https://security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Email authentication settings
- Select DKIM
- Choose domain
If no DKIM keys have been created yet for the selected domain, click Create DKIM keys.
After the DKIM keys have been created, the necessary CNAME records are shown. Two CNAME records are required in the DNS:
selector1._domainkey
selector2._domainkey
After the new CNAME records have propagated worldwide through the DNS, DKIM can be activated for the domain in Microsoft 365. Check the propagation with dnschecker.org.
https://security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Email authentication settings > Choose Domain > activate Toggle
Microsoft 365 now checks the necessary CNAME records in the DNS and then activates DKIM.
Check DKIM
The website https://dkimvalidator.com/ provides a free tool for checking DKIM. Open https://dkimvalidator.com/; it shows a randomly generated recipient address for validating your own DKIM configuration. Send an email from the configured domain to this address.
A few minutes after sending the email, go back to dkimvalidator.com and check the DKIM configuration with View Results.
The validation must be successfully passed.
DKIM Signature
result = pass
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC specifies how receivers should handle mails that fail the SPF or DKIM checks. Domain owners can use it to monitor the emails sent for their domain and ensure that an email message actually originates from the specified domain. DMARC is configured and activated with a TXT record in the DNS.
The DMARC Generator from MXToolbox creates the TXT record for the DNS of the domain.
- Go to https://mxtoolbox.com/dmarcrecordgenerator.aspx
- Enter the domain name
The following DMARC options can be chosen according to your own needs.
- None
This is the observation mode. Emails are monitored and reports are generated; the server neither rejects emails nor moves them to the spam folder. This is the recommended setting to start with DMARC.
- Quarantine
Emails that have not passed the SPF or DKIM check are moved to quarantine.
This setting can also affect legitimate emails and place them in quarantine (false positives). Specifying a percentage defines what share of failing emails the policy applies to. Without the percentage parameter (pct=), DMARC quarantines 100% of the emails that do not pass the check. As best practice, a value of 10% is recommended.
- Reject
The mail server rejects emails that have not passed the SPF or DKIM check.
This setting can also cause legitimate emails to be rejected (false positives). Specifying a percentage defines what share of failing emails the policy applies to. Without the percentage parameter (pct=), DMARC rejects 100% of the emails that do not pass the check. As best practice, a value of 10% is recommended: 90% of the emails that fail the check are then quarantined and 10% are rejected by the receiving server.
- Email address to which DMARC reports with RUA information are sent.
RUA reports contain information about which emails have passed the SPF, DKIM and DMARC checks and which have not.
- Email address to which DMARC reports with RUF information are sent.
RUF reports are similar to RUA reports: they also contain information about the SPF, DKIM and DMARC checks, but with detailed diagnostic information. This is useful for remediating the underlying problem.
The generator now shows the required DNS record. This value must be published as a TXT record.
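To see how the policy and percentage options above combine in the published record, here is an added Python example (not code from the post or from MXToolbox) that parses a DMARC TXT record, computes the share of failing mail that is quarantined versus rejected, and extracts the RUA/RUF report addresses. The sample record and its example.com addresses are constructed.

```python
# Parse a DMARC TXT record and model how p= and pct= combine
# (added example; not from the post or any DMARC tool).

# Policies from least to most strict; pct= sends the remainder of failing
# mail to the next less strict policy (RFC 7489).
POLICY_ORDER = ["none", "quarantine", "reject"]

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=10; rua=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICY_ORDER:
        raise ValueError("p= must be none, quarantine or reject")
    return tags

def effective_dispositions(tags: dict) -> dict:
    """Share (in %) of DMARC-failing mail that gets each disposition."""
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    policy = tags["p"]
    fallback = POLICY_ORDER[max(POLICY_ORDER.index(policy) - 1, 0)]
    shares = {p: 0 for p in POLICY_ORDER}
    shares[policy] += pct
    shares[fallback] += 100 - pct
    return shares

def report_addresses(tags: dict, tag: str = "rua") -> list:
    """Mailbox addresses from the rua= (aggregate) or ruf= (forensic) tag."""
    uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
    return [u[len("mailto:"):] for u in uris if u.startswith("mailto:")]

# Constructed sample record: reject 10% of failing mail, quarantine the rest.
SAMPLE_DMARC = ("v=DMARC1; p=reject; pct=10; "
                "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com")

if __name__ == "__main__":
    t = parse_dmarc(SAMPLE_DMARC)
    print(effective_dispositions(t), report_addresses(t), report_addresses(t, "ruf"))
```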
Check DMARC
The website https://www.dmarctester.com/ checks DMARC automatically. After an email has been sent to the randomly generated address it shows, the complete DMARC check starts automatically.
The test proceeds in the following steps:
- SPF Record check
- DKIM check
- DMARC check
The checks are considered successfully completed if DMARC Result PASS is shown at the end.
Analyze DMARC Report
Analyze report manually
Mail providers regularly send DMARC reports to the specified email address in the DNS record.
The reports in XML format can be analyzed via MXToolbox.
- Open https://mxtoolbox.com/DmarcReportAnalyzer.aspx
- Upload XML Report
Based on the report, further steps can now be taken to secure the domain’s email communication.
Another free alternative for analyzing DMARC reports is DMARC Analyzer – DMARC Advisor.
Analyze report automatically
For those who would like to have the DMARC reports further automated, a visit to https://www.valimail.com/ is recommended.
Recurring tasks and best practices
Rotate DKIM keys
DKIM keys should be rotated regularly to reduce the risk of them being compromised. Rotation of DKIM keys is recommended after the following events:
- The lifetime of the current DKIM key exceeds 6 months
- After a cyber attack on the domain
- Following a data breach
The rotation of the DKIM key in Microsoft 365 is done with little effort:
https://security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Email authentication settings
- Select DKIM
- Choose domain
Click Rotate DKIM keys.
While the DKIM keys are being rotated, the status Rotating keys for this domain and signing DKIM signatures is shown.
After 96 hours (4 days), the new DKIM key will begin signing outgoing messages for the custom domain. Until then, the current DKIM key remains in use.