Enhance Email Security : Complete Guide to Configuring SPF, DMARC and DKIM in Office 365



I - Introduction :


In today's digital world, the security of email communications has become a top priority for businesses. The SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting & Conformance) and DKIM (DomainKeys Identified Mail) protocols play a crucial role in protecting against phishing attacks and spam. This technical guide aims to provide an in-depth understanding of these protocols, as well as detailed instructions for configuring them in an Office 365 environment. By mastering these tools, companies can not only improve the security of their communications, but also strengthen the trust of their customers and partners.


II - Why it is important to configure SPF, DMARC and DKIM :


Configuring SPF, DMARC and DKIM is crucial for companies using Office 365 for several reasons:

  • Protection against phishing and spam : These protocols help verify that emails sent from your domain are genuine, reducing the risk of fraudulent emails being sent in your name.
  • Improved email deliverability : By configuring these protocols correctly, your emails are less likely to be flagged as spam by recipient filters, ensuring that your important communications reach their target.
  • Enhancing your domain's reputation : Correct configuration of SPF, DMARC and DKIM shows that your company takes security seriously, which can improve customer and partner confidence.
  • Regulatory compliance : Many data protection and cybersecurity regulations require robust security measures, and using these protocols can help meet these requirements.


III - How to configure SPF Record :


1 - What is SPF Record ?


An SPF (Sender Policy Framework) record is a type of DNS (Domain Name System) record used for e-mail authentication. It lets you specify which mail servers are authorized to send e-mail on behalf of your domain.

Here's how it works:

  • List of authorized servers : The SPF record contains a list of IP addresses and domains authorized to send e-mail from your domain.
  • Verification by receiving servers : When an e-mail is received, the receiving server checks the SPF record of the sender's domain to ensure that the e-mail comes from an authorized server.
  • Reducing spoofing : By preventing unauthorized servers from sending emails using your domain, the SPF record helps prevent spoofing, where attackers send fraudulent emails pretending to be you.

In short, an SPF record is an essential security measure to protect your domain from abuse and improve the deliverability of your emails.


2 - SPF Record Structure


The SPF Record is structured in such a way that you can easily add or remove mail systems to or from the record.

You can add as many include: or ip4: elements to your SPF record as you need. The enforcement rule indicates what the receiving mail system should do with mail sent from a server that isn’t listed in the SPF record.


3 - Some examples of SPF Records :


Depending on the actual outbound email scenario you are in, create your SPF record accordingly.

  • Scenario 1 : you only use Office 365 Exchange Online to send emails on behalf of your organization. In this scenario, since only Office 365 is allowed to send emails, just include its SPF record (spf.protection.outlook.com) in your SPF record, like this:

v=spf1 include:spf.protection.outlook.com -all

  • Scenario 2 : you currently send emails from Exchange Online, and you also want to allow emails to be sent from the IP address 20.22.23.24 (a scanner that sends documents by email, for example). In this scenario, the Office 365 SPF record will look like this:

v=spf1 ip4:20.22.23.24 include:spf.protection.outlook.com -all

A better way to create your SPF record is to use DMARCLY's online SPF record generator. This will eliminate many common errors caused by manually creating it.
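As an added example (not code from the original article or from DMARCLY), here is a small Python linter for SPF records. It parses a v=spf1 TXT record, lists the authorised senders, reads the enforcement rule from the all term, counts the DNS-lookup mechanisms (RFC 7208 allows at most 10, after which receivers return permerror) and flags the typo that most often breaks a pasted record: a Unicode en dash in place of the ASCII hyphen in -all. The records in the main block are constructed from the two scenarios above.

```python
"""SPF record linter: an added example, not code from the original article.

Parses a v=spf1 TXT record as it would be published in DNS, summarises the two
parts the article describes (the list of authorised senders and the
enforcement rule carried by the `all` term) and flags the mistakes that most
often break a record in practice.
"""
import re

# Mechanisms whose evaluation costs a DNS lookup.  RFC 7208 section 4.6.4 caps
# these (plus the redirect modifier) at 10 per record; beyond that receivers
# return permerror and the record protects nothing.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIER_MEANING = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
_TERM = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=](.+))?$", re.IGNORECASE)
_IP4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$")


def lint_spf(record: str) -> dict:
    """Return a summary of `record` plus a list of problems (empty when clean)."""
    problems, senders, lookups, all_qualifier, redirect = [], [], 0, None, None
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "senders": [], "lookups": 0,
                "enforcement": None, "problems": ["record must start with v=spf1"]}

    for term in terms[1:]:
        # Word processors and some web editors swap the ASCII hyphen for an en
        # or em dash, which silently turns "-all" into an unknown term.
        if "\u2013" in term or "\u2014" in term:
            problems.append(f"{term!r} uses a Unicode dash instead of ASCII '-'")
            term = term.replace("\u2013", "-").replace("\u2014", "-")
        m = _TERM.match(term)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qualifier, name, arg = (m.group(1) or "+"), m.group(2).lower(), m.group(3)
        if all_qualifier is not None:
            problems.append(f"{term!r} comes after 'all' and is never evaluated")
        if name == "all":
            all_qualifier = qualifier
            if qualifier == "+":
                problems.append("'+all' authorises every server on the internet")
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
            senders.append(term)
        elif name == "redirect":
            lookups += 1
            redirect = arg
        elif name == "ip4":
            ip = _IP4.match(arg or "")
            if (ip is None or any(int(o) > 255 for o in ip.groups()[:4])
                    or (ip.group(5) is not None and int(ip.group(5)) > 32)):
                problems.append(f"invalid ip4 term {term!r}")
            senders.append(term)
        elif name == "ip6":
            senders.append(term)
        elif name != "exp":
            problems.append(f"unknown mechanism {name!r} in {term!r}")

    if all_qualifier is None and redirect is None:
        problems.append("no 'all' term: unlisted servers get a neutral result")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return {"valid": not problems, "senders": senders, "lookups": lookups,
            "enforcement": QUALIFIER_MEANING.get(all_qualifier), "problems": problems}


if __name__ == "__main__":
    # Constructed records: the article's two Office 365 scenarios, then one
    # carrying the en-dash typo and one that is simply wrong.
    for rec in ("v=spf1 include:spf.protection.outlook.com -all",
                "v=spf1 ip4:20.22.23.24 include:spf.protection.outlook.com -all",
                "v=spf1 include:spf.protection.outlook.com \u2013all",
                "v=spf1 ip4:20.22.23.300 +all"):
        print(rec, "->", lint_spf(rec))
```

Run it on the value you are about to paste into your DNS provider: a record that reports `enforcement: fail` with no problems is the shape both scenarios above produce, while `+all`, a dash that is not ASCII, or more than 10 include/a/mx terms are the findings worth fixing before the record goes live. Online checkers such as DMARCLY's do the same checks against the live DNS answer.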


4 - Create an SPF record for Office 365


We are going to start with looking up the DNS records that Microsoft 365 is expecting and then add the correct SPF record to our DNS hosting provider.


  1. Open the Microsoft 365 Admin Center at admin.microsoft.com
  2. Navigate to your domain then Settings
  3. Select Domains
  4. Select TXT Record
  5. Copy the SPF value

v=spf1 include:spf.protection.outlook.com -all

  • Go to your DNS hosting provider (I am using GoDaddy). If you don't know how to change or add DNS records, contact your hosting provider.

  1. Create SPF record
  2. Add a new Record
  3. Select Type: TXT – Name/Host: @ – Content/Value: v=spf1 include:spf.protection.outlook.com -all (or copy and paste it from Microsoft 365, step 4)
  4. Click Save

  • Now refresh the page and you'll see that the status is "OK".

5 - Test your SPF Record :


If you want to check your SPF record, go to this free SPF checker : Free SPF Record Checker - Check SPF Record - SPF Record Lookup - DMARCLY

You can see that my SPF Record appears fine here.


IV - How to Enable DKIM signing in Office 365


DKIM (DomainKeys Identified Mail) is an e-mail authentication method used in Office 365 to ensure that messages sent from your domain have not been tampered with in transit.

Here's how it works:

  • Digital signature : DKIM adds a digital signature to the header of outgoing e-mails. This signature is generated using a private key and verified by recipients using a public key stored in your domain's DNS records.
  • Message validation : recipients' messaging systems use the public key to check that the message has not been modified since it was sent.
  • Spoofing protection : This helps prevent phishing and identity theft attacks by confirming that e-mails come from your domain.

To configure DKIM in Office 365, you need to access the Exchange administration center and activate DKIM signing for your custom domains, but before this you need to add 2 CNAME records in your DNS Provider.


1 - Create two CNAME records in your DNS provider (GoDaddy in my case)

All the DKIM CNAME records have the same format. In the example below you can replace globalitnow-com with your domain name (dots replaced by hyphens) and globalitnow.onmicrosoft.com with your onmicrosoft.com domain.

Type : CNAME
Name : selector1._domainkey
Value : selector1-globalitnow-com._domainkey.globalitnow.onmicrosoft.com

Type : CNAME
Name : selector2._domainkey
Value : selector2-globalitnow-com._domainkey.globalitnow.onmicrosoft.com

  • Here are my CNAME records, successfully created.

2 - Activate DKIM signing for your custom domains :


To do this, either open the DKIMv2 page directly at https://security.microsoft.com/dkimv2 or follow these steps :

  1. Log into the Exchange admin center : https://security.microsoft.com/
  2. Go to "Email & Collaboration"
  3. Select "Policies & Rules"
  4. Select "Threat policies"
  5. Select "Email authentication"
  6. Choose the domain you want to enable DKIM on, then click Enable in the right pane.

Note that if the 2 DKIM records you published in the DNS haven't taken effect yet, this operation will fail. When this happens, wait some time and try again. If you keep getting this error, check if your DKIM records are published correctly.

3 - Protecting Domains that don’t send emails :


If you have domains that don't send mail (globalitnow.net for example), then it's a good idea to protect those as well. This may sound strange, but these domains can still be used for spoofing and phishing attacks. You can also do this for subdomains that don't send emails.

By creating a simple DNS TXT record we can tell the receiving mail systems that mail from this domain is invalid and should be rejected.

We can use a TXT record for this with the following format:

Type : TXT
Name : *._domainkey
Value : v=DKIM1; p=
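The following Python helpers are an added example, not code from the original article or from Microsoft, and they serve both section 1 (the two CNAME records) and section 3 (the null record for domains that never send mail). office365_dkim_cnames builds the two CNAME records from a domain and its onmicrosoft.com tenant name, so they can be generated for any domain instead of hand-editing the sample above; parse_dkim_record reads a DKIM key record (the tag=value list of RFC 6376) and recognises the empty p= tag; lookup_dkim shows, against a constructed in-memory zone, how the *._domainkey wildcard answers a query for any selector of a parked domain. The sample zone and its key value are constructed placeholders.

```python
"""DKIM DNS helpers: an added example, not code from the original article or
from Microsoft.

office365_dkim_cnames builds the two CNAME records Office 365 expects for a
custom domain; parse_dkim_record reads a DKIM key record (the tag=value list
of RFC 6376) and recognises the empty p= tag; lookup_dkim resolves a selector
against a small in-memory zone so the effect of a *._domainkey wildcard can be
seen without touching real DNS.
"""


def office365_dkim_cnames(domain: str, tenant: str) -> dict:
    """Return {record name: CNAME target} for selector1 and selector2.

    Office 365 encodes the custom domain in the target with every dot replaced
    by a hyphen: globalitnow.com -> selector1-globalitnow-com._domainkey.<tenant>.
    """
    domain = domain.strip().lower().rstrip(".")
    tenant = tenant.strip().lower().rstrip(".")
    if not tenant.endswith(".onmicrosoft.com"):
        raise ValueError("tenant must be the *.onmicrosoft.com domain of the tenant")
    dashed = domain.replace(".", "-")
    return {f"{sel}._domainkey": f"{sel}-{dashed}._domainkey.{tenant}"
            for sel in ("selector1", "selector2")}


def parse_dkim_record(txt: str) -> dict:
    """Parse a DKIM key record and classify it."""
    tags, problems = {}, []
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            problems.append(f"malformed tag {field!r}")
            continue
        tags[name.strip()] = value.strip()
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append(f"unsupported version {tags['v']!r}")
    if "p" not in tags:
        problems.append("missing p= tag (public key)")
        status = "invalid record"
    elif tags["p"] == "":
        # An empty p= tag is the standard way to say the key for this selector
        # has been revoked; published under *._domainkey it covers every
        # selector, so no DKIM signature claiming the domain can ever verify.
        status = "null key: no signature from this selector can verify"
    else:
        status = "key published" + (" (testing mode t=y)" if "y" in tags.get("t", "") else "")
    return {"tags": tags, "status": status, "problems": problems, "valid": not problems}


def lookup_dkim(zone: dict, selector: str, domain: str) -> dict:
    """Resolve selector._domainkey.domain in `zone` ({name: TXT value}), using
    the DNS wildcard rule: an exact name wins, otherwise *._domainkey.domain."""
    exact = f"{selector}._domainkey.{domain}".lower()
    wildcard = f"*._domainkey.{domain}".lower()
    if exact in zone:
        return parse_dkim_record(zone[exact])
    if wildcard in zone:
        return parse_dkim_record(zone[wildcard])
    return {"tags": {}, "status": "no record: DKIM verification fails",
            "problems": [], "valid": False}


# Constructed zone: a parked domain protected as the article describes, and a
# sending domain whose key value is a placeholder, not a real public key.
SAMPLE_ZONE = {
    "*._domainkey.globalitnow.net": "v=DKIM1; p=",
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}

if __name__ == "__main__":
    for name, target in office365_dkim_cnames("globalitnow.com", "globalitnow.onmicrosoft.com").items():
        print(f"CNAME {name} -> {target}")
    for selector, domain in (("selector1", "globalitnow.net"), ("mail", "example.com"), ("mail", "example.org")):
        print(f"{selector}._domainkey.{domain}: {lookup_dkim(SAMPLE_ZONE, selector, domain)['status']}")
```

The wildcard lookup is the point of section 3: whatever selector name a forged message claims, the receiving server finds the null record and the signature cannot verify. Note that the wildcard only answers when no exact selector record exists, so a domain that later starts sending mail simply adds its real selector records alongside it.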

4 - Test your DKIM Records :


You can check your DKIM from here : Free DKIM Record Checker - Check DKIM Record - DKIM Lookup - DMARCLY

  • As you can see, my DKIM record is fine.

V - How to configure DMARC Record :


1 - What is DMARC ?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an e-mail authentication protocol designed to protect against fraudulent e-mails such as phishing and spam. Here's how it works and what it's used for:

  • E-mail authentication : DMARC uses the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) protocols to verify that e-mails actually come from the domain they claim to represent.
  • Processing policy : It allows domain owners to specify how unauthenticated e-mails should be handled (e.g. marked as spam or rejected).
  • Reporting : DMARC provides reports on impersonation attempts, helping administrators to monitor and improve the security of their domains.

In short, DMARC is essential for enhancing the security of e-mail communications and protecting users against phishing attacks and other fraud.


2 - DMARC Tags


Besides the policy and the reporting mail address, you also have a couple of other options that you can use in your DMARC record. We will see in the next section how to use them.

3 - Setup DMARC for Office 365


To set up DMARC we need to create a DNS record, just like with SPF. So make sure you have access to the DNS records.

The first step is to log in to your DNS provider. I am using Godaddy, if you don’t know how to create DNS records then contact your hosting provider.

We are going to create a new TXT DNS record:

  1. Add a new record
  2. Select TXT as type
  3. Set the name to _dmarc
  4. Set the content to :

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; fo=1;

This record monitors (p=none) all DMARC events and sends a failure report whenever SPF or DKIM fails (fo=1). It applies the same monitoring policy to all subdomains (sp=none). The reports are sent to the mail address [email protected].

When you are ready to move unauthorized mail to the spam folder, you can change the record as follows :

v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=quarantine; fo=1;

  • Here is the TXT record created in my DNS provider (GoDaddy)
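Added example (not code from the original article): a Python parser for the _dmarc record above and an evaluator that applies it the way a receiving server does. It fills in the RFC 7489 defaults the record relies on (sp= would inherit p= if omitted, fo=0 unless set), validates each tag, and then decides the disposition of a message from its SPF and DKIM results, which shows why p=none still delivers spoofed mail and p=quarantine does not. Alignment (adkim/aspf) goes beyond the record above but is the part of the same standard that makes "SPF passes" meaningful; the relaxed check here is simplified and does not consult a public-suffix list, and pct= is validated but not applied. The reporting addresses in the sample are constructed (dmarc@example.com).

```python
"""DMARC record parser and policy evaluator: an added example, not code from
the original article.

parse_dmarc reads a _dmarc TXT record into its tags, filling in the defaults
from RFC 7489 (sp= inherits p=, fo=0, relaxed alignment, pct=100).
dmarc_disposition then applies the record the way a receiving server does:
the message passes when SPF or DKIM passes with a domain aligned to the From
header domain; otherwise p= (or sp= for a subdomain) decides, and fo= decides
whether a failure report goes to ruf=.
"""

DEFAULTS = {"p": None, "sp": None, "adkim": "r", "aspf": "r",
            "pct": "100", "fo": "0", "rua": "", "ruf": ""}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Return {"tags": {...}, "problems": [...], "valid": bool} for a record."""
    tags, problems = dict(DEFAULTS), []
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep:
            problems.append(f"malformed tag {field!r}")
            continue
        tags[name.strip()] = value.strip()
    if tags["p"] not in POLICIES:
        problems.append(f"p= must be one of {POLICIES}, got {tags['p']!r}")
    if tags["sp"] is None:
        tags["sp"] = tags["p"]           # sp= defaults to the p= policy
    elif tags["sp"] not in POLICIES:
        problems.append(f"invalid sp= value {tags['sp']!r}")
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        problems.append("adkim= and aspf= must be r (relaxed) or s (strict)")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        problems.append(f"pct= must be 0-100, got {tags['pct']!r}")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags[tag].split(",") if u.strip()):
            if not uri.startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag}= entry {uri!r} is not a mailto: URI")
    return {"tags": tags, "problems": problems, "valid": not problems}


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs the same domain, relaxed also accepts
    a parent or child domain (simplified: no public-suffix list lookup)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not a or not f:
        return False
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(record: dict, from_domain: str, policy_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> dict:
    """Evaluate one message.  policy_domain is the domain whose _dmarc record
    was found; if it differs from from_domain the mail is from a subdomain and
    sp= applies instead of p=."""
    t = record["tags"]
    spf_ok = spf_pass and aligned(spf_domain, from_domain, t["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, t["adkim"])
    # fo=1 wants a failure report when either check fails; fo=0 only when both do.
    fo = t["fo"].split(":")
    wants_report = (not (spf_ok and dkim_ok)) if "1" in fo else (not (spf_ok or dkim_ok))
    failure_report = bool(t["ruf"]) and wants_report
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "failure_report": failure_report}
    policy = t["p"] if from_domain.lower() == policy_domain.lower() else t["sp"]
    return {"result": "fail", "disposition": policy, "failure_report": failure_report}


if __name__ == "__main__":
    # Constructed record in the article's quarantine shape (example.com addresses).
    rec = parse_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; "
                      "ruf=mailto:dmarc@example.com; sp=quarantine; fo=1;")
    print(rec["tags"], rec["problems"])
    # Legitimate mail: SPF passes for the aligned domain.
    print(dmarc_disposition(rec, "example.com", "example.com", True, "example.com", False, ""))
    # Forged From header: SPF passes only for some other domain, no DKIM signature.
    print(dmarc_disposition(rec, "example.com", "example.com", True, "other.example", False, ""))
```

Two design points worth noticing. First, an SPF pass on its own is not enough: the domain SPF authenticated must align with the From header domain, which is exactly what stops a message that passes SPF for some unrelated sending domain while displaying yours. Second, with fo=1 a message that passes DMARC via SPF but carries a broken DKIM signature still produces a failure report, which is why the monitoring stage of the article surfaces DKIM misconfigurations before you move to p=quarantine.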

4 - Test your DMARC setup :


To test your DMARC setup, go to this link and just enter your domain name :

Free DMARC Checker - Check DMARC Record - DMARC Lookup - DMARCLY

As you can see here, everything is good.

VI - Conclusion :


Implementing the SPF, DMARC and DKIM protocols is an essential step for any company wishing to secure its email communications. By following the recommendations in this technical guide, you'll be able to protect your domain from phishing and spam attempts, improve the deliverability of your emails and enhance your company's reputation. Email security is not just a question of technology, but also of trust and credibility in the digital world. By investing in these security measures, you are taking an important step towards protecting your digital assets and ensuring the long-term future of your business.


Thanks


Aymen EL JAZIRI

System Administrator
