Email Authentication in Microsoft 365: SPF, DKIM, and DMARC
Safeguarding your organization's emails from phishing attacks and spam is paramount. Microsoft 365 provides a robust set of tools to ensure that your emails are authenticated, and your recipients can trust their origins. In this blog post, we'll explore the essential components of email authentication: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
Let's delve into how to set up and configure these defenses to enhance your email security.
SPF - Verifying the Sender
Sender Policy Framework (SPF) is a fundamental component of email authentication. It allows email recipients to verify that incoming mail from a domain is authorized and sent from approved servers. SPF records are DNS records that list the IP addresses and servers authorized to send emails on behalf of your domain.
If you are hosted entirely in Office 365, that is, you have no on-premises mail servers, your SPF TXT record would look like this:
v=spf1 include:spf.protection.outlook.com -all
The example above is the most common SPF TXT record. This record works for just about everyone, regardless of whether your Microsoft datacenter is located in the United States, Europe (including Germany), or another location.
Once you have formed your SPF TXT record, you need to edit the existing SPF record or create an SPF record on your hosting provider's website. You can only have one SPF TXT record for a domain. Once your SPF record is configured, unauthorized sources attempting to send emails on behalf of your domain will be detected and flagged as potential threats.
DKIM - Adding an Extra Layer of Trust
DomainKeys Identified Mail (DKIM) is another essential layer of email authentication. It enhances email security by digitally signing outgoing messages, providing cryptographic proof that the email is genuine and unaltered.
All the accepted domains of your tenant will be shown in the Microsoft 365 Defender portal under the DKIM page.
Step 1: On the DKIM page (Defender > Policies & Rules > Threat Policies > Email Authentication Settings), select the domain you wish to configure.
Step 2: Slide the toggle to Enable. You will see a pop-up window stating that you need to add CNAME records.
Step 3: Copy the CNAMEs shown in the pop-up window.
Step 4: Publish the copied CNAME records to your DNS service provider.
On your DNS provider's website, add CNAME records for DKIM that you want to enable.
Step 5: Return to the DKIM page to enable DKIM.
With DKIM, the recipient's server can verify that the email has not been tampered with in transit, further ensuring the integrity of your messages.
DMARC - Unifying SPF and DKIM
Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties SPF and DKIM together. DMARC enables you to specify what action should be taken for emails that fail SPF or DKIM authentication, and it provides reporting capabilities for better visibility into your email ecosystem.
Like the DNS records for SPF, the record for DMARC is a DNS text (TXT) record that helps prevent spoofing and phishing. You publish DMARC TXT records in DNS. DMARC TXT records validate the origin of email messages by verifying the IP address of an email's author against the alleged owner of the sending domain. The DMARC TXT record identifies authorized outbound email servers. Destination email systems can then verify that messages they receive originate from authorized outbound email servers.
Form the DMARC TXT record for your domain in the format:
_dmarc.domain TTL IN TXT "v=DMARC1; p=policy; pct=100"
domain is the domain you want to protect. By default, the record protects mail from the domain and all subdomains. For example, if you specify _dmarc.contoso.com, then DMARC protects mail from the domain and all subdomains, such as housewares.contoso.com or plumbing.contoso.com.
TTL should always be the equivalent of one hour. The unit used for TTL, either hours (1 hour), minutes (60 minutes), or seconds (3600 seconds), will vary depending on the registrar for your domain.
pct=100 indicates that this rule should be used for 100% of email.
policy specifies what policy you want the receiving server to follow if DMARC fails. You can set the policy to none, quarantine, or reject.
By setting a DMARC policy, you can instruct recipient servers to quarantine or reject unauthorized emails. Additionally, DMARC reports give you insights into the email flows involving your domain, helping you monitor and fine-tune your email authentication setup.
Email authentication is a cornerstone of email security, and Microsoft 365 offers a comprehensive suite of tools to protect your organization from phishing attacks and ensure that your emails are trusted by recipients. By configuring SPF, DKIM, and DMARC, you strengthen your email defenses, reduce the risk of spoofed emails, and bolster your organization's cybersecurity posture. Embrace these essential practices, and your organization can enjoy more secure and trustworthy email communication.
To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.