DMARC, DKIM & SPF

%3CLINGO-SUB%20id%3D%22lingo-sub-204330%22%20slang%3D%22en-US%22%3EDMARC%2C%20DKIM%20%26amp%3B%20SPF%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-204330%22%20slang%3D%22en-US%22%3E%3CP%3EWhat's%20the%20latest%20advice%20on%20DMARC%2C%20DKIM%20and%20SPF%20for%20Office%20365%20tenants%3F%3C%2FP%3E%3CP%3EI%20have%20configured%20SPF%20records%20with%20the%20Office%20365%20include%20for%20all%20domains%20that%20I%20manage%20as%20a%20minimum.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20configured%20DMARC%20records%20in%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CI%3E'Monitor'%3C%2FI%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Efor%20a%20few%20recent%20tenants%20recently%2C%20but%20I%20am%20yet%20to%20roll%20this%20out%20for%20all%20domains%2Ftenants.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20not%20configured%20custom%20DKIM%20for%20any%20tenants%20-%20I%20know%20that%20Office%20365%20has%20Default%20DKIM%20Signing%20configured%20(which%20is%20based%20on%20the%20default%20tenant%20domain%20name%20that%20you%20are%20given%20with%20all%20new%20tenants).%26nbsp%3B%3C%2FP%3E%3CP%3EMicrosoft%20recommend%20configuring%20DKIM%20if%3B%3C%2FP%3E%3CUL%3E%3CLI%3EYou%20have%20more%20than%20one%20domain%20in%20Office%20365%3C%2FLI%3E%3CLI%3EYou're%20going%20to%20set%20up%20DMARC%20too%20(recommended)%20-%20I%20can%20only%20assume%20DMARC%20doesn't%20work%20correctly%20with%20default%20DKIM%20don't%20work%2C%20hence%20the%20need%20to%20configure%20custom%20DKIM%20records%3F%3C%2FLI%3E%3CLI%3EYou%20want%20control%20over%20your%20private%20key%3C%2FLI%3E%3CLI%3EYou%20want%20to%20customize%20your%20CNAME%20records%3C%2FLI%3E%3CLI%3EYou%20want%20to%20set%20up%20DKIM%20keys%20for%20email%20originating%20out%20of%20a%20third-party%20domain%2C%20for%20example%2C%20if%20you%20use%20a%20third-party%20bulk%20mailer.%3C%2FLI%3E%3C%2FUL%3E%3CP%3EI'm%20trying%20to%20work%20out%20if%20I%20should%20set%20up%20all%20three%20of%20the%20above%20for%20all%20the%20tenants%20I%20manage%3F%20None%20have%20more%20than%2035%20users%20so%20I%20would%20classify%20them%20as%20SMBs.%3C%2FP%3E%3CP%3EI%20think%20if%20you're%20going%20to%20configure%20DKIM%2C%20you%20should%20configure%20DMARC%20to%20give%20instructions%20to%20recipient%20mail%20servers%20on%20what%20action%20to%20take%20if%20SPF%20and%20DKIM%20fail.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20looked%20at%20DMARC%20reports%20in%20the%20past%20(never%20received%20a%20forensic%20report%20-%20I%20don't%20think%20many%20mail%20providers%20generate%20these%20yet%3F)%20and%20cannot%20make%20much%20sense%20out%20of%20the%20detail%20included.%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20advice%20appreciated.%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-204330%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-204437%22%20slang%3D%22en-US%22%3ERe%3A%20DMARC%2C%20DKIM%20%26amp%3B%20SPF%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-204437%22%20slang%3D%22en-US%22%3E%3CP%3EI%20would%20recommend%20going%20over%20this%203-part%20series%20of%20blog%20posts%20on%20the%20subject%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-and-Compliance%2FSchooling-A-Sea-of-Phish-Part-3-Intra-Org-Email-Link-Scanning%2Fba-p%2F181470%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-and-Compliance%2FSchooling-A-Sea-of-Phish-Part-3-Intra-Org-Email-Link-Scanning%2Fba-p%2F181470%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20this%20very%20detailed%20article%2C%20which%20also%20reflects%20the%20current%20recommendations%3A%20%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fanti-spoofing-protection-in-office-365-d24bb387-c65d-486e-93e7-06a4f1a436c0%3Fui%3Den-US%26amp%3Brs%3Den-US%26amp%3Bad%3DUS%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fanti-spoofing-protection-in-office-365-d24bb387-c65d-486e-93e7-06a4f1a436c0%3Fui%3Den-US%26amp%3Brs%3Den-US%26amp%3Bad%3DUS%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

What's the latest advice on DMARC, DKIM and SPF for Office 365 tenants?

I have configured SPF records with the Office 365 include for all domains that I manage as a minimum. 

I have configured DMARC records in 'Monitor' for a few recent tenants recently, but I am yet to roll this out for all domains/tenants. 

I have not configured custom DKIM for any tenants - I know that Office 365 has Default DKIM Signing configured (which is based on the default tenant domain name that you are given with all new tenants). 

Microsoft recommend configuring DKIM if;

  • You have more than one domain in Office 365
  • You're going to set up DMARC too (recommended) - I can only assume DMARC doesn't work correctly with default DKIM don't work, hence the need to configure custom DKIM records?
  • You want control over your private key
  • You want to customize your CNAME records
  • You want to set up DKIM keys for email originating out of a third-party domain, for example, if you use a third-party bulk mailer.

I'm trying to work out if I should set up all three of the above for all the tenants I manage? None have more than 35 users so I would classify them as SMBs.

I think if you're going to configure DKIM, you should configure DMARC to give instructions to recipient mail servers on what action to take if SPF and DKIM fail. 

I have looked at DMARC reports in the past (never received a forensic report - I don't think many mail providers generate these yet?) and cannot make much sense out of the detail included. 

Any advice appreciated. 

Thanks

1 Reply
Highlighted

I would recommend going over this 3-part series of blog posts on the subject: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Schooling-A-Sea-of-Phish-Part...

 

And this very detailed article, which also reflects the current recommendations: https://support.office.com/en-us/article/anti-spoofing-protection-in-office-365-d24bb387-c65d-486e-9...