Exchange Online, DMARC, SPF and Outbound Messages.


Hey Guys,

Using Exchange Online here and have some questions regarding outbound DMARC checking, and Mail-from vs From: address checking for SPF. (All cloud based, no local on-prem servers.)

1) I see that Office 365 supports outbound DMARC checking for outbound messages. I see this in the documentation: https://docs.microsoft.com/en-us/office365/securitycompliance/use-dmarc-to-validate-email#what-is-a-...

Under how Office 365 handles outbound messages that fail DMARC. I thought that DMARC was only checked by the inbound mail servers of the destination domain?

For instance, if I send an email to user@gmail.com from my Office 365 domain, wouldn't only Gmail check the DMARC/DKIM/SPF of the messages as it's received?

2) Assuming that DMARC/DKIM is not enabled, when a message is sent an Office 365 Mailbox (all cloud, using EOP), are both Mail from and From: checked for SPF alignment? I think no but I want to be sure.

3) Does Office 365/EOP perform PRA/HELO checking on inbound messages for users whose mailboxes are on the cloud?

4) Is there any way to use your own DKIM key pair with Office 365? For instance, you use your own private key to sign messages? (Keeping all mail on premise, not relays or 3rd party solutions.)

5) Does Office 365/EOP support SenderID: https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/sender-id?vie...

On-prem Exchange does, and you can add the necessary records to support Sender ID. But I don't see any mention of it for Office 365.

Here is an example of SenderID: "spf2.0/pra,mfrom a include:spf.protection.outlook.com -all". Checking to see if that type of TXT record is also supported in Office 365.

(You would remove the standard v=spf record)

Thanks,

Robert

2 Replies
Hi Robert,

1. Office 365 does check DMARC on outbound mail if you set it up. These articles may help to explain why you would do so:

https://www.dmarcanalyzer.com/inbound-protection-outbound-control-dmarc/

https://dmarc.org/wiki/FAQ#Why_should_a_Sender_care_about_DMARC.3F

With DMARC, checks are usually implemented inbound and outbound as standard.

2. No, SPF checks the envelope from address, not the From: address. DKIM checks the From address. The best article for this I find is here, which is a series of 3 articles on SPF, DKIM and DMARC:

https://blog.returnpath.com/how-to-explain-spf-in-plain-english/

Hope that helps and I have answered your question.

Best, Chris
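
An added example, not part of the original thread and not Microsoft's code: DMARC identifier alignment as defined in RFC 7489, where SPF authenticates the envelope MAIL FROM domain, DKIM authenticates the signature's d= domain, and DMARC passes only when one of them both passes and aligns with the From: header domain. The domains and messages are constructed, and `org_domain` is an assumption that takes the last two labels instead of consulting the Public Suffix List.

```python
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    # "s" = strict (exact match); "r" = relaxed (same organizational domain).
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_eval(from_header, mail_from, spf_result, dkim_sigs, aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    spf_result is the receiver's SPF verdict for the MAIL FROM domain;
    dkim_sigs is a list of (d= domain, verdict) pairs, one per signature.
    """
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_domain = mail_from.rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(v == "pass" and aligned(d, from_domain, adkim)
                  for d, v in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages (domains are placeholders).
DIRECT = dmarc_eval("Robert <robert@example.com>", "robert@example.com",
                    "pass", [])
# Third-party sender: SPF passes for its own bounce domain, which does not
# match the From: domain, so the SPF pass does not count for DMARC.
THIRD_PARTY = dmarc_eval("Billing <billing@example.com>",
                         "bounce@mailer.example.net", "pass",
                         [("example.net", "pass")])
# Same message, now DKIM-signed with a subdomain of the From: domain.
SIGNED = dmarc_eval("Billing <billing@example.com>",
                    "bounce@mailer.example.net", "pass",
                    [("mail.example.com", "pass")])
SIGNED_STRICT = dmarc_eval("Billing <billing@example.com>",
                           "bounce@mailer.example.net", "pass",
                           [("mail.example.com", "pass")], adkim="s")

if __name__ == "__main__":
    for name, r in [("direct", DIRECT), ("third party", THIRD_PARTY),
                    ("signed", SIGNED), ("signed, adkim=s", SIGNED_STRICT)]:
        print(f"{name:16} {r}")
```
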

Thanks Chris. That's so strange because on-prem Exchange servers check mail from, from and HELO. I would have expected EOP to do the same. I guess not, without using DKIM.

Thanks,

Robert