Rely solely on DKIM, remove spf.protection.outlook.com from SPF record?
Question: Is there anyone that already has removed the spf.protection.outlook.com entry for their Office 365 hosted mail domain, and how has this impacted deliverability? Situation: In order to protect our email from being spoofed, we have a DMARC policy in place that recipient email servers respect to filter out unauthenticated emails sent from our mail domain. As we all know, DMARC authentication can take place either by publishing the autorized sending servers IP's/netblocks in the domains SPF record, by publishing DKIM keys, or both. One of the mechanisms has to align, two is fine as well of course For our mail domain, both the SPF mechanism as well as the DKIM mechanism are used at this moment. Two assumptions: 1. The SPF record's entry for Office 365 (include:spf.protection.outlook.com) is used by ALL Office 365 tenatnt/customers and contains all the possible IP's that Office 365 uses to send outgoing email. 2. The DKIM key used by Office 365 to cryptogarphically sign mails that are sent out from our mail domain is unique for our tenant. When inspecting the DMARC reporting, i noticed that some emails were not signed with the correct DKIM keys, but are labeled as 'aligned'. Quite possibly, these emails were sent from within some Office 365 tenant, but not from our tenant and thus, quite possibly, malicious. Statement: On hosted email platforms such as O365 and gmail, SPF isn't good enough because all their good customers and all their abusive customers use spf.protection.outlook.com (or spf.gmail.com for that matter) for spf lookups. The spf record is only a simple txt lookup with no logic or cryptographic keys involved. By removing the SPF element from the equasion our email domain, we rely solely on the DKIM signing, which is unique and cryptographically sound. Email deliverability should not be impacted for DMARC compatible mailservices, but will be lower for email services that are not DMARC-compliant.
Outlook server fail DMARC
Hello Community ! I started to implement SPF/DKIM/DMARC on my domain for the past week, and noted something strange on my reports : a small percentage of my mails fail DMARC for SPF As you can see on the screenshot above, we can see that the header "MailFrom" is filled with an Outlook server, which is the reason why my DMARC is not aligned ( as my domain is not outlook.com ) However, something bother me : why does Outlook servers does not change this header for my domain name ? As is it only for 10% of my mails, I suppose that for 90% of them, it changes the header, right ? Thank you for your help !
DMARC reporting for Exchange on-premise
I need advise on generating human-readable DMARC reports without the use of any external reporting services provided by many companies out there. I was hoping someone has any idea of a tool that can be installed and used on-premise. It would be nice to have if the tool is also able to present recommendations or remediation tasks. Thank you.
