2020 has not been a good year for a number of businesses, and during the COVID-19 pandemic many businesses faced an increased number of spoofing attacks and phishing attempts.
Mimecast (an IT security company) showed in a study that 60% of the companies surveyed noticed an increase in email impersonation, with email attacks increasing by 30% in the first 100 days of the COVID-19 pandemic.
Also, 97% of IT decision makers are aware of DMARC (Domain-based Message Authentication, Reporting and Conformance); however, only 28% are currently employing it.
Mimecast surveyed 1,025 IT decision makers.
Reference: COVID-19 Drives Increase In Email Spoofing Attacks: Study, 06/09/2020 (mediapost.com)
In simple words, DKIM adds a digital signature to the headers of messages sent by your organization; the recipient of your email can use this signature to verify that those emails are legitimate and truly sent by you. It uses a private/public key pair to sign the message headers.
DMARC, on the other hand, is a validation mechanism: you tell the recipient how to deal with emails from your domain that fail SPF or DKIM verification.
Microsoft uses DKIM by default for all .onmicrosoft.com domains, which means that your YYYY.onmicrosoft.com (default) domain is already DKIM enabled.
So if you want to enable DKIM for your custom domain (most likely you have one or more) and you want to use DMARC too (which is best practice), you have to enable DKIM for your custom domain manually.
This article assumes that you have a correctly published SPF record; if not, please publish one before proceeding with the steps below.
In order to enable DKIM you need to add two records of type CNAME to your public DNS.
In the template records, the XXXX placeholder is your custom domain and the YYYYY placeholder is your default .onmicrosoft.com domain; both must be modified to mirror your tenant.
Let's say you have a tenant with the default domain TheAzureBroblog.onmicrosoft.com and you have added and verified the custom domain Azurebro.com; your records should look like this:
selector1-AzureBro-com._domainkey.TheAzureBroblog.onmicrosoft.com
selector2-AzureBro-com._domainkey.TheAzureBroblog.onmicrosoft.com
Be careful when adding a multi-level custom domain, for example azurebro.com.jo: write it with dashes, not dots (azurebro-com-jo).
After publishing the above two records you can enable DKIM for your custom domain from the Office 365 portal.
Use www.mail-tester.com/spf-dkim-check to verify that your DKIM records are correctly published.
Now, to enable DMARC you should publish one record of type TXT, as below.
As with the previous records, the XXXX placeholder is where your custom domain goes, this time with dots rather than dashes if it is a multi-level domain:
_dmarc.AzureBro.com
The p part of the value stands for policy: how the recipient is going to react to messages from your domain if DKIM or SPF have failed. The policy can be none (does nothing, but is good for testing first), quarantine (failed emails are sent to the recipient's spam folder), or reject (emails will not be delivered).
A DMARC record can have many other parameters too, like pct (the percentage of messages DMARC will be applied to) and rua and ruf (used for monitoring and enhanced reporting). Unfortunately, Office 365 doesn't provide a built-in tool for monitoring and reporting on DMARC; there are many 3rd-party tools and I will be covering one of them in upcoming articles 😊
Use https://dmarcian.com/dmarc-inspector/ to verify your DMARC record.
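As an added example (not part of the original post), here is a small Python helper that derives the two DKIM CNAME targets and the _dmarc record name from a custom domain and tenant domain using the dots-to-dashes rule described above, and then checks a DMARC TXT value for the weak or missing settings discussed (p, pct, rua). The left-hand CNAME host names selector1._domainkey.<custom domain> and selector2._domainkey.<custom domain> are an assumption taken from Microsoft's documented format, not from this post.

```python
# Added example (not from the original post). Record layout assumptions:
# the CNAME host names selector1._domainkey.<custom domain> and
# selector2._domainkey.<custom domain> follow Microsoft's documented format;
# the targets and the _dmarc name follow the rules given in the post.
SELECTORS = ("selector1", "selector2")
VALID_POLICIES = ("none", "quarantine", "reject")

def dkim_cname_records(custom_domain: str, tenant_domain: str) -> dict:
    """Map each CNAME host name to its target for the two Office 365 selectors.
    The target embeds the custom domain with dots replaced by dashes, which is
    the multi-level domain rule from the post (azurebro.com.jo -> azurebro-com-jo)."""
    dashed = custom_domain.replace(".", "-")
    return {
        f"{sel}._domainkey.{custom_domain}":
            f"{sel}-{dashed}._domainkey.{tenant_domain}"
        for sel in SELECTORS
    }

def dmarc_record_name(custom_domain: str) -> str:
    """The DMARC TXT record lives at _dmarc.<domain>; dots are kept here."""
    return f"_dmarc.{custom_domain}"

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str) -> list:
    """Return the findings a reviewer would raise about a published DMARC value."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append("p must be one of none, quarantine, reject")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject once reports look clean")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct must be an integer between 0 and 100")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address, so aggregate reports will never arrive")
    return findings
```

Run `assess_dmarc` against the TXT value you intend to publish before you publish it; an empty list means none of the issues above were found.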
So that's it: you have enabled DKIM and DMARC for your domain and helped make the world a better place by reducing spoofing from your domain 😊