
How to use DKIM and DMARC to prevent spoofing?

Anonymous
2017-04-05T19:23:57+00:00

We've recently had some security issues with office 365.  We're trying to tighten up security by enabling rules that don't allow emails to be sent or received where the 5322.From and the 5321.MailFrom don't match.

According to this article - https://blogs.office.com/2015/01/20/enhanced-email-protection-dkim-dmarc-office-365/ , that can be achieved by using DKIM and DMARC.

What's unclear is exactly what does and does not have to be set up...and how. For example, if you look at the detailed article for DKIM - https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx - it says:

If you do not enable DKIM, Office 365 automatically creates a 1024-bit DKIM public key for your custom domain and the associated private key which we store internally in our datacenter. By default, Office 365 uses a default signing configuration for domains that do not have a policy in place. This means that if you do not set up DKIM yourself, Office 365 will use its default policy and keys it creates in order to enable DKIM for your domain.

So, does this mean we don't have to set up DKIM? How do we verify if DKIM is currently set up / working?

Also, the article for DMARC is also confusing - https://blogs.msdn.microsoft.com/tzink/2014/12/03/using-dmarc-in-office-365/ . It says you don't have to set up DMARC and that it's already enabled, but then number 2 section c is c) Set up DMARC records.

I'm very confused on how to actually use these features to prevent anyone using office 365 to send emails that appear to be from us, OR from us receiving emails where the mail from and from values don't match.  

Please help.


Locked question. This question was migrated from the Microsoft Support Community.


Answer accepted by question author

Vincent Choy, Volunteer Moderator
2017-04-17T06:08:23+00:00

Hi Ripper2020,

Office365 uses SPF, DKIM and DMARC as a form of spoof prevention. Note that these settings are set by the SENDER organization to prevent outsiders from spoofing their email.

For mails coming into your organization, your anti-spam filter checks the incoming mail to see if they have any SPF / DKIM inconsistencies (set by the email sender) and takes action based on the sender DMARC settings.

SPF defines the authorized sending servers. These are set when you configure your office365.

DKIM allows checking if your outgoing mail has been modified in any way.

DMARC sets what you want the recipient anti-spam to do if it receives a mail that is inconsistent with SPF or DKIM (report, quarantine or reject). 

Note the onus is still on the recipient anti-spam to act, and there are ways a spoofer will circumvent SPF and DKIM so your DMARC doesn't trigger.

More reading can be found here - 

https://dmarc.org/wiki/FAQ#How_does_DMARC_work.2C_briefly.2C_and_in_non-technical_terms.3F

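As an added illustration of the check the accepted answer describes (this is not code from the thread or from Office 365): a minimal DMARC policy evaluator in Python. It parses a constructed DMARC record, assumed to be published at _dmarc.example.com, and decides whether the SPF-authenticated 5321.MailFrom domain or the DKIM d= domain aligns with the 5322.From domain; if neither does, it returns the p= or sp= action the domain owner asked for. The organizational-domain lookup is simplified to the last two labels.

```python
from typing import Optional

# Constructed sample record, as it would be published in the TXT record at _dmarc.example.com
# (example.com is an assumed domain, not one from the thread).
SAMPLE_DMARC_TXT = "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # DKIM alignment is relaxed unless adkim=s
    tags.setdefault("aspf", "r")       # SPF alignment is relaxed unless aspf=s
    tags.setdefault("sp", tags["p"])   # subdomain policy falls back to p=
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: dict, record_domain: str, from_domain: str,
                      spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass', or the action the record requests ('none', 'quarantine' or 'reject').

    spf_pass_domain:  the 5321.MailFrom domain if SPF passed, else None.
    dkim_pass_domain: the d= of a DKIM signature that verified, else None.
    A message passes DMARC when either authenticated identifier aligns with the 5322.From domain.
    """
    if (aligned(spf_pass_domain, from_domain, record["aspf"])
            or aligned(dkim_pass_domain, from_domain, record["adkim"])):
        return "pass"
    # sp= governs subdomains of the domain the record was published for; p= governs the domain itself.
    is_subdomain = from_domain.lower() != record_domain.lower()
    return record["sp"] if is_subdomain else record["p"]
```

With the sample record, a message whose From is example.com and whose SPF-passing MailFrom is bounce.example.com passes (relaxed SPF alignment), while one with a MailFrom in an unrelated domain and no DKIM is quarantined.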

8 additional answers

  1. Anonymous
    2017-04-09T07:34:22+00:00

    Hi Ripper2020,

    Just let me know if you need any further assistance.

    Regards,

    Alan

  2. Anonymous
    2017-04-07T11:10:38+00:00

    Hi Ripper2020,

    Regarding your second concern in the initial part. DMARC authentication for inbound emails is enabled automatically. For outbound emails, you can set up DMARC records and define the policy action to make sure they are authenticated.

    Below is an article about how to block spoofing in Office 365:

    https://blogs.technet.microsoft.com/eopinsights/2015/09/18/block-spoofing-in-office-365/

    Let us know if you need any further assistance.

    Thanks,

    Chris

  3. Anonymous
    2017-04-06T16:45:18+00:00

    Sorry Alan, I don't understand your response.  Microsoft should post a clear, easy to understand guide on what steps need to be taken in order to prevent email spoofing including exchange rules and spam settings.  I can't find that anywhere.

  4. Anonymous
    2017-04-06T09:36:08+00:00

    Hi Ripper2020,

    For your first concern on “So, does this mean we don't have to setup DKIM?  How do we verify if DKIM is currently setup / working?”, I’d like to say you can understand that you don’t need to manually enable DKIM for your custom domain. As the reality of enabling DKIM is to publish a private key for signing into DNS of the custom domain so that the receiving server can decode the signing to validate that the coming email is legitimate. And, if you haven’t enabled DKIM for your custom domain, Office 365 will automatically create the key (public and private ones) and the policy for enabling DKIM. The biggest difference (between enabling DKIM and not enabling DKIM) is that we can customize the settings (2 CNAME records) while manually enabling DKIM. This can be found in that article, too (if we haven’t enabled DKIM, the required 2 CNAME records are missing).

    For your second concern “It says, you don't have to setup DEMARC and that it's already enabled, but then number 2 section c is c) Set up DMARC records.”, you need to understand what DMARC is used for. It is used for anti-spoofing and anti-phishing. If our domain is safe at present (no one masks to send from our domain), we don’t need to enable DMARC. But if your domain has been spoofed/phished, you need to enable DMARC to prevent this (spoofing or phishing). Actually, our domain can’t avoid the risk of being spoofed/phished, but we can enable DMARC for preventing this.

    Regards,

    Alan

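The accepted answer says DKIM lets the receiver check whether mail was modified in transit, and the answer above describes the signing keys; the added example below (not code from the thread or from Office 365) shows the body-hash part of that check in Python. It canonicalizes a received body per RFC 6376 and compares its digest with the bh= tag of the DKIM-Signature header. The message body, the header, the domain example.com and the selector name are constructed; verifying the b= signature against the public key in DNS is a separate step not implemented here.

```python
import base64
import hashlib
import hmac
import re

def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """RFC 6376 body canonicalization ('simple' or 'relaxed'); returns CRLF-terminated bytes."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Strip trailing whitespace on each line and collapse runs of WSP to a single space.
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":  # drop trailing empty lines
        lines.pop()
    if not lines:  # an empty body is a lone CRLF under simple and nothing at all under relaxed
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str, mode: str = "relaxed", algo: str = "sha256") -> str:
    """Base64 digest of the canonicalized body: the value a signer writes into the bh= tag."""
    return base64.b64encode(hashlib.new(algo, canonicalize_body(body, mode)).digest()).decode()

def parse_dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_unmodified(dkim_signature: str, body: str) -> bool:
    """True if the received body still hashes to the bh= value the signer recorded.
    c= is 'header/body' (body side defaults to simple); a= names the digest (rsa-sha256 -> sha256).
    Checking b= against the selector's public key from DNS is a separate step, not done here."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]
    expected = tags.get("bh", "").encode()
    return hmac.compare_digest(body_hash(body, body_mode, algo).encode(), expected)

# Constructed sample: the body as the sending system signed it, plus a DKIM-Signature whose bh=
# comes from the same body_hash() step a real signer runs. d= and s= are made up; b= is a placeholder.
SENT_BODY = "Invoice #1234 is attached.\r\nPlease pay by Friday.\r\n"
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;\r\n"
                    " h=from:to:subject:date; bh=" + body_hash(SENT_BODY) + "; b=PLACEHOLDER")
```

Under relaxed canonicalization the check still passes if a relay only re-wraps whitespace or adds trailing blank lines, but fails as soon as the wording changes.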