Office 365 SPF, DKIM and DMARC
In this post we will discuss how to protect your mail flow in Office 365 using SPF, DKIM and DMARC. These are email authentication protocols and mechanisms that rely on DNS to protect your mail from phishing and spoofing.
Email is considered the main entry point for attacks on your domain or organization. Whether it is an on-premises Microsoft Exchange server or Office 365 software as a service, the same threat applies. Spoofing and phishing come in as the number one attack vector according to an F5 report, and Kaspersky also reported that phishing attacks doubled in 2018. It is clear that email spoofing and phishing are easier than other, more complicated attacks. The attacker can target a specific person by gathering all the needed data and information from social media. We as humans tend to talk about and share our hobbies, interests, activities and more on different social media channels. A smart attacker can easily identify your profile and spot the areas that will most attract you.
The next step will be crafting an email targeting your interests, latest projects, hobbies and so on: anything that makes you open, read and interact with the email. This is the art of social engineering. By opening this email, responding to it or clicking the link inside it, you have opened a door for the attacker. This can mean downloading a malicious file, opening a port and channel back to the attacker's server, or simply replying directly to a spoofed mail. In the end, the attacker now owns your computer or your account. Just like that, without needing to attack firewalls and other complicated devices, he was able to reach you directly via email. This is why it is becoming the number one attack vector.
Once the attacker owns your machine, he can easily move through your network and domain. This is known as lateral movement. The attacker can keep moving through your domain until he finds a high-value machine such as your domain admin's computer. Now it is only a matter of time until the attacker owns your network.
Office 365 EOP Protection
The Office 365 email system is mainly protected by EOP. EOP stands for Exchange Online Protection, which protects your email from spam, viruses and so on. Our main goal here, however, is to build on the normal EOP protection by targeting spoofing and phishing protection for your Office 365 domain using SPF, DKIM and DMARC. For more information on EOP protection, please check this article from my MVP friend Ammar Hasayen on EOP architecture.
Spoofing versus Phishing
When you think about spoofing, remember the Mission: Impossible movies, where Tom Cruise takes off the mask after impersonating someone else's character. That is exactly what spoofing is: pretending to be someone legitimate. You receive an email that claims to be from your boss, CEO, main service provider or bank, asking you to connect or perhaps to send some sensitive data. The message will look almost the same as an original, legitimate one. Spoofing normally ends with a specially crafted malicious file being sent to you. Once the user clicks the link or opens the attachment, the malicious file is installed on the computer or device. That is why spoofing is sometimes described as a method of delivering bad files to you.
Phishing, on the other hand, uses the art of social engineering to lure users. It is mainly a form of spoofing where users receive an email that looks legitimate, asking them to click a specific link or directing them to a specific site. The email will look very legitimate, with the same format and logo as the original, and a normal user would fall victim to this kind of mail. The main purpose is to make the user connect and enter his credentials. Remember that your credentials (username and password) are your identity on the internet, and the main target is to get users to reveal them. In the next section we will see how to protect your custom domain in Office 365 using SPF, DKIM and DMARC.
What are SPF Records?
SPF (Sender Policy Framework) is a DNS TXT record required during the setup of Office 365 domain mail connectivity. SPF helps validate the origin of your outgoing mail: your recipients can check your SPF record to ensure the mail is coming from your authorized mail servers. The SPF record lists the domain's authorized mail servers and the IP addresses allowed to send mail from your domain.
So let us imagine I am sending an email from my ITCalls.net mailbox to someone at XYZ company (for example [email protected] to [email protected]). First, XYZ company's mail service should be configured to validate and verify SPF records. Secondly, the XYZ system will query the ITCalls domain for its SPF record to ensure the mail it received came from the IP address of an authorized outgoing mail server; these mail servers are the ones published in the SPF record. So SPF mainly protects other domains by validating your outgoing mail, and this helps prevent spoofing and phishing by verifying my domain to external domains. If someone is pretending to be me (spoofing) and sending emails from the ITCalls domain, he will be easily spotted, since those mails do not originate from my legitimate servers but from other, spoofed IP addresses. Finally, based on the SPF policy, the mail may be blocked or marked as spam.
How to configure the Office 365 SPF Record?
As I mentioned earlier, SPF is a DNS TXT record. If your domain and mail are fully hosted in the Microsoft Office 365 cloud, then your Office 365 SPF record will be “v=spf1 include:spf.protection.outlook.com -all”
- v=spf1 – This is the common start of every SPF record.
- include:spf.protection.outlook.com – This is the default SPF mechanism authorizing Office 365 to send mail for hosted domains. If you also have on-premises Exchange servers, add an ip4:x.x.x.x mechanism for each on-premises outbound Exchange server.
For more information on the SPF TXT record syntax please check here.
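To show what the receiving side actually does with that record, here is an added example (my own code, not from the original post or from Microsoft): a minimal SPF evaluator that walks the ip4:, include: and all mechanisms against a constructed, offline DNS table, so the itcalls.net record, the Office 365 ranges and the on-premises server address are all made-up stand-ins.

```python
# Added example, not from the original post: a minimal SPF evaluator that
# walks the ip4:, include: and all mechanisms the way a receiving server
# (XYZ company's, in the post's scenario) would. DNS is replaced by a
# constructed lookup table so it runs offline; the IP ranges are made up.
import ipaddress

# Constructed TXT records. The first is the hybrid record the post
# describes (Office 365 include plus an on-premises server); the ranges
# behind spf.protection.outlook.com are fake stand-ins for Microsoft's.
DNS_TXT = {
    "itcalls.net": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip."""
    if depth > 10:                       # RFC 7208 limits include recursion
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                    # domain publishes no usable SPF
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: matches only if the included record returns "pass"
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]  # "-all": everything else fails
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    print(check_spf("itcalls.net", "198.51.100.7"))   # pass (via include)
    print(check_spf("itcalls.net", "203.0.113.99"))   # fail (-all)
```

Mail from an address inside the Office 365 ranges passes through the include, the on-premises server passes through its ip4 entry, and anything else hits the trailing -all and fails.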
- First, open your Office 365 portal and click on Admin.
- Secondly, click on Setup – Domains.
- Finally, click on your domain name. This opens the required DNS settings, and for Exchange Online you can find the exact record to be placed in your DNS. Copy this record, go to your domain's external DNS provider (Google, Cloudflare, Verisign, GoDaddy etc.) and create the needed TXT record.
What are the DKIM Settings?
So we are still configuring and protecting our Office 365 custom domain mail. The main goal is to protect against phishing and spoofing attacks. We want no one to be able to pretend to be us, by adding controls that assure our recipients that a mail is really coming from us. If they cannot verify it or the checks fail, then it is most likely someone spoofing our mail.
DKIM stands for DomainKeys Identified Mail. It works by signing every email coming from your domain with a specific key (the private key). As you can guess, you publish the corresponding public key in your external DNS. Now anyone receiving your mail can verify the signature on the message using that public key. This is a typical public/private key process. DKIM is considered a better solution than SPF because it verifies your domain using a cryptographic signature carried in the message header, while SPF relies only on IP addresses.
DKIM requires you to create two CNAME records. Why two? Because Exchange / Office 365 rotates between the two selectors to expire old keys and activate new ones. As you will see in the next section, the two records point to names under your default Microsoft domain “xxxxx.onmicrosoft.com”. This is because Microsoft controls that domain, which allows it to manage the keys used to sign these messages.
How to configure DKIM for your Office 365 domain?
- First, open the Office portal as we did for SPF and go to the Admin portal. This time we will open the Exchange settings.
- Secondly, go to Protection and then DKIM.
- Then we need to enable DKIM. This first attempt will fail because DKIM cannot find the CNAME records in DNS. These records point to the public keys.
- We need to add these two CNAME records to the external DNS. For each custom domain you need to add two CNAME records. When we tried to enable DKIM in the previous step, we got a popup message with the required CNAME records. They are in the following format:
Host name: selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
Host name: selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
- Finally, after adding the two records, wait a few minutes for DNS propagation, then go back and enable DKIM.
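To make the CNAME indirection concrete, here is an added example (my own code, not from the post or from Microsoft) of how a receiving server locates the public key for an Office 365 DKIM signature: it reads the s= and d= tags from the DKIM-Signature header, queries <s>._domainkey.<d>, follows the CNAME you just published and parses the key record under the tenant's onmicrosoft.com name. The tenant name, domain GUID, signature header and key text are constructed stand-ins.

```python
# Added example, not from the original post: how a receiving server finds
# the public key for an Office 365 DKIM signature. It reads the s= and d=
# tags from the DKIM-Signature header, queries <s>._domainkey.<d>, follows
# the CNAME you published and parses the key record under the tenant's
# onmicrosoft.com name. The tenant name, domain GUID and key are made up.

# Constructed DNS. Only selector1's CNAME is published here, which is the
# state halfway through step 4 above: selector2 still cannot be resolved.
DNS_CNAME = {
    "selector1._domainkey.itcalls.net":
        "selector1-itcalls-net._domainkey.contoso.onmicrosoft.com",
}
DNS_TXT = {
    "selector1-itcalls-net._domainkey.contoso.onmicrosoft.com":
        "v=DKIM1; k=rsa; p=PUBLIC-KEY-BASE64-PLACEHOLDER",
}

# Constructed DKIM-Signature header in the shape Office 365 adds it
DKIM_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=itcalls.net; "
                  "s=selector1; h=From:To:Subject:Date; bh=...; b=...")


def parse_tags(value):
    """Split 'tag=value; tag=value' (DKIM tag-list syntax) into a dict."""
    tags = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip()] = val.strip()
    return tags


def dkim_key_name(signature_header):
    """DNS name the verifier queries for the key: <s>._domainkey.<d>."""
    tags = parse_tags(signature_header)
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def fetch_dkim_key(name):
    """Follow the CNAME chain to the TXT record; None if the key is absent."""
    seen = set()
    while name in DNS_CNAME and name not in seen:   # avoid CNAME loops
        seen.add(name)
        name = DNS_CNAME[name]
    txt = DNS_TXT.get(name)
    if txt is None:
        return None          # missing CNAME: this is why enabling DKIM fails
    tags = parse_tags(txt)
    # v= is optional in DKIM key records but must be DKIM1 when present
    return tags if tags.get("v", "DKIM1") == "DKIM1" else None
```

Looking up selector2 in this table returns None, which is exactly the condition that makes the enable step in the portal fail until both CNAME records exist.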
DMARC – Final piece in your complete protection?
An email message header normally contains many fields and addresses. I would highly recommend that you grab an email and start analyzing its header. A highly recommended tool for analyzing email message headers is the Microsoft Remote Connectivity Analyzer.
It has several tabs and options to test different Microsoft applications such as Exchange and Skype. However, the last tab is the one we are looking for: the Message Analyzer. Here you can paste the message header and analyze it. But how do we get the message header? First, open Outlook and open any email. Secondly, click File – Properties, which opens the message properties. Finally, at the bottom you will find the Internet headers, which you can copy into the Microsoft Remote Connectivity Analyzer.
Message Header Basics: What is the problem?
We have two important headers to check:
- The “Mail From” address, sometimes called the Return-address or Return-Path. This is the bounce address to which all non-delivery reports and bounces are sent.
- The “From” address. This is the one you normally see in your mail client, which is the sender's address. For example, if [email protected] sends to [email protected], then the From address will be [email protected].
Ideally both addresses will be the same. Take any email message and analyze it using the Remote Connectivity Analyzer to verify this.
So what is the problem? The previous two techniques, SPF and DKIM, only verify the “Mail From” address. They check this address and its domain against the authorized list in SPF or the signature in DKIM.
Now a clever attacker would put a legitimate address in the “Mail From” field, such as [email protected]. The attacker already owns this obscure domain and has created SPF and DKIM records for it so that it looks legitimate. On the other hand, the “From” address, which the user sees, will carry the spoofed address such as [email protected]. SPF and DKIM will verify the “Mail From” domain, and it will mostly pass, since that domain has correct SPF and DKIM records in DNS (the attacker owns it).
This is where DMARC comes into play: it checks the “From” address domain as well and compares it with the “Mail From” domain. Depending on whether you use a relaxed or strict alignment policy (for SPF and DKIM), the message will pass or fail.
Configuring your DMARC records for Office 365 Custom domain
There is nothing to be done from the Office 365 Admin portal. By default Microsoft checks and verifies DMARC for all inbound mail. What we need to set is the DMARC record in our DNS, so that our outbound mail can be checked by our recipients.
There is a nice DMARC record creation wizard on the dmarcian site that I would like to introduce:
- The first step is identifying and typing the domain that you would like to protect.
- Next is the DMARC policy: is it just monitoring (data collection) or does it take action (quarantine)?
- Who will receive the DMARC reports and the blocked mail reports?
- Next you need to specify whether you want individual mail reports. These are detailed and not required at the beginning.
- Next is one of the main critical choices: do you need relaxed or strict alignment? Strict means the domain must exactly match the “Mail From” domain validated by your SPF.
- Is there any need for a different policy for any subdomains you might have? Normally it will be the same policy.
- Do you want to apply this DMARC policy to all your emails (100%) or just a sample? Some people prefer to start with a sample of emails to monitor the DMARC responses and whether there is any effect on mail flow.
- Finally, you will get the exact DMARC DNS TXT record that you need to enter in your external DNS server. Copy this record, update your external DNS (GoDaddy, Cloudflare etc.) and give it some time to propagate. Remember, you need to protect your Office 365 domain using SPF, DKIM and DMARC together: all three are needed, as the DMARC policy relies on SPF and DKIM.
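Here is an added example (my own code, not from the post or from dmarcian) of the alignment test that DMARC adds on top of SPF and DKIM, run against the spoofing scenario from the message header section and against a record of the kind the wizard produces; the domains, the record and the report address are constructed stand-ins, and the organizational-domain rule is simplified to the last two labels.

```python
# Added example, not from the original post: the alignment test DMARC adds
# on top of SPF and DKIM, run against the spoofing scenario in the message
# header section above and against a record of the kind the dmarcian wizard
# produces. The domains and report address are constructed stand-ins.

# Constructed TXT value of the kind published at _dmarc.mydomain.com
DMARC_RECORD = ("v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@mydomain.com")


def parse_dmarc(record):
    """Tag list into a dict, with RFC 7489 defaults for absent tags."""
    tags = {k.strip(): v.strip() for k, _, v in
            (p.partition("=") for p in record.split(";")) if k.strip()}
    for tag, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(tag, default)
    return tags


def org_domain(domain):
    """Simplified organizational domain (last two labels); real verifiers
    use the Public Suffix List so that names like example.co.uk work."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """s (strict): exact match. r (relaxed): same organizational domain."""
    if auth_domain is None:
        return False                      # that check did not pass at all
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(record, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain / dkim_domain: the Mail From domain if SPF passed and the
    d= domain of a verified DKIM signature, else None. Returns (result, action)."""
    policy = parse_dmarc(record)
    if policy.get("v") != "DMARC1":
        return ("none", "none")
    if (aligned(from_domain, spf_domain, policy["aspf"])
            or aligned(from_domain, dkim_domain, policy["adkim"])):
        return ("pass", "none")
    return ("fail", policy.get("p", "none"))


# The post's scenario: SPF and DKIM pass for the attacker's own domain, but
# it is not aligned with the From domain the user sees, so DMARC fails.
SPOOF_VERDICT = dmarc_result(DMARC_RECORD, "mydomain.com",
                             "attacker-owned.example", "attacker-owned.example")
```

With aspf=r a bounce subdomain in Mail From still aligns, while with adkim=s a DKIM signature for a subdomain does not, which is the relaxed-versus-strict choice the wizard asks about.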
In this post I tried to explain how to protect your mail domain in Office 365 using SPF, DKIM and DMARC. These three authentication protocols and mechanisms are very effective at protecting your mail domain from spoofing and phishing attacks. You can always verify and inspect your DMARC DNS settings with the DMARC inspector site or any other tool to ensure the record is properly propagated and configured. Troubleshooting DMARC can be tricky, and I discussed earlier one of the key scenarios for troubleshooting DMARC, which you can refer back to here.
Remember, phishing and spoofing are the main attack vectors now, and you can easily protect your domain using these records. Go ahead and give it a try and save your domain. Hopefully this lengthy post was helpful; see you soon.