The starting point is to review the SPF and DKIM settings. We would also recommend Microsoft’s guide – Set up SPF in Office 365 to help prevent spoofing. How your SPF record is formatted depends on if whether Office 365 is the only service:
If you’re using only Office 365:
v=spf1 mx include:spf.protection.outlook.com ?all
If you’re using other services as well, add `include:spf.protection.outlook.com` to your existing SPF so it looks similar to:
v=spf1 include:spf.serviceA.com include:spf.protection.outlook.com ?all
Once you gain confidence that the SPF record is implemented correctly, change ?all to -all.
Inbound vs Outbound
In the above article, Microsoft makes a distinction between inbound and outbound based emails. From the perspective of DMARC, the key aspect for the protocol is to identify legit from fake emails, so it’s not that concerned about the destination. However, the terms are relevant to DMARC implementation, as the terms reflect the different organizational management and support responsibilities – ie: inbound email managed and supported by IT Operations and outbound email by marketing, customer care and other functional teams. Implementation of DMARC for inbound and outbound email follow the same guidelines of SPF and DKIM record management; however outbound email requires thinking about subdomains, full or CNAME or manual based delegation and basic third-party vendor management.
Third-Party Secure Email Gateways
Office 365 subscribers seem to have a third-party email cloud filtering service as an added inbound layer, more so than Gmail subscribers – ie: ProofPoint, Cisco, Forcepoint(Websense), Symantec, Mimecast etc.
These are classified as traditional email secure gateways that require the MX record to be changed to route email to their infrastructure. Although Office 365 sits behind these third-party gateways, it will still validate SPF, DKIM and DMARC records. This introduces a number of issues for both inbound and outbound that need to be addressed. Take inbound for example, Office 365 SPF validation will fail as the source will show up as the third-party email gateway – typically solved with a white-list rule. For outbound, DKIM signature will need to be configured on the third-party email gateway, as Office 365 based DKIM signatures will fail if the third-party email gateway adds any disclaimers to all outbound emails.
Create your DMARC record and add it to a subdomain of your domain in the format _dmarc.yourdomain.com (remember the underscore in the front)
There are a number of options for creating the record :
- Use dmarcian’s DMARC Record Wizard to generate the record – basic technical expertise required and all email is sent to your designated inbox.
- Register for a trial on dmarcian – very little technical expertise is required – a DMARC record is created, and guidance is given on how to place it in your domain’s DNS. Reports will be sent to the dmarcian dashboard for easier interpretation.
Use a DMARC dashboard to interpret the XML reports. Once you are confident that all of your email resources are accounted for, you can move forward with restricting your DMARC policy so that only legitimate senders are using your domain.
If you registered with dmarcian you’re already on your way. Reports should be appearing within a few days of creating the DMARC record in your domain’s DNS. If you haven’t, we invite you to register for a free 14-day trial where you’ll get some help along the way!