Secure your journey to Microsoft 365 email with DKIM and DMARC

DKIM is one of several email authentication methods, alongside SPF and DMARC, that help block attackers from sending messages that appear to come from your domain. DKIM places a digital signature in the message header of outbound email. When you set up DKIM, you allow your domain to cryptographically attach, or sign, its name to an email message. Email systems that receive mail from your domain can use this digital signature to verify that the message is authentic. The signature over a domain’s outbound email is produced with a private key; the matching public key is published in the domain’s DNS records, and receiving servers use that key to verify the signature. DKIM verification lets receiving servers confirm that the email genuinely came from your domain and not from someone spoofing it.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) works together with SPF and DKIM to authenticate mail senders. DMARC helps ensure that messages sent from your domain are accepted by destination email systems. Using DMARC in conjunction with SPF and DKIM gives organizations stronger protection against email spoofing and phishing. DMARC tells receiving mail systems what to do with messages from your domain that fail SPF or DKIM checks.

*Prerequisite: an SPF record should already be in place.

How to create and enable DKIM

First of all, we have to create the public DNS records at our registrar (DNS hosting) provider. Let’s find the required records.

Sign in to Microsoft 365 Defender at https://security.microsoft.com/dkimv2 and choose your domain.

Now you can create the DKIM keys.

Copy the keys and create the corresponding CNAME public DNS records at your registrar provider.

Allow some time for public DNS propagation, then go back to the DKIM page to enable the setting.

From now on, the header of every outbound email message is automatically signed with the DKIM private key. Let’s configure DMARC.

How to create and enable DMARC

The domain owner can use DMARC to specify how unauthenticated messages should be handled by mailbox providers (MBPs). This is done through a “policy” that is specified in the DMARC DNS record. The policy can be configured in one of three ways: none, quarantine, or reject.

Depending on the level of DMARC enforcement desired, a DMARC policy can be set to none, quarantine, or reject, where p is the DMARC policy tag:

A none policy (p=none) is the relaxed option and gives zero enforcement: any email received by the recipient’s mail server is delivered to the inbox regardless of whether it fails authentication.
The quarantine policy (p=quarantine) enforces DMARC: the domain owner asks the receiver to route emails that fail DMARC authentication into the spam folder.
Finally, the reject policy (p=reject) ensures that emails that fail authentication are not delivered to the recipient’s inbox at all, providing full enforcement.

Although there are other syntax options for Microsoft 365 that aren’t covered here, these are the most commonly used. Create a DMARC TXT record for your domain in the following format: _dmarc.domain TTL IN TXT "v=DMARC1; p=policy; pct=100"

domain is the domain you want to protect. By default, the record covers mail from the domain and all of its subdomains.

TTL should always be one hour. Depending on your domain’s registrar, TTL is expressed in hours (1 hour), minutes (60 minutes), or seconds (3600 seconds).

pct=100 indicates that the policy applies to all emails.

policy specifies what you want the receiving server to do when DMARC fails. It can be set to none, quarantine, or reject.
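As an added example (not code from this post, from Microsoft, or from the Defender portal), the following Python script parses a DMARC TXT record in the format shown above, derives from a DKIM-Signature header the DNS name a receiver looks up for the DKIM public key (the name the CNAME records created earlier must answer for), and works out what a receiver would do with a message depending on whether the aligned SPF or DKIM check passed. The sample record, the DKIM-Signature header and the domains are constructed placeholders; the alignment check is a simplified relaxed-alignment test, and the pct fallback follows RFC 7489 (a message left out of the sample gets the next weaker policy).

```python
# Constructed sample DMARC TXT record in the format the post describes.
SAMPLE_DMARC_TXT = "v=DMARC1; p=quarantine; pct=100"

# Constructed sample DKIM-Signature header as a signing domain would add it.
# The bh= and b= values are placeholders, not a real body hash or signature.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
    "h=From:To:Subject:Date; bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE="
)

VALID_POLICIES = ("none", "quarantine", "reject")

# When pct sampling leaves a message out, the receiver applies the next weaker policy (RFC 7489).
NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' string (DMARC record or DKIM-Signature) into a dict.
    Only the first '=' separates tag from value, so base64 padding in b=/bh= survives."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def parse_dmarc(record: str) -> dict:
    """Validate the DMARC fields the post uses (v, p, pct) and return them normalized."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("DMARC record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        raise ValueError(f"p must be one of {VALID_POLICIES}, got {policy!r}")
    pct_text = tags.get("pct", "100")  # pct is optional and defaults to 100
    if not pct_text.isdigit() or not 0 <= int(pct_text) <= 100:
        raise ValueError("pct must be an integer from 0 to 100")
    return {"policy": policy, "pct": int(pct_text)}


def is_valid_dmarc(record: str) -> bool:
    """True when the record parses under the checks above."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def dkim_key_name(dkim_signature: str) -> str:
    """DNS name a receiver queries for the signer's public key: <selector>._domainkey.<domain>.
    For a Microsoft 365 domain, this is the name the published CNAME record must exist under."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


def aligned(from_domain: str, auth_domain: str) -> bool:
    """Simplified relaxed alignment: one domain equals, or is a subdomain of, the other.
    A full implementation compares organizational domains using the public suffix list."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a or a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(record: str, from_domain: str, spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str, sample_roll: int = 1) -> str:
    """Decide what a receiver does with one message under the given DMARC record.
    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is d= from the signature.
    sample_roll is the receiver's 1..100 draw for pct sampling (1 = always in the sample)."""
    parsed = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain)
    if spf_ok or dkim_ok:
        return "pass"  # one aligned pass is enough; the policy is not applied
    if sample_roll > parsed["pct"]:
        return NEXT_WEAKER[parsed["policy"]]  # outside the pct sample
    return parsed["policy"]


if __name__ == "__main__":
    print("DKIM key lookup name:", dkim_key_name(SAMPLE_DKIM_SIGNATURE))
    print("Parsed DMARC record:", parse_dmarc(SAMPLE_DMARC_TXT))
    # Spoofed message: SPF passes for an unrelated domain, DKIM fails -> quarantined
    print(dmarc_disposition(SAMPLE_DMARC_TXT, "example.com", True, "mailer.example.net",
                            False, "example.com"))
```

The `dmarc_disposition` call in the `__main__` block models the case the post's quarantine policy is for: the sender's own infrastructure passed SPF, but for a domain that is not aligned with the visible From address, and no DKIM signature from the From domain verified, so the receiver routes the message to spam.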

You can use a tool to monitor the impact of DMARC; more info: Secure your journey to the cloud with free DMARC monitoring for Office 365 (microsoft.com)

More info about DMARC: Use DMARC to validate email, setup steps – Office 365 | Microsoft Learn

More info about DKIM: How to use DKIM for email in your custom domain – Office 365 | Microsoft Learn
