HowTo: DMARC and Microsoft 365 part 2

This article is split into multiple parts.
– The first part will explain DMARC and the relationship with DKIM and SPF.
– The second part will show you how to configure DMARC for your Microsoft 365 Exchange Online (Office 365).
– The third part will show you some of the online tools you should consider for parsing the DMARC reports and finding the hosts that are sending mails from your domain.


Configuring Microsoft 365 Exchange Online for DMARC

As you now know, DMARC doesn’t make sense without DKIM and SPF, so we need to set those up first.


Let’s start with DKIM

Open up your Exchange Online Admin portal and log in with your admin account: https://outlook.office365.com/ecp/

Click the Protection menu and then the DKIM tab.

If you click Enable before preparing your DNS for DKIM you will be presented with a yellow box describing the missing CNAME records. Make a note of these.

And now you may ask: “CNAME? Didn’t you say it was based on TXT records?”

Correct! But Microsoft decided to help you out a bit here. The DKIM private and public keys need to be rotated now and then, and instead of leaving you to update the public key in your DNS, Microsoft lets you point a CNAME record to their DNS, which automagically updates your public key when the private key is replaced. This means less work and less “downtime” for you.

All you need to do is create the two CNAME records mentioned in the yellow box. They could look like this:

Generally it takes anywhere from a few minutes to a few days for DNS changes to take effect. In my experience I rarely need to wait more than 20 minutes. Once the change is made you can try the Enable button mentioned above and hopefully it will say something like
“Sign messages for this domain with DKIM signatures: Enabled”

That’s it – now you have a working DKIM installation.


SPF is even easier!

In fact it’s more than likely that you already have an SPF record as Microsoft guides you through this when you add a custom domain to your Microsoft 365 tenant.

But let’s go through it anyway, it only takes a few minutes.

Start up your Microsoft 365 Admin Portal: https://admin.microsoft.com/ and click Settings -> Domains and then your desired domain.

This should lead you to the domain setup page, where you click on the tab called DNS records.

Notice the TXT record specifying the SPF settings. You need to add this to your DNS if you haven’t already.

Another task complete! SPF is now in effect and the entire cluster of Microsoft SMTP servers assigned to Exchange Online is being whitelisted as valid hosts.


Last but not least you need the DMARC record

Go back to your DNS settings and add another TXT record called _dmarc.yourdomain.com, like this:

We start out with a p=none policy so we can first verify all settings and all hosts sending mail. The rua= and ruf= tags need to contain a valid email address where you want the DMARC reports sent. Beware that the volume of reports can be rather large if you manage a domain with a lot of users.
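A pre-publish check for the record described above, as an added example that is not part of the original article: it parses a DMARC TXT value and reports problems, including report addresses that are not written as mailto: URIs and report mailboxes in another domain, which has to publish an authorization record before receivers will send reports there. The function names, domains and addresses are constructed for illustration, and the check assumes the domain passed in is your organizational domain.

```python
# Added example, not from the original article. All names, domains and
# mailbox addresses are constructed placeholders.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict (insertion order is kept)."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
        elif name:
            raise ValueError(f"malformed tag: {name!r}")
    return tags

def lint_dmarc(domain, record):
    """Return findings for the TXT value published at _dmarc.<domain>.

    Assumption: `domain` is the organizational domain, so any report
    mailbox outside it counts as an external destination.
    """
    domain = domain.lower().rstrip(".")
    tags = parse_dmarc(record)
    findings = []
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        findings.append("v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    for tag in ("rua", "ruf"):
        if tag not in tags:
            findings.append(f"{tag}= missing: no reports of that type are requested")
            continue
        for uri in tags[tag].split(","):
            uri = uri.strip().split("!")[0]  # drop an optional size limit
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                findings.append(f"{tag}= entry {uri!r} is not a mailto: URI")
                continue
            dest = uri.rsplit("@", 1)[1].lower()
            if dest != domain and not dest.endswith("." + domain):
                # External destinations must opt in with their own TXT record.
                findings.append(f"{tag}= reports go to {dest}, which must "
                                f"publish {domain}._report._dmarc.{dest}")
    return findings
```

An empty result means the record is well-formed and enforcing; the p=none finding is expected during the monitoring phase this article starts with.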


Congratulations!
You now have a working DMARC setup!

Is it complete? Not yet. It doesn’t really do much with a “none” policy, and spoofed mails are still being delivered. Now is the time to analyze all the reports that will be arriving over the coming days.

I really recommend using a tool to analyze the DMARC reports for this job before deciding to upgrade the policy to “quarantine” or “reject”. The amount of data in the reports can be overwhelming and it’s not easy to parse.

Picking the right tool for the task will be covered in part 3.
