Email Authentication Records SPF DKIM and DMARC Implementation and Troubleshooting in Microsoft 365

Hello All 

Hope everyone is doing well. Today we are going to cover the three email authentication records, SPF, DKIM and DMARC, which secure our email environment against email spoofing and similar attacks.



 

In this section, we are going to cover what SPF, DKIM and DMARC are, how they work, SPF and DMARC syntax and components, and finally how to implement SPF and DMARC.

Let us first look at SPF, followed by DKIM and DMARC.

What is SPF

An SPF record is a TXT record published in the DNS by the domain owner, which specifies a whitelist of IP addresses allowed to send emails on behalf of the domain.

When an email reaches the receiving server, the server will look up the SPF record in the DNS, and perform a check to determine if the email comes from an authorised IP address.

SPF stands for "Sender Policy Framework", which is a mechanism that allows a receiving email server to check if the incoming email is from an IP address permitted by a predefined IP address whitelist (SPF record) specified in the DNS (Domain Name System).

Example: Let us take two organisations, craftnet.in and cloudmonkeys.xyz.

Domain Name : craftnet.in

User1@craftnet.in

Application Server : 210.18.121.6


Domain Name : cloudmonkeys.xyz

User2@cloudmonkeys.xyz

User1 from craftnet.in sends an email to user2@cloudmonkeys.xyz from the application server 210.18.121.6.

The message carries the following information:

  • Connecting IP
  • From address
  • To address
  • Return-Path

The receiving server at cloudmonkeys.xyz validates SPF by looking up the SPF record of the craftnet.in domain and checking whether the connecting IP is one that craftnet.in has authorised, which confirms the email really originated from craftnet.in.

SPF record syntax

An SPF record is a single string of text published on the domain in the DNS.

All SPF records start with exactly "v=spf1", followed by a series of "terms". Note that the version part "v=spf1" is mandatory: everything else like "v=spf2" would render the SPF record invalid and cause the receiving server to ignore the record.

SPF Record evaluation


An SPF authentication result is one of:

  • None: either no valid DNS domain name was found, or no SPF record was found on the domain;
  • Neutral: it's not stated whether the client IP address is allowed;
  • Pass: the client IP address is allowed;
  • Fail: the client IP address is not allowed;
  • Softfail: the client IP address is probably not allowed;

SPF qualifiers

An SPF qualifier is optionally prepended to an SPF mechanism to denote the result of evaluating that mechanism.

The possible qualifiers, and the results they indicate are:

  • "+" pass
  • "-" fail
  • "~" softfail
  • "?" neutral

For example, qualifier "+" indicates pass, while "-" indicates fail, etc.

SPF mechanisms

SPF mechanisms are evaluated one by one from left to right.

The result of evaluating an SPF mechanism is one of:

  • match; evaluation ends and the qualifier value is returned as the result of evaluating the SPF record;
  • not match; moves on to evaluate the next mechanism;
  • exception; evaluation ends and the exception value is returned.

Two types of SPF mechanisms are available: basic mechanisms and designated sender mechanisms.

The basic mechanisms are all and include.

The designated sender mechanisms are a, mx, ptr, ip4, ip6, and exists.

SPF check pass and fail scenarios: how to validate in real time and troubleshoot

Python script:

I approached a developer team to develop a small script to send an email from Python, with which I can test sending email as an internal user from the internet; simply put, it works like an application.

So this Python application sends emails from the internet using an internal email address. In the real world, many applications use an email address like noreply@cloudmonkeys.xyz, or send from active user mailboxes through a third-party relay, the Office 365 SMTP relay, or a relay from on-premises servers in a hybrid setup.

My SPF record in GoDaddy:

v=spf1 ip4:210.18.121.6 include:spf.protection.outlook.com -all

It permits email only when the connecting IP is 210.18.121.6 or one of the Exchange Online addresses covered by include:spf.protection.outlook.com; any other source gets a hard fail because of -all.

Legitimate email scenario

From the internet, the SPF check passes only if the email is connected from the designated connecting IP 210.18.121.6.




SPF failed scenario along with DMARC rule

If someone sends an email from an IP that is not designated in the SPF TXT record and the DMARC policy is set to reject, the SPF check fails and the receiving side applies the reject policy.
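To make the qualifier and mechanism rules above concrete, and to reproduce the pass and fail scenarios for the craftnet.in record, here is a small SPF evaluator in Python. It is an added example, not part of the original article and not the developer team's script; it assumes a constructed in-memory DNS table instead of live TXT lookups, and its spf.protection.outlook.com entry is a shortened stand-in for Microsoft's real record.

```python
import ipaddress

# Constructed in-memory DNS table so the example runs offline. The craftnet.in
# entry is the record published in GoDaddy above; the spf.protection.outlook.com
# entry is a shortened stand-in, not Microsoft's real (much longer) record.
FAKE_DNS_TXT = {
    "craftnet.in": "v=spf1 ip4:210.18.121.6 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 -all",
}

# Qualifier prefix -> SPF result when its mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for a connecting IP, left to right.

    Handles ip4, ip6, include and all, which is all the records on this page use;
    any other mechanism is reported as permerror rather than silently ignored.
    """
    if depth > 10:                        # RFC 7208 lookup limit: an exception result
        return "permerror"
    record = dns.get(domain.lower())
    if record is None:
        return "none"                     # no SPF record on the domain
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"                     # e.g. "v=spf2": invalid, so ignored
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, client_ip, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"        # included domain has no usable record
        else:
            return "permerror"            # a, mx, ptr, exists not implemented here
    return "neutral"                      # ran off the end without a match
```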






Limitation of SPF: when an email is forwarded to users in an external domain, the SPF check fails. When the email is forwarded, the Return-Path value changes, so the SPF check is performed against the domain that forwarded that particular email.

What is DomainKeys Identified Mail (DKIM)?

Think of DomainKeys Identified Mail as an ID or passport that verifies who you are. When a message is sent from your email server, the server attaches a DKIM signature so the receiving server can verify it.

Technically speaking, DKIM provides a method for validating, through cryptographic authentication, that a domain's identity is associated with a message.

By definition, DKIM is an email security standard designed to make sure that emails are not altered in transit between the source and the destination.

As soon as emails are sent from the sending server, it signs them using the private key.

Unlike SPF, DKIM adds a digital signature inside the email header, and even when the email is forwarded to external domains the signature is preserved within the header.

Enable DKIM

To enable DKIM for the domain, we need two CNAME records in public DNS.

The CNAME records point to the public key that the recipient email servers use to verify that the email has not changed during transmission.

Once the signature is verified by the recipient server, DKIM passes and the email is treated as authentic.

When an organisation enables DKIM for its domain, the private key is securely stored on Microsoft servers, and all emails sent from that organisation are digitally signed.

Let us take two orgs, cloudmonkeys.xyz and craftnet.in.

1. Cloudmonkeys has enabled DKIM, so when cloudmonkeys users send an email to craftnet.in, all the emails are digitally signed using the private key.

2. When craftnet users receive the emails, the recipient servers extract the DKIM signature from the email header and query public DNS.

3. The craftnet.in email server asks DNS for the public key published by cloudmonkeys.xyz.

4. Once the recipient server has the public key, it validates the email using that key.

5. If the validation is successful, DKIM passes; if the email was altered during transmission, DKIM fails.



DKIM syntax and creation

I am going to create DKIM records for the craftnet.in domain.

Before we create DKIM records, we should be aware of two things:

1. MX value of the domain
2. Initial domain value

The MX value for my domain craftnet.in is

craftnet-in.mail.protection.outlook.com

The initial domain value is 2t6xvv.onmicrosoft.com

Records to add in public DNS (note that the dots in the domain become dashes in the value, matching the first label of the MX host, craftnet-in):

Type : CNAME
Name : selector1._domainkey
Value : selector1-craftnet-in._domainkey.2t6xvv.onmicrosoft.com

Type : CNAME
Name : selector2._domainkey
Value : selector2-craftnet-in._domainkey.2t6xvv.onmicrosoft.com

Log in to the Defender portal: https://security.microsoft.com/dkimv2

If you try to enable DKIM from the above screenshot, you will get the below error.

Take the below values from the error window:

Host Name : selector1._domainkey
Points to address or value : selector1-craftnet-in._domainkey.2t6xvv.onmicrosoft.com

Host Name : selector2._domainkey
Points to address or value : selector2-craftnet-in._domainkey.2t6xvv.onmicrosoft.com

Go to public DNS and create the records like below.




Lastly, we'll go back to the Defender Portal to enable DKIM for your organization.

  1. Sign in to the Microsoft 365 Defender Portal. Use your Microsoft 365 email address and password (your GoDaddy username and password won't work here).
  2. Under DomainKeys Identified Mail (DKIM), select your domain name. A window will open on the rightmost side.
  3. Turn on the Sign messages for this domain with DKIM signatures toggle. Your changes will save.
  4. Select OK.

Please note that after the above steps it takes 24 hours for the records to replicate in public DNS. After 24 hours it should work; if you still get the error, double-check the CNAME record names and values.

PowerShell to check if DKIM is enabled or not:
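The two CNAME records above follow a fixed pattern (selector1 or selector2, then the domainGUID taken from the MX host, then the initial domain), so the "double-check the CNAME records" step can be scripted. The Python below is an added example, not part of the original article; it assumes a constructed PUBLISHED_CNAMES table in place of a real DNS lookup, with selector1 deliberately carrying a dot instead of a dash to show what a mismatch report looks like.

```python
# Constructed view of what is published in public DNS, standing in for real CNAME
# lookups so the example runs offline. selector1 deliberately carries the
# dot-instead-of-dash typo ("craftnet.in" rather than "craftnet-in") that the
# double-check step is meant to catch.
PUBLISHED_CNAMES = {
    "selector1._domainkey.craftnet.in": "selector1-craftnet.in._domainkey.2t6xvv.onmicrosoft.com",
    "selector2._domainkey.craftnet.in": "selector2-craftnet-in._domainkey.2t6xvv.onmicrosoft.com",
}

EOP_MX_SUFFIX = ".mail.protection.outlook.com"


def domain_guid(mx_host):
    """The domainGUID is the MX host with the Exchange Online suffix removed:
    craftnet-in.mail.protection.outlook.com -> craftnet-in"""
    if not mx_host.lower().endswith(EOP_MX_SUFFIX):
        raise ValueError("not an Exchange Online MX host: " + mx_host)
    return mx_host[: -len(EOP_MX_SUFFIX)]


def expected_dkim_cnames(domain, mx_host, initial_domain):
    """Return {cname name: cname value} for the two selectors Microsoft 365 signs with."""
    guid = domain_guid(mx_host)
    return {
        f"selector{n}._domainkey.{domain}": f"selector{n}-{guid}._domainkey.{initial_domain}"
        for n in (1, 2)
    }


def find_dkim_cname_problems(domain, mx_host, initial_domain, published):
    """Compare the expected records with what DNS answers; return a list of findings
    (an empty list means both selectors are correct)."""
    problems = []
    for name, want in expected_dkim_cnames(domain, mx_host, initial_domain).items():
        got = published.get(name)
        if got is None:
            problems.append(f"{name}: CNAME is missing")
        elif got.rstrip(".").lower() != want.lower():
            problems.append(f"{name}: points to {got}, expected {want}")
    return problems


if __name__ == "__main__":
    for line in find_dkim_cname_problems("craftnet.in", "craftnet-in.mail.protection.outlook.com",
                                         "2t6xvv.onmicrosoft.com", PUBLISHED_CNAMES):
        print(line)
```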

Get-DkimSigningConfig

Domain      Enabled
------      -------
craftnet.in False






What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance  DMARC  is a widely-accepted email authentication policy and reporting protocol. It ensures – when implemented at an enforcement policy – that authorized use of the domain in the From: field can be verified by the receiving domain and action can be taken if the use is not authorized.

DMARC includes a reporting mechanism. Email receivers tell the domain owner whether the email they received passed or failed authentication. The domain owner's DMARC record can specify where receivers should send reports; these reports let the domain owner or their DMARC vendor see who is using the domain to send email.

Domain owners can use the information in these reports to fine-tune their email authentication policy to permit only trusted senders to send email on behalf of the domain.

My DMARC policy in GoDaddy:

"v=DMARC1; p=reject; pct=100; rua=mailto:aisha.bhari@cloudmonkeys.xyz; ruf=mailto:aisha.bhari@cloudmonkeys.xyz"

Anti-phishing policy configured in the Office 365 portal: https://security.microsoft.com/



Exchange Online message trace

In the message trace, the emails failed due to the DMARC policy.
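Applying the policy above the way a receiving server does, as an added Python example that is not part of the original article: DMARC passes when SPF or DKIM passes and its domain aligns with the From: domain, otherwise the p= tag decides the action. The forwarder.example domain and the sample_bucket value are constructed inputs, and the organizational-domain logic is simplified to the last two labels rather than a Public Suffix List lookup.

```python
# The DMARC record published for cloudmonkeys.xyz in GoDaddy (from the article).
DMARC_RECORD = ('"v=DMARC1; p=reject; pct=100; rua=mailto:aisha.bhari@cloudmonkeys.xyz; '
                'ruf=mailto:aisha.bhari@cloudmonkeys.xyz"')


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption: no
    Public Suffix List lookup); enough for craftnet.in and cloudmonkeys.xyz."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment: strict = exact match, relaxed = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample_bucket=0):
    """Return (dmarc_result, action) for one message.

    spf_domain is the Return-Path (MAIL FROM) domain SPF was checked against,
    dkim_domain is the d= tag of the verified signature, and sample_bucket
    (0..99) stands in for the random draw that pct= is compared against.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"            # one aligned pass is enough
    action = tags.get("p", "none")
    if sample_bucket >= int(tags.get("pct", "100")):
        # outside the sampled percentage: apply the next weaker policy
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return "fail", action
```

The third scenario in the checks (SPF fails against the forwarder's domain but the DKIM signature still verifies) is why DKIM survives forwarding where SPF alone does not.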




I believe this article helps someone who is looking after SPF, DKIM and DMARC policy implementation in their environment and troubleshooting. Happy learning 😃

