Enable DMARC on Office365 | New update video link is in description

Captions
Welcome to Implementing DMARC Using Office 365. What we're gonna do in this video is show you actually how to set up not only DMARC but SPF and DKIM within Office 365. So obviously we're gonna use the admin portal for Office 365, but we're also going to use our GoDaddy DNS service provider in order to actually put in the DNS records that are needed for each one of those standards.

So we switch over here to Chrome, and here you can see the products page for our domain, gotdmarc.org, on GoDaddy, and then in this other tab we are logged in already to Office 365. So the first thing is just to show you where DNS is set up in GoDaddy. When you're in GoDaddy, you go to Domains, gotdmarc.org; over here you've got a button called DNS. I'm just gonna click on that button, and what this will do is take us to the DNS section. So this is where we're going to add all the records that we need to in order for DMARC to work successfully.

So the first one we're going to talk about is SPF. The nice thing about Office 365 is that when you're first setting this up and you're setting up your domain, you have the option to allow Office 365 to create DNS records for you, and one of the DNS records that it actually will create for you is an SPF record. So if we're looking here under our records in GoDaddy, we scroll down a little bit, and we're going to see here we find a section that says TXT. So in the TXT we have our SPF record. I'm just going to click on the pencil so that way you can see what the full record looks like. So it's v=spf1, it has the include statement, which is for spf.protection.outlook.com, with a minus all, or a dash all, which is for a hard fail. So this is what Microsoft itself will create for you.

Now, when you're in GoDaddy or whatever other third-party provider that you're using for DNS, if this record does not exist, what you can do is either put in the record yourself, and the record will actually look like this, it will actually be this, unless of course you have
third-party tools, or what you can do is you can go into Office 365 and actually have it create those records in case you missed that step. So what you would have to do in that situation is just click on the Admin button. This will go to the administrative section for Office 365, and what you will do in here, on the left-hand side there's a section for Settings, and under Settings you go to Domains, and in here it's going to show you your domains. In this case it says both are set up, but I'm gonna click on gotdmarc.org, and what I will do here is I'll go through and you can see the DNS records that it created for you on a previous step. You also could go to Setup and Domains and you can get to the same portion.

So now what you'll see here, I'll make the screen a little bit bigger, so here it'll show you: create the MX record, create the TXT record for SPF. Now if none of this is present, what you can do is you can always click on DNS management, and this will actually start up the DNS configuration and update your DNS settings for you. So it is recommended during the setup process to have it add the DNS records for you; if not, go ahead and just go through this step and it will go ahead and create those records for you and implement them as well.

So now at this point SPF is already set up. Now take into account that there may be additional third-party providers that you're using for sending mail. So if you're using things like Salesforce or MailChimp and other types of customer relationship management databases or other third-party vendors, you do need to add them into here as you go along. If you're not sure of them, you could always add them later if you choose to. But for now, in this case, for gotdmarc we're only using outlook.com, we're not using any third-party provider, so I'm going to leave it as it is.

Now the next step, and I'm going back to Office 365, is to set up the DNS records for DKIM. Now this is a little bit different, and
it is quite unique in the way Office 365 does it. It actually is a very good way, it's a very secure way, in which Microsoft Office 365 will actually handle the DKIM keys for you, so this way you don't have to worry about the private keys and the public key, storing them in the right location and so on. You just have to add the correct DNS record, which they will provide to you.

So where do we set up DKIM? The way you will do this here is, we're back in the admin center for Office 365, I'm gonna go down here in the Admin centers section. Now of course this is only going to work as long as you have Business Premium or higher, because you have to be using the mail portion of Office 365 in order to set this up. So under Admin centers you'll see a section for Exchange, because that's the online email server that does apply to you. So you click on Exchange; this will open up another window, and in this window there's going to be a section called Protection. You see it here on the left-hand side; you also see in the middle, on the dashboard, under Protection, right at the bottom, you're going to see DKIM, and that's your DomainKeys Identified Mail. Click on DKIM; it gives you a little bit of information on it.

So now, by default, the way it will work is that gotdmarc.onmicrosoft.com is the default domain, and that will always be the domain that's being used, and this is enabled by default for you. You can disable it, but it's best just to leave it enabled in case there are some issues you may run into, because it will sign using this key by default. But the problem with this is, if you leave this alone, anything that's being sent by gotdmarc.org is going to be signed using the gotdmarc.onmicrosoft.com domain. There's a problem there because they're not aligned; the DKIM key needs to match. So when DMARC were to look at this, it's gonna say, well, this is not aligned,
so there's a problem that's going on with this. So what you need to do is click on your actual primary domain, in this case gotdmarc.org, and you need to enable the DKIM signatures here. The problem is, though, in order for this to work you do actually have to set up the DNS records first and then you can enable it. But the reason I'm showing you this way here is because if you're not sure what to add, what you can do is click on Enable; it's going to go out and look to see if the record exists, and if not it will tell you what the record should look like. So if you look here it's gonna say: CNAME record does not exist for this config, please publish the following two CNAME records first: selector1-gotdmarc-org._domainkey.gotdmarc.onmicrosoft.com, and actually it's giving you a second one as well. So you do need to set up both of these in order for this to work. So this way now you know what the value is going to be when you set up this record.

So now the other unique part of this is that since they handle the private key and public keys for you, they're providing you with a CNAME instead of a TXT record. So this way the CNAME is going to be a pointer to a domain where the public key actually resides, and so this way you don't even know what the public key looks like, you don't know what the private key looks like; you just have this record for people to point to.

So we're going to go over here into the domain manager and we're going to create the two keys. So we'll click on Add; the type is going to be CNAME. Now for the host, this is important as well, because the host is going to be something specific and it has to match what is being actually used within Microsoft Exchange. So in this case it's always going to be selector1._domainkey, and the reason for this is this is now what you're calling the host, and that's a way that when people are looking for it they know what to look for in
terms of DKIM. And then this is going to point to, and that's going to be the value that they provide here. You can't copy and paste, so you may have to go back and forth just to check to see that you're typing it in correctly. So in this case it's going to be selector1-gotdmarc-org, all right, so it uses hyphens and not periods, and then the remainder there, so ._domainkey.gotdmarc.onmicrosoft.com. So this is gonna be the key, and we'll leave the TTL at one hour. So at this point we just click on Save and now we have our first DKIM key.

So just to confirm, go back here, make sure that it's pointing to the right location: selector1-gotdmarc-org._domainkey.gotdmarc.onmicrosoft.com. Go back here, double check: selector1-gotdmarc-org._domainkey.gotdmarc.onmicrosoft.com.

So the nice thing also about Microsoft is that it gives you two keys to work with, so that way, in case something were to happen with the first one, you do have the second one that you can use. So I'm just gonna go ahead and cancel this and then we're gonna create the second one. You just click on Add, select the type as CNAME; this one is now going to be called selector2._domainkey. This is going to point to selector2-gotdmarc-org._domainkey.gotdmarc.onmicrosoft.com, and we'll also leave this at one hour.

So now at this point we have our two DKIM keys in place, and now what we can do is go back to our DKIM tab and enable DKIM. Now before I click Enable, just take into account that this may take some time to actually enable. In some cases it is instantaneous; in some cases it may take a few hours before you can click on the Enable button in order to do it. So just keep tabs on this; if it doesn't do it immediately, don't worry about it. Just make sure that the record is set up correctly and everything is fine, and then maybe give it a
couple, you know, maybe an hour or so in order to enable it. So as you can see in this case here it didn't go in, so we'll just hold off on it and I will check back on it in a bit.

So now the final stage is to implement DMARC. Now with DMARC you don't need to do anything on Office 365 in order to enable DMARC or set up DMARC. By default it does do a check for you, so for any incoming message from other organizations it will check those messages to determine if there's a DMARC setting or capability on those messages; if so, it will go back and check the sending organization's DNS to determine what to do with the message if it passes or fails any of the authentication checks.

So in this case now we need to set up DMARC for our organization, in this case gotdmarc.org. So we're gonna go back to the domain manager and we're gonna add another DNS record, and this DNS record is going to be a TXT record. DMARC is always going to be a DNS TXT record; there's no option about that, it's always gonna be that regardless of whom you're using. Now the host will always be _dmarc. It always has to be _dmarc; there is no option, you can't leave out the underscore, and it has to be all lowercase dmarc. And the reason for this is because this is what you're calling the actual name of the record, so in actuality it ends up being _dmarc.gotdmarc.org, and it will automatically add that portion of it to this.

Now the text value, this is where we're gonna go ahead and add this in. So the value here will always start with the version, so v=DMARC1. That will always be the version; there are no reports of any additional versions coming out at any point in time or anytime soon, so that's our version number, DMARC1. Next I'm going to put in p=. What p= means is this is the policy that you're applying to your DMARC, and how to handle those messages if they were to pass
or fail. So in this case the recommendation is always to start off with none. So I'm gonna start off with none in this case just to see what's going on with these messages: is it actually being used, is it not being used, what are the defaults to it. And then in case I need to make any adjustments to, say, the SPF record or the DKIM keys, then I can do so when it's time to do this. So always start off with p=none just to make sure that everything is set up correctly.

The next value that I'm going to add is the mail, so rua=. So rua is to tell it that I want to receive aggregate reports for this domain. Those aggregate reports are what's going to tell you what exactly is going on with each of those messages that are being sent from this domain, or if any other servers are using this domain. So I'm gonna send this to as Samir's at dmarc, oops, sorry, gotdmarc.org. It's actually rua=mailto: estimators that, you know, the mailto is important, that needs to be there. If you have multiple addresses you just add a comma and mailto: and add the next email address. In this case there's only gonna be one, so I'm gonna end there and add the semicolon.

I'm also going to look for forensic reports, because the forensic reports can give me a little bit more detail for any failed messages, to determine, okay, why did the message fail and what particular messages have failed. Now when it comes to forensic reports, which is ruf, you may not get forensic reports from every single recipient system, and that's mainly due to privacy concerns. So you will definitely get the aggregate reports from the majority of those recipient servers, but the ruf, the forensic reports, you may not get too many of those; you may get very few, depending on the location and the servers. So again I'm gonna send it to the same location, and you have to do mailto:, and I'm gonna send it to this address.
Now if you're looking to send it to a different address there, you can do so, but there has to be additional configuration, and additional records must be created in order to be able to send those reports to those locations. So the receiving side, or the recipient side of those reports, they need to take additional steps in order to get this.

So really this is all you have to have in order to set up DMARC. I'm gonna take it a little bit further, because I'm gonna say that while we're working on our top-level domain and making sure that everything is accurate, I know for gotdmarc.org there are absolutely no subdomains whatsoever. So I don't want somebody coming in, while I'm fixing the top-level domain gotdmarc.org, to go ahead and try to spoof a sub-level domain. A sub-level domain could be something like sales.gotdmarc.org or hr.gotdmarc.org. So what I'm gonna do is add this tag here, which is sp=, so that's subdomain policy, and in this case I'm gonna put reject because I know there are none. Now if you're not sure, you can leave out the sp tag and the top-level tag, the p=, will actually also handle your subdomains as well. But in this case, since I know there aren't any, I'm going to add sp=reject.

And then additionally I'm also going to add in the tag ri, which is the time at which the report should be sent. By default, if you leave this out, it's going to be every 24 hours, which is 84,600 seconds, so I'm just gonna put that in there just to, you know, dictate it there. There are additional options but they're not really required, so in this case I'm going to leave this as it is, and I'm gonna go ahead and click Save, and now I have my DMARC policy in place.

So as you can see, within a few minutes we have our SPF record, we have our two DKIM keys that we need, and we have our DMARC record in place. I'm just gonna go back here to DKIM, click on
Enable, and hopefully it'll work, and there you go, DKIM is now enabled at this point. So as you can see, you may need to give it a couple of minutes, and sometimes you may have to give it the full hour in order to allow for DNS to propagate.

So now we have everything set up, and DMARC is set to none, and then the more I use it and the more mails that I send out, I should get a report within 24 hours of implementation of the DMARC record. It may take a little bit longer than 24 hours, but you should, within 24 hours, start getting reports.

Now just take into account a few things. There's gonna be additional resources that we'll make available to you, because there might be situations where the DKIM options may not be available to you to either enable or disable it. If you go to our site, dmarc.globalcyberalliance.org, under the Resources section we'll provide a page there that will give you some tips and tricks in order to get DKIM enabled in case it doesn't show up here, or even to force it to be enabled, because you do need to have a Windows system with PowerShell in order to get that enabled and in order to make it present. And then you can also use the DMARC Global Cyber Alliance site to go through the process of determining how you would want to have DMARC. In this case, you know, I knew about DMARC so I was able to set it up, but you can use the setup guide to actually help you with the creation of the key. If you do have any questions, feel free to contact us at any point in time and we can hopefully answer any of the questions that you may have. Thank you for attending this video.
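
The four records assembled in the captions above (one SPF TXT, two DKIM CNAMEs, one DMARC TXT) can be checked offline before Enable is clicked. The Python lint below is an added example, not part of the video: example.org, example.onmicrosoft.com and every record value are constructed, hosts are written fully qualified rather than in the DNS provider's relative form, and the CNAME targets follow the shape read out in the video, so the values the portal displays take precedence.

```python
# Added example, not from the video; every domain and record value is constructed.

def expected_dkim_cnames(domain, initial_domain):
    """CNAME pair in the shape the video reads out: dots in the domain become hyphens."""
    label = domain.replace(".", "-")
    return {f"selector{n}._domainkey.{domain}":
            f"selector{n}-{label}._domainkey.{initial_domain}" for n in (1, 2)}

def parse_tags(txt):
    pairs = (p.partition("=") for p in txt.split(";") if p.strip())
    return {k.strip().lower(): v.strip() for k, _, v in pairs}  # keeps tag order

def lint_dmarc(txt, domain):
    tags, out = parse_tags(txt), []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        out.append("v=DMARC1 must be the first tag")
    for tag in ("p", "sp"):  # p is required, sp is optional
        if (tag == "p" or tag in tags) and tags.get(tag) not in ("none", "quarantine", "reject"):
            out.append(f"{tag} must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip().lower() for u in tags.get(tag, "").split(","))):
            host = uri.rpartition("@")[2]
            if not uri.startswith("mailto:"):
                out.append(f"{tag}: '{uri}' is missing the mailto: prefix")
            elif host != domain and not host.endswith("." + domain):
                out.append(f"{tag}: '{uri}' is outside {domain}; the receiving side "
                           "has to publish its own record before reports go there")
    return out

def lint_zone(records, domain, initial_domain):
    """records: (type, fully qualified host, value) tuples copied from the DNS provider."""
    out = []
    cnames = {h.lower(): v.rstrip(".").lower() for t, h, v in records if t == "CNAME"}
    for host, target in expected_dkim_cnames(domain, initial_domain).items():
        if cnames.get(host) != target:
            out.append(f"DKIM: {host} should be a CNAME to {target}")
    spf = [v for t, h, v in records if t == "TXT" and h == domain and v.startswith("v=spf1")]
    if len(spf) != 1 or "include:spf.protection.outlook.com" not in spf[0].split():
        out.append("SPF: need exactly one v=spf1 record with include:spf.protection.outlook.com")
    dmarc = [v for t, h, v in records if t == "TXT" and h == f"_dmarc.{domain}"]
    if len(dmarc) != 1:
        return out + [f"DMARC: expected one TXT record at _dmarc.{domain}, found {len(dmarc)}"]
    return out + [f"DMARC: {m}" for m in lint_dmarc(dmarc[0], domain)]

SPF = ("TXT", "example.org", "v=spf1 include:spf.protection.outlook.com -all")
SEL = [("CNAME", f"selector{n}._domainkey.example.org",
        f"selector{n}-example-org._domainkey.example.onmicrosoft.com") for n in (1, 2)]
GOOD = [SPF, *SEL, ("TXT", "_dmarc.example.org", "v=DMARC1; p=none; rua=mailto:dmarc@example.org; "
                    "ruf=mailto:dmarc@example.org; sp=reject; ri=86400")]  # ri: 24 h in seconds
# BAD: periods instead of hyphens in selector1, rua without mailto:, ruf in another domain
BAD = [SPF, SEL[1],
       ("CNAME", SEL[0][1], "selector1.example.org._domainkey.example.onmicrosoft.com"),
       ("TXT", "_dmarc.example.org", "v=DMARC1; p=none; rua=dmarc@example.org; "
        "ruf=mailto:dmarc@example.net; sp=reject")]
print(lint_zone(BAD, "example.org", "example.onmicrosoft.com"))
```

Running it prints the three findings for the BAD zone; the GOOD zone produces an empty list.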
Info
Channel: Technology Wanderers
Views: 22,049
Rating: 4.9432626 out of 5
Keywords: DMARC, SPF, DKIM, office365, microsoft365, ms365, dns, enable dmarc and spf, enable spf and dmarc, enable dkim, enable dkim in office365
Id: PGwcgZdMIoc
Length: 19min 10sec (1150 seconds)
Published: Sun Apr 01 2018