Implementing SPF DKIM & DMARC on Microsoft 365

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
foreign [Music] I am here today to talk about some email security protocols that should be set up on any email system but specifically I'm going to be talking about how we apply those into Microsoft 365 and they are SPF which is the sender policy framework we have dkim which is domain Keys identified mail and dmarc which is domain based message will Decay authentication reporting and conformance that's a mouthful for you if you're watching this then clearly you just want to get those set up in M365 you probably know what they are but just in case you don't I'm just going to give you a quick summary of what they do so SPF is a mechanism that allows receiving email servers to check that the mail has been sent from an IP address that's authorized on behalf of the domain name to send email so as you can probably tell these are all DNS functions and uh this is what we need to do to set those up but the dkim attaches a digital signature to the email and which case the receiving email server can verify that by looking up the sender's key which is obviously published in the public DNS and dmarc now dmarc is designed to give those main owners of the receiving mail a way to check what to do with mail that is compromised so if you've got anything that looks like it's a phishing attack or other scams because it doesn't meet those SPF and dkim requirements what does what does that receiving server have to do about it in the dmarc entry you can tell them whether to deliver it reject it quarantine it whatever you need need to happen there um you can integrate dmarc unless you've got SPF and dkm properly configured so the recommendation here is to set all three up on your domain in Microsoft 365 get them all configured nicely get them all tested and I'm going to show you what that looks like today also along the way I'm going to show you some tools that we can use some normal web-based functions where you can go and check these things and also how to check out the headers and make sure everything is being encrypted correctly and everything's working working well so we'll start off with that domain which we were playing with previously at plenium.com and jump into the 365 console and let's go check it out so in the admin console you can see we go to homes domains and then look up palladium.com we're looking across at the DNS record item as you can see here and it tells us that we already have the SPF record in place which is one of the mandatory things when you set up a 365 domain right from the outset the text record for the SPF is going to be set up automatically for you so essentially SPF is done and we don't need to do anything else with that but the other two the dqam and the dmart are not so let's uh go and have a look at those but before we do that because I know we don't have those two set up currently I'm going to send an email from Carl's account across to just a Gmail account and have a look at the headers so you can see what the domain structure or sorry the email structure looks like when you don't have those set but you do have the SPF set so let's do that let's just jump into Khan's machine and we will send an email so let's go into outlook here and we'll just start a new one and we'll put this to one of my this is here testing for Windows or call it testing pdkm and hi and we'll send that and we'll go check it out we just jump into the browser I want to show you a website here MX toolbox if you haven't seen MX toolbox before definitely go check this out this is this is a pretty cool way of looking at any email or domain issues and things and actually just really understanding how to get in and fix them so mxtoolbox.com I'm going to put in here plentium.com we'll just do the MX lookup as it says here and just see what it tells us about the domain you can see by doing that really it's obviously just pulled up the MX record which is fine but it's telling us straight away that we don't have anything for dmarc we have Microsoft Office as our provider but it's really giving opening this up now to so we can go into a whole ton of things around this email check and one of the things we can do here we can do a quick thing like a backlist check and see if we've got on any black lists which doesn't look like we have which is good but what what you can see if I just jump back is really the ability to really look at a lot of these different settings here and whether you do that just by dropping this down and you can see all of these checks that you can do for all these entries which is which is really quite quite good to have a look around at but what we want to do is look up this SPF record and click on that once it's done and that will tell you a bit about it and make sure you all comply now it should be because it was the one that was set up by Office 365 natively and you can see yes it's very happy with all of those things there if I do a check now for dkim we should find that uh hey guess what it's uh nothing there and also with the d-mark as well you do that too yes we have issues as well therefore we know that we need to go in there and set those up and get those done what it means though is that once we do have them set up and configured we can use MX toolbox as a a checkpoint to say is it done correctly and and what does it look like so this is the test email that we've sent into Gmail and if we have a look at which are original here we can see the details around the headers now you can see the SPF pass as we would expect and when we look down here we will see a dkam pass here from the the basic stuff that happens in uh M365 but what I'm interested in doing here is copying that out to the clipboard and we can use one of two different sites to go and analyze this its header so we can use the jumping here we can go into the MX toolbox and we can have a look at the analyze headers which is in here which user gives us a bit more information we can also look at the the Azure sites the mha site which I'll show you afterwards if I drop this one in and analyze that header you can see what he comes back with now this is telling us once again we don't have a dmarc configuration there but we do have SPF and we don't have dkm alignment now that's because it's using the standard back end of 365 to do it and we it hasn't applied those other changes yet so if we go down a little bit you can see once again it's complaining about that but really what we're looking at for is all the dkm results and you can see here we do have that signature header not found and the like so we know that it's not uh it's not turned on and ready to go in a proper fashion yet what we're looking for is all of this to go green obviously and the other side I was just mentioning as well is this one here mha dot azurewebsites.net drop the header into there as well you'll get a very similar type of response and you can see obviously all the Hops things take and how things work but really you can also see all the other information around the um relevant passes and the like too but it's not going to tell you that it's compliant or not it's going to give you the basic set of information that's why I like to use the MX toolbox one as you can see it's giving us a bit more useful information about what's going on so to turn on the dkim or planeum.com your first of all you need to find out where it is now it is slightly hidden away but you need to go into the security admin Center it's this one here and we need to look for policies and rules down the left-hand side there we go so we have classes and rules right here and we're looking at threat policies and if you look down the bottom here you will have the email authentication settings and you can see in here it's talking about the Kim let's give it up and we're looking at the dkim settings which is this here so you can see that we've got um uh the plenum.com here and if I click on it you'll see that we have as expected no dkm keys saved for this domain now what we do first thing is we can say create ekim Keys which we'll go ahead and do now this is creating that digital signature in the background on 365. and once that's done it'll respond back with an update on this side which it does like this and it's now set up in the back end now when I turn this on here it's going to fail with enabling them because we haven't done our DNS work but we need to know exactly what the DNS is going to be I can tell you what they are but the easiest way for you to see it is if I just try and enable it we'll get the error message in the front screen here telling us that it can't find the DNS records which are these here and it now wants us to go and set these up so what we're looking for here is we've got two c names to do we've got selector one and selector two and you can see there's part of it here so I'm going to show you how we might put that into our DNS server and get that done then we've got our DNS management here you can see it's all our records as you've seen before in the last few videos so let's grab this so what we want to do is set up and just cut and paste this one out we're going to set up a new cname entry like so with that domain key and we're going to grab this value here that into that one that record in and then do basically the same thing again with the second entry which is the selector number two then um no one push that in there add that record now I know you've seen me use this type before this dnschecker.org really is quite cool what we're going to do here is I'm going to put in that other entry so we're going to go back here I'm going to grab this select two just cut and paste it out two laser to type it basically there dot oh millennium.com has a cname and just do a quick search and we can check whether that has managed to replicate itself DNS wires around the globe and will happen very quickly nowadays I love that um so that is all good now what you'll find though is that when you do go back into here and we say okay and then we say Okay DNS looks good from the DNS Checker side of the things and we say enable that you'll find it'll come back and say that it can't do it now that is because that is happening way too fast for it now look at this here check this out it should sync and take a few minutes as many as four days based on your specific DNS return and retry this step later generally what I've had to do in the past with these things is the back end of the system seems to be a little bit slower um so I've had to then hit OK here and basically I've been setting it up in an evening and then just come back the following morning and it works so we're going to pause now and you'll see all these these dates will go jump into the future either by Magic on the next stage of the video but I'm going to wait until this is now active so we can now get this get this enabled essentially what I'm saying here is that you can keep hitting this enabled all the time but just let it chill let it wait and come back to it and it will be fine once you just let it bake for a bit so I think we've waited long enough for those checks to happen so let's now go and hit enable and see if that allows and yeah it looks like it has it's enabled that and it wants a few few minutes just to go and sync those changes in the back end so that is it is good we'll close that and send another test mail see what it looks like I would jump back into Kyle's machine and we will send another test email [Music] what and send that we'll go have a look at that one now this one if we go and look at the show original we'll be a c that it's got a bit more information about the dkim and it's coming up with a pass straight away so this is a good check but you can say yes it is working for us here and once again we'll say copy a clipboard and we'll run that up into that message header site here otherwise new header will drop the contents of that in here and it should give us slightly different results not completely compliant yet by the way it should be pretty close here we are look we have some decomm alignment which means things are starting to take effect which is obviously good and you can see here that it's uh certainly happy and starting to go green which is which is good to see so to set up a dmarc record remember I said one at the beginning that dmarc is really just telling an email system which is the receiver of the email what to do if an email fails and you can see that the the settings we have here and you can see on the uh the items it could either be none reject or quarantined so none is a monitoring mode and it just allows the mail to go through however you've also got the reject and the quarantine so these are the the different types of settings you can do now what you can do as well is quite nicely there's inside MX toolbox as well there is this address which we may need to type in it's actually hard to find on some of these links but it's the dmarc record generator.aspx and what you do here is you you key in your domain and we say check the mark record what it will do then is give you the ability to then create a dmarc record based on what you require so you can see here it's saying okay none if it's in a reporting mode and then it's same way do you want the reports to go it's going to default obviously back to some MX toolbox once you could put any email address you like in those if we were to change it and say quarantine you can see what it's doing over here and creating this value for you so I'm going to say none for this one we're going to put in the admin for the tenant like so and we're going to grab that and grab that one as well and you can see straight away it's creating this record for you now like I say you do not need to have these aggregate reports to be sent anywhere you can get by quite nicely with just using the standard P equals none the PCT that I had before is the percentage of merlot it's going to process in that fashion which I put is 100 100 but let's grab this one now and we'll just take this record that it's taken and we'll put that into the DNS or the plenum.com back to my DNS management here and we're going to put that as a text record and that's the value now for this entry in here this is just going to be underscore V Mark and we add that record in now once that's in as a text recorder we're going to send that test email again and see what that looks like so a very quick check on that DNS of that text record you can see yes it's applied there we hit search you should get some text just waiting for couple to catch up that should be all good but now yes just back to hard workstation again send that to me anymore M5 that's entry included we go okay there's our number five email once again the share original and look at this we're getting a bit more information here it's BF econom and dmarc is showing as a pass now as well which is good so let's copy the clipboard drop it in the paste header Analyze That and let's see what it says we've got some good results here so here's that email just come through to the Gmail account let's go and have a look at the show original and you can see yeah look at that we've got some more things happening SPF is good the km is good and we've got a d-mark pass as well so clearly things are working well if we just scroll down a little bit we have a look at that information here and you can see we're getting great resulting here with all these uh passes and the like and uh everything in place which is nice the last thing I want to do is just put in here the medium.com into the email Health Report inside MX toolbox let's have a look and see what that comes back with that's going to report a couple of things that it's uh not happy about but they are not related to that if we look at the show tests here you'll see we've got a couple of problems looks like the uh SMTP address here in the or the MX record is an open relay which you would expect it is the the Microsoft 365 entry point so that is okay we can ignore that and also the SOA expiry value on our DNS now that's down to the GoDaddy which is the hosting we can't change those values so there's not much we can do about those two but everything else as you can see let's scroll through too quickly we've got our Blacklist checks down through those you can see yeah mail server we've got a full DeMark pass now you can see everything in there and everything else seems to be very happy and good just for some completeness have a look at the exchange online Powershell if you as you can see here if you connect to the exchange online and just do a get Dem signing config with the identity of the domain that you have you'll you'll see if it's enabled or not and if you do it with the the FL tag on the end you can see that you get a lot more details about about how it's set up and what is configured quite useful just to show that it is configured and is open as well and the very last thing to show you here is if I go into this website dkimvalidator.com another way of checking things out and it'll tell you as you go in there a random email address to send an email to so I will just grab that we'll pop back into Carl's account there can we just send an email to that address I'm just going to test what that'll do is it'll run another third-party check on those all of the records and show us what it uh what it thinks of those let me give that a second and we just hit few results and there we go now what we can see here obviously that's all the main Header information which is important but it's looking here and saying what is our ecoim signature looking like and you can see down the bottom here we have a result which is pass which is good and the SPF you can see there that's a result pass as well perfect and our spam assassin score you can see messages not marked as spam which is part of the reason for doing a lot of this in the first place and you see everything has passed there we choose all good so I hope that was useful for everybody just to see how you can make sure your email is compliant and also keep things out of the junk folders and the spam filters on the net for your people that you're sending email to from your domain and just another reminder again please subscribe to the channel we appreciate that and I'll see you next time thank you [Music]
Info
Channel: The Cloud Geezer
Views: 13,415
Rating: undefined out of 5
Keywords:
Id: j2dYcItof3k
Channel Id: undefined
Length: 21min 2sec (1262 seconds)
Published: Sat Dec 17 2022
Related Videos
Email DNS Master Course | SPF + DKIM + DMARC Explained
Emad Zaamout
22K
The Top 5 Microsoft 365 Security settings that you NEED to switch on NOW!
Andy Malone MVP
23K
How to Secure Email & Improve Deliverability (DMARC Tutorial)
All Things Secured
12K
DNS Spoofing Attacks
Kevin Wallace Training, LLC
17K
5 Dangerous Things to Avoid Saying In a Job Interview
Don Georgevich
5.8M
How to Prevent Email Spoofing with DKIM, DMARC & SPF
Pro Tech Show
20K
Hands-On Power BI Tutorial 📊Beginner to Pro [Full Course] ⚡
Pragmatic Works
1.9M
Increase Microsoft 365 security by optimizing anti spam and anti phishing rules
Bob Pellerin
8.3K
Beginner to T-SQL [Full Course]
Pragmatic Works
203K
What Microsoft doesn’t want you to know about Microsoft Office
Liron Segev
2M
Why Always Keep on this Device Doesn’t
Ask Leo!
14K
TOP 10 Outlook Tips EVERY Professional NEEDS To Know
Leila Gharani
1.2M
Microsoft Tenant to Tenant Migration | Cross Tenant Migration - Part 1
Concept Works
22K
How to relay emails from application using Office 365 | Client Submission, Direct Send, Smtp Relay
Office365Concepts
35K
Sketchup House Design 6 EXT INT + Enscape 2.4 Realtime Rendering
Rio Ryne
3.1M
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.