Intro to SPF, DKIM, and DMARC

Captions
Hey guys, it's Nick. Welcome to another episode of T-Minus365. Today's lesson, I'm going to be covering SPF, DKIM, and DMARC records within Office 365. These three tools help you to authenticate mail senders and ensure the destination email systems trust messages sent from your domain. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email.

Sender Policy Framework, or SPF, helps validate outbound emails sent from your custom domain. Here in this example we have Luke's Lightsabers. Luke's recently set up a TXT record in the DNS settings for their primary domain, lukeslightsabers.net. This record is publicly available to look up, and it's basically saying that all of Luke's mail should be coming from Microsoft's email servers. In this example, a sender in Luke's org sends an email to someone outside the organization. The recipient's email server performs a DNS lookup to see where the public records are for Luke's domain. It can see the new SPF TXT record that shows the IP addresses for Microsoft servers. Since these records match the sender's IP, the message is approved and sent to the recipient. If the SPF lookup was to fail, the message would be likely marked as spam, so it would end up in the user's junk folder or in quarantine.

It is a great first layer for protection, but SPF has its limitations. A good example of this is a forward of email. When an email is forwarded, it's possible the SPF will fail and create false positives. For this reason we need more ways to prove that the forwarded email was still an authenticated sender. This is where DKIM comes into play.

DKIM stands for DomainKeys Identified Mail. DKIM lets you add a digital signature to email messages in the message header. Email systems that get email from your domain can use this digital signature to help verify whether incoming email is legitimate. Back in our example here, now Luke is going to adopt DKIM, so they publish new CNAME records in their DNS settings. The records act as a public key. Email sent from Luke's, it will basically have what you can think of as a watermark, something that stays with the email no matter what and also ensures emails have not been tampered with. When a sender pushes out an email to the recipient server, it's basically performing a similar lookup to what we had with the SPF record, and it grabs this public key from the DNS records of lukeslightsabers.net. If the public key and the private key match, the DKIM results pass and the message is delivered.

Lastly, we need one more layer to help us detect legitimate senders and avoid spoofing events. An email message may contain multiple originator and sender addresses. One of these can be the MAIL FROM address, that identifies the sender and specifies where to send return notices if any problems occur with the delivery of the message, such as a non-delivery notice. This is the field that the SPF is performing checks on. There's also the From address, which is the address displayed in the From address section by your mail application, like Outlook or the Outlook client on your desktop. This address identifies the author of the email. Looking at this example, we can see the MAIL FROM address is phish@phishing.contoso.com and the From address is security@woodgrovebank.com. If the phishing address there is sending from Microsoft servers, then it can still pass SPF checks without checking the authentication of the woodgrovebank.com domain. DMARC solves for this. When you use DMARC, the receiving server also performs a check against the From address.

All three of these services work together, and you should set up all records versus just adding one like DMARC. For instance, DMARC checks rely on DKIM records being set up for custom domains. SPF, DKIM, and DMARC records can be set up within your DNS settings for your primary domain, so you'll have to log into your primary DNS registrar and go in to update those records. Microsoft has plenty of documentation on what those records should look like, so I'll let you follow that versus taking you through that experience.

There is actually one setting that you'll have to configure within the Defender admin center for DKIM records, so let's go ahead and pop into that admin portal so I can show you that now. Okay, I'm here within the portal. I'm going to go under the Email & collaboration setting to Policies & rules. Under this section here, I'm going to wait for this to load, and I'm going to go under the Threat policies section. Here I'm going to click into the DKIM section under Rules. On this page you'll see all the listed domains that you have within your tenant, and I can click into my primary domain here. I've actually already enabled this for security within my tenant, but you'll want to go ahead and turn this on so that you have that enabled within your environment.

Take note that before you enable this setting, you'll want to make sure that you add the proper CNAME records and have given it enough time for them to propagate. Otherwise, when you try to toggle this on, you will get an error message about the public access of those DNS records not being available yet and that CNAME not being published. So just note that if you get an error, you may just have to wait a little bit longer. Depending on your DNS registrar, you have some type of propagation time after you create records, so just note that.

That's everything I wanted to showcase for you guys in this episode on configuring SPF, DKIM, and DMARC records. Stay tuned for my next episode; we'll be going through the attack simulation training functionality within Microsoft's Defender for Office 365. Thanks guys, have a great day.
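
The DMARC check described in the transcript, where the receiver compares the domains authenticated by SPF and DKIM against the From address, as an added example that is not from the video or from Microsoft. The DMARC records, the `luke@` and `bounce`-style addresses, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC identifier-alignment check.
# Assumption: organizational domain = last two labels (fine for .com/.net);
# real receivers use the Public Suffix List.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); anything else = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; adkim=...; aspf=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def evaluate_dmarc(record, header_from, mail_from, spf_result, dkim_results):
    """dkim_results: (d= domain, result) per signature. Returns (verdict, policy)."""
    tags = parse_dmarc(record)
    from_domain = header_from.rsplit("@", 1)[-1]
    spf_ok = spf_result == "pass" and aligned(
        mail_from.rsplit("@", 1)[-1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, result in dkim_results)
    # DMARC passes when at least one mechanism both passes and aligns with From.
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", tags.get("p", "none"))

# Constructed inputs; the DMARC records are hypothetical, not real DNS data.
SPOOF = evaluate_dmarc("v=DMARC1; p=reject", "security@woodgrovebank.com",
                       "phish@phishing.contoso.com", "pass", [("contoso.com", "pass")])
FORWARDED = evaluate_dmarc("v=DMARC1; p=quarantine", "luke@lukeslightsabers.net",
                           "luke@lukeslightsabers.net", "fail",
                           [("lukeslightsabers.net", "pass")])

if __name__ == "__main__":
    print("spoofed From:", SPOOF)
    print("forwarded mail:", FORWARDED)
```

The first case passes SPF and DKIM for contoso.com yet fails DMARC because neither aligns with the woodgrovebank.com From address; the second fails SPF after forwarding but passes DMARC on the aligned DKIM signature.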
Info
Channel: T-Minus365
Views: 23,586
Id: r-Qz52BUL6E
Length: 5min 43sec (343 seconds)
Published: Thu Nov 11 2021