If you're using Gmail or Google Workspace,
migrate to Microsoft 365. Sorry, not sorry. Google Workspace, G Suite,
whatever it's calling itself these days, is a terrible business
email platform. What's up, everyone? My name is Terry and this is my lab. Today we're talking about email security. I feel like every time that I open up
Reddit, I see a post on all the system admin related subreddits asking about SPF, DKIM, DMARC, spam filters, etc. It's a daily occurrence. Then when I go to YouTube,
there's always a video in my recommended feed of "My channel got hacked, this is how it happened" or something
along those lines. Most notably was Linus Media Group. They recently had three channels
compromised, and you might be saying
to yourself, "Terry, why are we talking about YouTube
and email security in the same breath?" At the end of the day, the root cause of that is email security. For the YouTubers, it was a bad email with a bad tag
that came in and took over the browser session cookies
that they had for the channel and took it down. So if SPF, DKIM and DMARC sound more like sunscreen, Chinese food
and Denmark to you, then stay tuned. We'll break it all down
and configure a spam filter. The unofficial first step is
if you're using Gmail, Google Workspace,
migrate to Microsoft 365. Sorry,
not sorry. Google Workspace, G Suite, whatever it's calling itself these days,
is a terrible business email platform. Migrate now, solve
half your problems right off the bat. Originally the argument for Google
Workspace was it was cheaper than Microsoft,
so you would save money at scale, which if you look
at licensing today, that's not even a factor anymore. It's the same price regardless. But with Microsoft, you have more features. Along with that,
there is a misconception that if you want to have a YouTube channel,
you have to use Gmail for the email. That is 100% completely wrong. You just have to have a Google account
and then you can log in and get to AdSense, YouTube,
Google Trends, etc. It's just
you won't have email through Google, which is a good thing
because it's a terrible platform. All right, rant over.
Before we dive into it, how is your email set up right now? Are you using Gmail
with a personal email account? Do you have Microsoft 365?
Have you configured a spam filter? Haven't configured these DNS records? Let me know down below
and if I can be helpful to properly secure your environment. Your environment needs four things:
an SPF record, DKIM records, DMARC records
and an upgraded or third-party spam filter. The first three tell the world
where your legitimate email comes from and what to do with it. The last one protects you from the rest
of the world, the rest of the internet. I'm assuming at this point
that you already have a Microsoft 365 tenant
configured and sending and receiving email at least on the default domain
they provide you. If not, I have a two part video series
already recorded about how to do that. I'll link it either up here
or definitely down in the description. Start
with the SPF record because it comes with the out-of-the-box configuration.
The Sender Policy Framework or SPF record: this is effectively like a billboard
saying this is where my email comes from. And if you get an email from me
that didn't come from here, scrutinize it heavily. Most email platforms, Microsoft included, will generate the base record for you
automatically when you sign up. It basically says,
Hey, email comes from here and you just have to copy and paste it. If you use a third party service
like a CRM or your web hosting that also sends email on your behalf, you will have to update the record
with those services' details. As you can see, for my record here,
I have an IP address listed in it. This is the IP address of my website
because it does send email notifications out. If you're uncomfortable
with building a record manually, there are multiple online
SPF record builders where you just collect all the information for your services,
throw it in there, and it spits out a record you can copy and paste.

DKIM or DomainKeys Identified Mail uses digital signatures
to do some email validation magic. Essentially, once you turn it on, Exchange
Online creates a key pair. The private key is stored
in Exchange Online and used to encrypt the email message
header when you go to send an outbound email.
The public key is stored as a text file in your public DNS,
so when the recipient's email server or spam filter receives your message,
it uses the public key to decrypt the message. If the encryption is successful,
then the spam filter knows that the message
wasn't tampered with in transit. If it was unsuccessful,
then it knows it has been messed with and it's going to most likely reject it. Configuring DKIM is just as easy
as configuring SPF. The easiest way to do
it is to go to https://Security.Microsoft.com/DKIMv2 and sign in with admin privileges for all of your domains, but select the domain
you want to start with and turn it on. And then after that,
basically you just have to copy and paste the two records that it provides here
into your public DNS, which, look at this, looks like the Microsoft Office window
here screwed up the formatting on it. So the hardest part of this whole thing
here is if this happens to you, you just got to clean this
formatting up in Notepad as you can see I'm doing and then copy
and paste it and you're done. Or at least move on to your next domain. But then you're done. That's all you have to do.

DMARC or Domain-based Message Authentication,
Reporting and Conformance works with DKIM and the SPF record. For whatever reason, as email technology
has progressed over the years, two fields were created to denote
where an email message comes from:
the MAIL FROM field and the From field. By default,
when a spam filter checks a message against the SPF record,
it only checks the MAIL FROM field. When you enable DMARC,
DMARC will go check the From field against the SPF record
and then, depending upon the outcome, if it is valid or not, will
then process the email based off of what is specified
in the DMARC record. Similar to an SPF record,
you can manually build a DMARC record or you can use a website
to build it for you. I'm going to use the website
to build it for me because there's a lot of fields
that are optional and I wanted to just make sure
all the syntax is correct. Once you go through and build the record,
you just create a new text record that has the hostname of _dmarc
and then paste the output from the website into the value
and you're off and running.

Now that we've got all of our records
created and uploaded to our DNS servers, let's go visit MxToolbox and make sure they are
all reporting correctly. You can see I got my SPF record right here. I got both my keys for DKIM right here and here. And then following that,
I have a DMARC record. Also, along with this,
if you're going to use a third-party spam filter, you're going to have to point your MX records to it. But for this last piece here with our spam
filter, in this case, I'm going to use Defender for Office 365, which means
I don't have to change my MX record.

Now that we have your email environment
configured to show the world where your email comes from, now let's protect your email from the world. If you're new to email administration
or if you're a YouTuber that isn't tech focused, you might be asking, isn't
the built in spam filter good enough? If you're good at something,
never do it for free. No, it's not. Now, these compromises,
they get around that for the vendors, Google, Microsoft,
they all make upgrade products. There's third party products. Let's just dive into some licensing pieces
here. Defender for Office 365 is an add-on SKU. In most cases,
the only Microsoft SKUs that it's included with is Microsoft E5 two. So the top-end
one that includes everything. Otherwise there are two plans available:
plan one and plan two. Plan one, that will
cover most people, $2 per user per month. And then plan two allows you to do threat remediation,
hunting and end-to-end investigation of an email breach and training simulation;
that is $5 per user per month and is also included with Microsoft
E5. To enable Defender for Office 365,
all you have to do is purchase licensing,
or it's already turned on if you have E5 licensing.
The one advantage of using Defender for Office 365 is you don't have to update
your DNS records to redirect mail. It's all in Microsoft's ecosystem. That part is already done. Once you have licensing,
it will not do anything until you configure all these for it
or if you buy E5, you're using a third party one. The service is turned on but isn't doing
anything. To enable Defender for Office 365,
we have to go into the security center
and start creating policy. Once you're in there,
go and read threat policies. You have two options. Either you can go through
each one of these items line by line and configure it manually,
or you can use the preset option and set a standard set of presets
for all of them, all in one shotgun blast.
Depending upon where you're starting at, I would recommend two different things
here. If you're in an existing email
environment, maybe you had a third-party email solution
that, like, now you're using Defender, but you have production email flowing
at the time you're configuring this, start with balanced and work your way up just so we can catch any email-related
things you may not know about, so you don't actually block login. If you're sitting
in this environment as a greenfield thing where there's nothing existing,
you don't have to worry about it. Then go to strict right off the bat and
then just make sure everything's in line. Watch the logs. But if you don't have anything previously configured,
then you can go off to the highest levels and be good to go.
Depending upon the organization and your email security, you might have a mix
of the balanced preset and the strict preset. It could be a situation where most of
the employees are underneath balanced, but then your C-level employees
are underneath strict. It's just an ebb and flow on what does
Microsoft do, how do you use email, how big the organization is
and what your requirements are. I am configuring the balanced preset
and now I'm going to work my way up.

Working your way up
to a more secure environment: really one
pathway, one and a half technically. So there's two viewpoints
that will give you recommendations from Microsoft on what to do to increase
your security. There's your security score,
which is just a subset of the high-level
items to make sure you have in place to protect yourself and
gauge how you're doing overall. And then there's the configuration
analyzer, which then will break down the balanced preset and the strict preset
and what you can do to work your way up into a more secure,
more protected environment. Let's go through the configuration analyzer first
and then go through the secure score. With the configuration analyzer, you see a list of items here
and you just go through them one by one. Most of them will get applied when you
just check the box and say Apply policy. There's some of the antispam
anti-phishing ones that you have to go through and set it
manually or create a manager. But most of all, the checkbox will just apply it
and it is set as your new default setting. The Security Center secure score is Microsoft's high-level metric
to be able to, at a glance, show how secure your environment
is. In this conversation, this covers more than just email
and just Defender for Office 365, but you can go in there and see what high
level items that it has detected
for your email environment and you can quickly knock those off
to secure your environment further. In this case,
it has detected for Defender specifically that I do not have a Safe
Links policy configured and if I do it
it will raise my score by 4%. The main difference, too,
with the secure score versus the configuration analyzer is that
the secure score doesn't do it for you. You've got to manually go
look at the implementation tab and go and configure it,
which isn't the end of the world. It's just not a one click thing
like the configuration analyzer. Furthermore,
because the secure score covers the entire environment and every product, it is going to recommend options for you
for other products outside of email, and things you
probably don't have licensing for. If you want to knock that item off
the list, you'd have to upgrade your licensing
with Microsoft. Obviously, review the stuff
internally with the IT teams, security teams, etc.
to see if you need it or if you're handling it
in other ways and mark it as such. But the secure score is a high level
holistic approach and things to do to make your environment
more secure, whereas the configuration analyzer is specifically for Defender
for 365 and the policies with it.

Lastly, before we end this video,
you just made a bunch of changes to your email environment. You got to monitor it
to make sure you didn't over-configure some stuff and block legitimate
email. Keep an eye on the report center after you make changes.
If you're familiar with Office 365, obviously there's some lag time
between when the records appear and when things happen. But you know, if you make a change, monitor
24 or 48 hours, make sure everything is good,
make another change, or, you know, ignore everything I just said and follow your security policy,
whichever one applies to you. In that case, keep an eye on the reports
so you know everything that is quarantined,
everything that has failed. Those will tell you if it's working
appropriately or if you over-configured or if you missed something. But then beyond that, you are good to go.

Thank you for watching this video. Again, this is a high-level "how do you secure your environment,
how do you protect yourself, how do you protect your business or YouTube channel from being compromised".
If you made it this far, thank you. Please consider giving me a thumbs up and subscribing.
I covered a lot in a very short period of time here. So if you do have further questions or
if you want my opinions about other email-related items, please feel free to reach out
and leave a comment below. I'll do my best to answer it
in a timely manner. Otherwise,
keep building. See you next time.
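
An offline syntax check for the SPF and DMARC TXT values the video describes publishing, as an added example that is not part of the original transcript. The function names, the documentation-range IP address and the example.com addresses are constructed for illustration, and the lookup count covers only the terms written in the record itself, not those pulled in by nested includes.

```python
import re

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample values: a website IP plus the Microsoft 365 include.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.25 include:spf.protection.outlook.com -all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

def lint_spf(txt):
    """Return a list of problems found in one SPF TXT record value."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    problems = []
    lookups = 0
    for term in terms[1:]:
        # Drop the qualifier, then cut at the first ':', '=' or '/'.
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        problems.append("ends in +all: any sender passes")
    elif last not in ("-all", "~all", "?all") and not last.startswith("redirect="):
        problems.append("no terminating all mechanism or redirect")
    return problems

def lint_dmarc(txt):
    """Return a list of problems found in one _dmarc TXT record value."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["first tag must be v=DMARC1"]
    tags = dict(pairs)
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    elif policy == "none":
        problems.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports")
    return problems
```

Run it against the values copied from the DNS host before publishing; an empty list means none of these checks fired, not that receivers will accept the mail.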