Microsoft 365 Email Security: Configuring SPF, DKIM, DMARC and Defender for Office 365

Captions
If you're using Gmail or Google Workspace, migrate to Microsoft 365. Sorry, not sorry. Google Workspace, G Suite, whatever it's calling itself these days, is a terrible business email platform.
What's up, everyone? My name is Terry and this is my lab. Today we're talking about email security. I feel like every time that I open up Reddit, I see a post on all the system admin related subreddits asking about SPF, DKIM, DMARC, spam filters, etc. It's a daily occurrence. Then when I go to YouTube, there's always a video in my recommended feed of "My channel got hacked, this is how it happened" or something along those lines. Most notably was Linus Media Group. They recently had three channels compromised, and you might be saying to yourself, "Terry, why are we talking about YouTube and email security in the same breath?" At the end of the day, the root cause of that is email security. For the YouTubers, it was a bad email with a bad tag and came in and took over their browser session cookies that had for the channel and took it down. So if SPF, DKIM and DMARC sound more like sunscreen, Chinese food and Denmark to you, then stay tuned. We'll break it all down and configure a spam filter.
The unofficial first step is: if you're using Gmail, Google Workspace, migrate to Microsoft 365. Sorry, not sorry. Google Workspace, G Suite, whatever it's calling itself these days, is a terrible business email platform. Migrate now, solve half your problems right off the bat. Originally the argument for Google Workspace was it was cheaper than Microsoft, so you would save money at scale, which, if you look at licensing today, that's not even a factor anymore. It's the same price regardless. But with Microsoft, you have more features. Along with that, there is a misconception that if you want to have a YouTube channel, you have to use Gmail for the email. That is 100% completely wrong. You just have to have a Google account and then you can log in and get to AdSense, YouTube, Google Trends, etc.
It's just you won't have email through Google, which is a good thing because it's a terrible platform. All right. Rant over.
Before we dive into it: how is your email set up right now? Are you using Gmail with a personal email account? Do you have Microsoft 365? Have you configured a spam filter? Haven't configured these DNS records? Let me know down below and if I can be helpful.
To properly secure your environment, your environment needs four things: an SPF record, DKIM records, DMARC records, and an upgraded or third-party spam filter. The first three tell the world where your legitimate email comes from and what to do with it. The last one protects you from the rest of the world, the rest of the internet. I'm assuming at this point that you already have a Microsoft 365 tenant configured and sending and receiving email, at least on the default domain they provide you. If not, I have a two-part video series already recorded about how to do that. I'll link it either up here or definitely down in the description.
Start with the SPF record, because it comes with the out-of-the-box configuration. The Sender Policy Framework, or SPF, record is effectively like a billboard saying this is where my email comes from, and if you get an email from me that didn't come from here, scrutinize it heavily. Most email platforms, Microsoft included, will generate the base record for you automatically when you sign up. It basically says, "Hey, email comes from here," and you just have to copy and paste it. If you use a third-party service like a CRM or your web hosting that also sends email on your behalf, you will have to update the record with those services' details. As you can see, for my record here, I have an IP address listed in it. This is the IP address of my website, because it does send email notifications out.
If you're uncomfortable with building a record manually, there are multiple online SPF record builders: you just collect all the information for your services, throw it into there, and it spits out a record you can copy and paste.
DKIM, or DomainKeys Identified Mail, uses digital signatures to do some email validation magic. Essentially, once you turn it on, Exchange Online creates a key pair. The private key is stored in Exchange Online and used to encrypt the email message header when you go to send an outbound email. The public key is stored as a text file in your public DNS, so when the recipient's email server or spam filter receives your message, it uses the public key to decrypt the message. If the encryption is successful, then the spam filter knows that the message wasn't tampered with in transit. If it was unsuccessful, then it knows it has been messed with and it's going to most likely reject it.
Configuring DKIM is just as easy as configuring SPF. The easiest way to do it is to go to https://Security.Microsoft.com/DKIMv2 and sign in with admin privileges for all of your domains, but select the domain you want to start with and turn it on. And then after that, basically you just have to copy and paste the two records that it provides here into your public DNS, which, look at this, looks like the Microsoft Office window here screwed up the formatting on it. So the hardest part of this whole thing here is, if this happens to you, you just got to clean this formatting up in Notepad, as you can see I'm doing, and then copy and paste it and you're done. Or at least move on to your next domain. But then you're done. That's all you have to do.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, works with DKIM and the SPF record. For whatever reason, as email technology has progressed over the years, two fields were created to denote where an email message comes from: the mail from field and the from field.
By default, when a spam filter checks a message against the SPF record, it only checks the mail from field. When you enable DMARC, DMARC will go check the from field against the SPF record and then, depending upon the outcome, if it is valid or not, will then process the email based off of what is specified in the DMARC record. Similar to an SPF record, you can manually build a DMARC record or you can use a website to build it for you. I'm going to use the website to build it for me, because there's a lot of fields that are optional and I wanted to just make sure all the syntax is correct. Once you go through and build the record, you just create a new text record that has the hostname of _dmarc and then paste the output from the website into the value, and you're off and running.
Now that we've got all of our records created and uploaded to our DNS servers, let's go visit MxToolbox and make sure they are all reporting correctly. You can see I got my SPF record right here. I got both my keys for DKIM right here and here. And then following that, I have a DMARC record. Also, along with this, if you're going to use a third-party spam filter, you're going to have to point your MX records to it. But for this last piece here with our spam filter, in this case, I'm going to use Defender for Office 365, which means I don't have to change my MX record.
Now that we have your email environment configured to show the world where your email comes from, now to protect your email from the world. If you're new to email administration, or if you're a YouTuber that isn't tech focused, you might be asking, "Isn't the built-in spam filter good enough?" If you're good at something, never do it for free. No, it's not. Now, these compromises, they get around that. For the vendors, Google, Microsoft, they all make upgrade products. There's third-party products. Let's just dive into some licensing pieces here. Defender for Office 365 is an add-on SKU.
In most cases, the only Microsoft SKUs that it's included with is Microsoft E5 two. So the top-end one that includes everything. Otherwise there are two plans available, Plan 1 and Plan 2. Plan 1, that will cover most people, is $2 per user per month. And then Plan 2 allows you to do threat remediation, hunting and end-to-end investigation of an email breach and training simulation; that is $5 per user per month and is also included with Microsoft E5.
To enable Defender for Office 365, all you have to do is purchase licensing, or it's already turned on if you have E5 licensing. The one advantage of using Defender for Office 365 is you don't have to update your DNS records to redirect mail. It's all in Microsoft's ecosystem. That part is already done. Once you have licensing, it will not do anything until you configure all these for it or if you buy E5, you're using a third party one. The service is turned on but isn't doing anything.
To enable Defender for Office 365, we have to go into the Security Center and start creating policy. Once you're in there, go and read threat policies. You have two options. Either you can go through each one of these items line by line and configure it manually, or you can use the preset option and set a standard set of presets for all of them, all in one shotgun blast. Depending upon where you're starting at, I would recommend two different things here. If you're in an existing email environment, maybe you had a third party email solution that like it's now you're using Defender, but you have production email flowing at the time you're configuring this, start with balanced and work your way up, just so we can catch any email-related things you may not know about, so you don't actually block login. If you're sitting in this environment as a greenfield thing where there's nothing existing, you don't have to worry about it. Then go to strict right off the bat and then just make sure everything's in line. Watch the logs.
But if you don't have a previously configured, then you can go off to the highest levels and be good to go. Depending upon the organization, your email security, you might have a mix of the balanced preset and the strict preset. It could be a situation where most of the employees are underneath balanced, but then your C-level employees are underneath strict. It's just an ebb and flow on what does Microsoft do, how do you use email, how big the organization is and what your requirements are.
I am configuring the balanced preset, and now I'm going to work my way up. Working your way up to a more secure environment: really one pathway, one and a half technically. So there's two viewpoints that will give you recommendations from Microsoft on what to do to increase your security. One is your security score, which is just a subset of the high-level items to make sure you have in place to protect yourself and gauge how you're doing overall. And then there's the configuration analyzer, which then will break down the balanced preset and the strict preset and what you can do to work your way up into a more secure, more protected environment. Let's go through the configuration analyzer first and then go through the secure score.
With the configuration analyzer, you see a list of items here and you just go through them one by one. Most of them will get applied when you just check the box and say "Apply policy." There's some of the anti-spam and anti-phishing ones that you have to go through and set it manually or create a manager. But most of all, the checkbox will just apply it and it is set as your new default setting.
The Security Center secure score is Microsoft's high-level metric to be able to at a glance show how secure your environment is in this conversation.
This covers more than just email and just Defender for Office 365, but you can go in there and see what high-level items it has detected for your email environment, and you can quickly knock those off to secure your environment further. In this case, it has detected for Defender specifically that I do not have a Safe Links policy configured, and if I do it, it will raise my score by 4%. The main difference, too, with the secure score versus the configuration analyzer is that the secure score doesn't do it for you. You've got to manually go look at the implementation tab and go and configure it, which isn't the end of the world. It's just not a one-click thing like the configuration analyzer. Furthermore, because the secure score covers the entire environment and every product, it's going to recommend options for you for other products outside of email, and things you probably don't have licensing for. If you want to knock that item off the list, you'd have to upgrade your licensing with Microsoft. Obviously, review the stuff internally with the IT teams, security teams, etc. to see if you need it or if you're handling it in other ways, and mark it as such. But the secure score is a high-level holistic approach and things to do to make your environment more secure, whereas the configuration analyzer is specifically for Defender for Office 365 and the policies with it.
Lastly, before we end this video: you just made a bunch of changes to your email environment. You've got to monitor it to make sure you didn't over-configure some stuff and block legitimate email. Keep an eye on the report center after you make changes. If you're familiar with Office 365, obviously there's some lag time between when the records appear and when things happen. But, you know, if you make a change, monitor for 24 or 48 hours, make sure everything is good, make another change, or, you know, ignore everything I just said and follow your security policy, whichever one applies to you.
In that case, keep an eye on the reports so you know everything that is quarantined, everything that has failed. Those will tell you if it's working appropriately, or if you over-configured, or if you missed something. But then beyond that, you are good to go.
Thank you for watching this video. Again, this is a high-level "How do you secure your environment? How do you protect yourself? How do you protect your business or YouTube channel from being compromised?" If you made it this far, thank you. Please consider giving me a thumbs up and subscribe. I covered a lot in a very short period of time here, so if you do have further questions or if you want my opinions about other email-related items, please feel free to reach out and leave a comment below. I'll do my best to answer it in a timely manner. Otherwise, keep building. See you next time.
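The From-versus-MAIL-FROM check described in the captions, worked through as an added example that is not part of the video: a receiver-side DMARC evaluation per RFC 7489, where a message passes if SPF or DKIM passes for a domain aligned with the visible From domain. The function names, the domains and the record are constructed, and `org_domain` is a simplification (real receivers use the Public Suffix List).

```python
# Added example: DMARC record parsing plus identifier alignment (RFC 7489).
# All domains and records below are constructed for illustration.

def parse_dmarc(txt):
    """Parse a _dmarc TXT value into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags

def org_domain(domain):
    # Assumption: last two labels. Only correct for suffixes like .com or
    # .test; production code must consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, authenticated, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return header_from.lower() == authenticated.lower()
    return org_domain(header_from) == org_domain(authenticated)

def dmarc_disposition(record, header_from, spf_pass, mail_from,
                      dkim_pass, dkim_d):
    """Return 'pass', or the policy (none/quarantine/reject) to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(header_from, mail_from,
                                  tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_d,
                                    tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed record: quarantine on failure, strict DKIM alignment.
RECORD = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # SPF passes for a third-party bounce domain, but From is example.com.
    print(dmarc_disposition(RECORD, "example.com", True,
                            "bounce.mailer.test", False, ""))
    # Same message once the sender signs with d=example.com.
    print(dmarc_disposition(RECORD, "example.com", True,
                            "bounce.mailer.test", True, "example.com"))
```

The first call shows why a third-party sender that only passes SPF for its own bounce domain still fails DMARC until it also signs with the From domain's DKIM key.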
Info
Channel: TDSheridan Lab
Views: 7,257
Keywords: Configuring SPF, DMARC, How to configue Exchange Online Protection, How to configure DKIM, How to configure SPF, dkim, dkim record, dkim setup, dmarc explained, dmarc policy, dmarc record, dmarc record tutorial, dmarc setup, email security, email security best practices, how to configue exchange online protection, how to configure a spam filter, microsoft 365, office 365, office 365 email security, tdsheridan lab, tdsheridanlab, what is dmarc, what is dmarc?
Id: RZIPyg22XiY
Length: 14min 23sec (863 seconds)
Published: Mon Apr 24 2023