Microsoft 365 SPF, DKIM and DMARC; Improve Your Email Security!

In today's video we're going to talk about three settings in Microsoft 365 that can vastly increase your email security, and worryingly, most companies who I come across are only using one. Now stay behind to the end, because I'm going to give you a full demo on how to implement these settings into your Microsoft 365.

Before we start, just a quick intro. My name is Jonathan Edwards, from a company called Integral IT. We help businesses all over the world with their Microsoft 365 and their cyber security.

Now, it's no secret that the majority of cyber attacks actually originate from email, and it doesn't surprise me, because so many people don't set up their email correctly. That is what today's video is all about. We're going to go through three settings that you can implement free of charge in Microsoft 365 that will increase the security of your email.

Now, throughout this video I just want you to keep this analogy in mind: you write a letter, you put it into an envelope, and you put it into a post box. I know it seems a bit old-fashioned, but it's a really good way to understand what I'm about to show you.

Now, the first setting is called SPF. That stands for Sender Policy Framework; the name isn't really important. By adding an SPF record to your domain, you're essentially telling people what email system you're using. So pretend I've got an email address which is Jonathan b365, and for my email I'm using Microsoft 365. I would go into my domain record for b365 and I would add Microsoft 365 as my SPF record. I'll start sending email, and when I send an email to someone, their email server will look at where my email has come from. In this case it's come from Microsoft 365. It will then perform a quick check, a quick SPF check, and it'll say, "Where is this email supposed to come from?" And the answer is Microsoft 365. So because there's a match, my email will pass the SPF.

So this is where we can start talking about that letter analogy. I've written a letter and I've put it into an envelope and
I've posted it to someone else. When they receive that letter, they can look on the back at the from address and they can see it's from me. That's a little bit like SPF. Now, SPF is where most businesses usually stop. They implement it, but they ignore the other two security settings.

So what are the other two security settings? The next security setting is called DKIM, and that stands for DomainKeys Identified Mail, but we don't need to remember that. So I've sent that letter to someone, and someone's received it, and my name is on the back; they know that envelope is from me. But what about the contents? What about the letter inside? How do they know that someone hasn't tampered with my letter inside the envelope? Well, this is where DKIM comes into play. DKIM uses digital signatures, and if those digital signatures are verified, it means the contents of that letter, or the contents of the email, haven't been tampered with. So SPF and DKIM work really well together. With SPF we know that the envelope has come from me, and with the addition of DKIM we know the contents of that email, or the contents of that letter, haven't been tampered with.

Well, how do we go a step further? Well, we implement the third security setting, which is called DMARC. So for DMARC you need to have SPF and DKIM already configured. So what is DMARC? What is the analogy here? So you've sent a letter in the post and it's arrived at its destination. Now the person who receives that letter, before they open it, gives you a call: "Hi, I've got your letter, but it's got no from address on the back and it might have been tampered with. What should I do with it?" "Hmm, if it's got no from address, it might not even be from me, so why don't you just throw it in the bin?"

So DMARC is a security setting that you can put on your email system. It tells recipient email servers what to do with email that purports to be from you if it has no DKIM or SPF record attached. So for example, you could set it so if an email arrives at a
recipient email server without a DKIM record, it should be rejected. This is a really professional way to set up your email system. You're showing the world that you take security really seriously.

So that's the theory on SPF, DKIM and DMARC. What I'm going to do now is jump on that computer behind me and give you a demo. Now, a word of caution here: I'm going to be playing with DNS records, so don't jump in and do this on your own domain without due diligence first, because you could stop email from working, and we don't want that.

So the first setting we're going to talk about today is SPF. Now, to configure that you're going to need access to a few things. Firstly, you need access to the Microsoft 365 Global Admin. Now, you can tell that my account has admin rights here because I've got a little Admin tab, so I can launch that. Now, this is just a test tenant that I use for videos and things like that. Now, if I go down to Show all, and we go to Settings and then Domains. Now, I've also got a test domain. It's called integral to; it's just a test domain. As its status, you can see it says "Incomplete setup".

The next thing you need access to at the same time is the DNS record for this domain. So you can see I've got it here with 123 Reg; you can see "Manage DNS for this domain". Now, these are all the DNS records.

Okay, now if I look at this domain, there's an online tool called MxToolbox; this is an SPF checker. So what you can do is simply type in a domain, so it can be integral to, and it can do an SPF lookup, and you can see that has failed. So we know this doesn't have an SPF record in place.

Okay, so what we need to do, if we go back to here and Domains, is click on the domain and then click on Continue setup, and Microsoft is going to take us through the setup of adding the domain to Microsoft 365 and, crucially, making sure it's done correctly. Okay, so we click on Continue, and then there's the screen where we add DNS records. So we can scroll down here. It's wanting three records, so if I just
expand these: it's wanting an MX record, that is for email deliverability; it's wanting a CNAME, which is for things like out of office; and then this one here is the SPF. So Microsoft is saying, "I want that in place." If we click on Continue, Microsoft will then perform a check on that DNS record to see what's in place. If we then scroll down, we can see we've got some green ticks here. That means that record is in place. We've got a tick there, but we've got an exclamation mark here. That is Microsoft telling us that this SPF is not in place.

So what we do: it's asking us to create a TXT record. So we go back to here, and all DNS registrars will be different, but it's the same kind of thing. So the type of record is not a CNAME, it's a TXT/SPF, so we click that. Then it's wanting a host name, so if we go back here, it basically tells us what to do. So the name is this one here, it's the @ sign. We can either type @ or just click on there and it will copy. We'll just paste that into there. And then the destination, if we go back to here, is this one here. So we click on Copy, because I don't want to type that out, and then we go back onto here and we click Add. So that has been added to the domain record.

Now what we can do is wait a few minutes. This process can take hours, it can take seconds. What I'll do now is just click on Continue to see if it's worked straight away. There you go, it has. It's all worked nicely. So I click on Done and just go back to Domains, and you can see here now my domain is healthy. So Microsoft has checked all the records, checked the SPF, and it's happy that those are in place. Just to confirm that, if I go back to here, let's just do an SPF lookup again, and you can see we've got a nice green box now. So that is all in place. That is how you do the SPF side. That is the easy bit.

The next record we're going to set up is the DKIM. So again, we go back to the admin portal here. We now go to the admin centers and we go to Security. Okay, once we're in here we want
to scroll down to Email & collaboration, which is here, and then Policies & rules. We then want to choose Threat policies, and then under Rules you can see Email authentication settings. So we'll click on there, and at the top there's ARC and there's DKIM, so we want DKIM. And you can see my domain is here, so I'm just going to select this domain here, and at the moment it says no DKIM keys have been saved for this domain. So we simply click on here, Create DKIM keys, and now we have the entries that we need.

So what we do now: we've got a host name and we've got a "points to". So we want to keep that on there. I'm going to copy that, and it might be easier if I just put this into a notepad. Okay, launch the notepad, and here we go. So I'm going to highlight the host name here like this, I'm going to copy that, and I'm going to go back to my DNS. The next type is a CNAME, and we're going to copy that into the host name, so it's selector1._domainkey. And go back to my notepad again, and then the address is this one here. Okay, so we'll just highlight that again, we'll copy it, and we'll put that into destination and we'll click Add. Okay, that's added. So we go back to my text document again. The next one is here: click on host name, click on destination, copy the selector2, put that in there, and then click on Add. So again, it can take a few seconds, it can take longer.

So now we've added those, let's click on this Disabled toggle here, and then what Microsoft will do is just check those CNAME records we've created. Now, you can see it's generated an error. That means Microsoft at the moment can't see these two CNAME records. So what I'll do is click on OK, I'll pause the video, and I'll come back to it in about five minutes.

Okay, so I've waited a few minutes. Let's go back into the domain now. We'll toggle this onto Enabled, and you can see that that has now enabled, so we can click on OK. So that's in an enabled state. So now at the bottom you can see a little button saying Rotate DKIM keys. So how
DKIM works: it works with public and private encryption keys. So the recommended approach is that at least every six months you will come in here and you will rotate those encryption keys. That's all you have to do. What that does is just recreate the private key, so it's good for security. Equally, if you have a bit of a cyber attack, or if you have a breach, then come in here immediately and rotate those keys. But for now, for me, that is DKIM all configured for our use.

So the third and final setting is called DMARC. Now, you can't have DMARC without SPF and DKIM, but once you've got these in place you can move on to DMARC. So I've got another little text document open here. Again, DMARC can sound quite complicated, but it doesn't have to be. So we've got to put another DNS record on our domain, so here are some options.

Okay, so first we've got the DMARC domain, so I can change this to my domain, so that would be integral to. The TTL, the time to live, will always be an hour in seconds; that's 3600. But the important bit is this here. Okay, so what we're saying here: the p here stands for policy. So at the moment it's saying none. So if I added this to my domain, what I'm telling recipient mail servers is: if you get an email from us that is missing an SPF or a DKIM, do nothing. Okay, so this is the recommended approach if you're just getting started with DMARC and you're just using it for testing: use a policy of none. The pct is the percentage of emails, so what we're saying is, for 100% of our emails, please don't do anything. And you can see down here we change the domain here again, so I'll just copy that, enter here, and copy that onto the domain for the other policies; just do it in its entirety so it's nice and neat.

The other policies here: we've got a policy of quarantine. So we're saying to recipient mail servers, if you get an email without DKIM or SPF, please quarantine the email. And the final one is reject it. And it's recommended you do it in this order: start with a none policy, monitor it, then go into
quarantine, and then maybe go into reject.

There's also a fourth one here. You can see that again the policy is none, but it's now got an email address. Okay, so what this is saying is: every day, please send an email, like a security analyst email, to this email address. Okay, so what you will get if you're monitoring this domain is some kind of security reporting to find out what is happening with DMARC. Now, this assumes that you're managing DMARC right from 365, which is fine, but what you've got to do is put the right DNS entry in.

So what I'm going to put in here: I'm going to change this email address, okay, and I'm going to make this, we'll call it service desk at integral to. So reports will be sent to this email address. Okay, this could be a service desk, it could be a cyber security analyst within your business. Also, the policy at the moment is set to none, so I would just set this at reject. It's not advisable to start with reject, it's advisable to start with none, but this is just for demonstration purposes.

Okay, what we need is this bit here, the _dmarc. We go back to our DNS, we want an SPF, we put that as the host name, and then in destination we copy this. It's this bit here, so it's the ears and everything in between. We copy that and we paste that into here. Once that DNS entry has been added, we just need to wait 5 or 10 minutes for it to kick in, so I'll just pause the video and I'll pop back shortly.

Okay, I've given that a few minutes. Now, there's a couple of tools that I can use online to test that our DMARC is in place and working. There's the old MxToolbox, which is very good for things. If I just type in there our domain and click on DMARC Lookup, you can see everything is in place there. There's also another tool that I want to talk to you about; that is called Valimail. Now, this links nicely with Microsoft 365. I'll talk about it more in a minute, but that's also got a DMARC checker. So again, if I plug my domain into here and click check
domain, you can see that we are protected. So that's how you do DMARC.

Now, just a little bit about Valimail. It's a third-party tool and you can use it to manage your DMARC, so it's really quite helpful. If you just go to here, you can see, for example, you would load all your domains into here, and then what you would do is go into settings, and what you can do is create various alerts. So you've got some alerts here: if a new service is detected, if there's suspicious sending. You can click on there, add a custom alert, and what you can do is get the weekly alerts, or you can get the daily alerts. So it's just a third-party tool, Valimail. It's very good, especially if you're managing multiple Microsoft 365 tenants.

So that is it. That is SPF, that is DKIM, and that is DMARC. So I hope you've enjoyed this video. I hope you see the value of SPF, DKIM and DMARC, and they're all free of charge, so get implementing them today. I look forward to seeing you again soon.
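
Added example, not part of the video: a small offline check of the SPF and DMARC record values the demo pastes into DNS, flagging a monitoring-only `p=none` policy, a partial `pct`, and a missing report address. The record strings are constructed samples on the placeholder domain example.com; the `rua` tag name and the Microsoft 365 include value come from the DMARC specification and Microsoft's documentation, not from the transcript.

```python
# Added example: offline audit of SPF and DMARC TXT record strings.
M365_INCLUDE = "include:spf.protection.outlook.com"  # Microsoft 365's SPF include

# Constructed sample records (example.com is a placeholder domain).
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC = "v=DMARC1; p=none; pct=100; rua=mailto:servicedesk@example.com"

def parse_dmarc(txt):
    """Split a DMARC record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return findings for the value of a _dmarc TXT record."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 tag missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none: monitoring only, receivers take no action")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        findings.append("pct must be an integer from 0 to 100")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports requested")
    return findings

def audit_spf(txt):
    """Return findings for an SPF TXT record used with Microsoft 365."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    if M365_INCLUDE not in terms:
        findings.append("Microsoft 365 include is missing")
    if terms[-1] not in ("-all", "~all"):
        findings.append("record does not end in -all or ~all")
    return findings

if __name__ == "__main__":
    print(audit_spf(SAMPLE_SPF), audit_dmarc(SAMPLE_DMARC))
```

An empty list means the record passed every check; the sample DMARC record returns the `p=none` finding, which matches the monitoring stage the video recommends starting from.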
