SPF, DKIM, DMARC?

  • Question

  • We have been receiving a lot of spoofed and phishing emails lately and I’d like to see if I can do something about it on our Exchange 2013 Standard server and I have a couple of questions in doing so. 

    I’ve read on the web that if we setup a SPF record (which we do), DKIM, and a DMARC in our DNS record it should help. 

    1. If we were to add the DKIM and DMARC entries to our DNS what would be the con in doing it, if any?
    2. What would happen if an email comes from someone that doesn’t use SPF, DKIM, or DMARC? Would we receive the email or would it bounce back to the sender with an error?


    PennyM

    Wednesday, May 15, 2019 10:40 PM

Answers

  • 1. None.

    2. These measures are for mail sent from your domain, not into yours.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by Penny Miller Thursday, May 16, 2019 1:57 PM
    Thursday, May 16, 2019 2:13 AM
    Moderator

All replies

  • Hi,

    Here is some information about SPF, DKIM and DMARC:

    SPF is a system to declare and verify who can send e-mails from a given domain. The receiving host checks if the sending host is allowed to send e-mails from the sender domain.

    DKIM is an e-mail authentication system based on asymmetric cryptographic keys. The sending host signs email body and/or headers with its private key. The receiving host verifies the signature, identifying if the fields are intact.

    DMARC is an e-mail authentication system that helps determine what to do when messages fail SPF or DKIM checks.

    We don't have to worry about if the sender uses SPF, DKIM, or DMARC. You can check this blog to learn more about how they work: DKIM/SPF/DMARC Verification and Authentication in Exchange Server - Tutorial

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Thursday, May 16, 2019 6:44 AM
    Moderator
  • 1. You can add that, however - adding a dmarc with p=reject or p=quarantine would be potentially bad for you if you failed the authentication on your emails. Also if you have partners sending on your behalf using your domains and they are not authenticating, their emails would be blocked. So add a dmarc with p=none and collect the reports in some suitable system and work to identify all the senders. Each external sender could then use a new subdomain which you would delegate to them allowing them to send as that new domain. Once you know your full mailflow you could go to a more invasive policy.

    2. Basically you decide. A non-existing dmarc record is basically the same as p=none - you don't reject anything. But it is up to you to configure your gateway to handle spf, dkim and dmarc verification and then set the policy accordingly.

    Monday, October 21, 2019 1:52 PM
  • DMARC partly true - you're missing one very important thing. 

    Alignment. Yes, you check spf and dkim, but you also need to make sure that the header-from and envelope-from match, OR that the domain part of the dkim key (d=xxxxx) is aligned with your header-from. If both of these fail, dmarc will not pass.

    Sometimes boolean expressions make sense.

    [DMARC = TRUE] = [(SPF Auth = TRUE) AND (SPF Align = TRUE)] OR [(DKIM Auth = TRUE) AND (DKIM Align = TRUE)]

    SPF align means that the mailfrom domain = Header From domain (or a subdomain of it)

    DKIM align means that the d value in the Signature = Header From domain (or a subdomain of it)

    Monday, October 21, 2019 1:56 PM
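The boolean expression in the last reply, and the p=none / quarantine / reject outcome discussed in the reply before it, as an added example in Python (not code from the thread or from any of its posters). Domain names are constructed samples, and the organizational-domain lookup is simplified to the last two labels rather than the Public Suffix List that real verifiers use.

```python
# Added example, not from the forum thread: implements the DMARC evaluation
# spelled out as a boolean expression above, plus the p= policy outcome.
# Domain names used with it are constructed samples.
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    # Simplification (assumption): organizational domain = last two labels.
    # Real verifiers consult the Public Suffix List to handle e.g. co.uk.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, header_from: str, strict: bool = False) -> bool:
    # Relaxed alignment: same organizational domain (subdomains count).
    # Strict alignment (aspf=s / adkim=s): exact domain match required.
    candidate, header_from = candidate.lower().strip("."), header_from.lower().strip(".")
    if strict:
        return candidate == header_from
    return org_domain(candidate) == org_domain(header_from)


@dataclass
class AuthResults:
    header_from: str              # domain in the RFC 5322 From: header
    mail_from: str                # envelope-from (MAIL FROM) domain SPF was checked against
    spf_pass: bool                # SPF verdict for mail_from
    dkim_d: Optional[str] = None  # d= tag of the verified DKIM signature, if any
    dkim_pass: bool = False       # DKIM signature verified


def dmarc_pass(r: AuthResults, strict: bool = False) -> bool:
    # [DMARC] = [SPF auth AND SPF align] OR [DKIM auth AND DKIM align]
    spf_ok = r.spf_pass and aligned(r.mail_from, r.header_from, strict)
    dkim_ok = bool(r.dkim_pass and r.dkim_d and aligned(r.dkim_d, r.header_from, strict))
    return spf_ok or dkim_ok


def policy_action(passed: bool, policy: str) -> str:
    # p=none (or no record at all): deliver and only report; otherwise apply p=.
    if passed or policy not in ("quarantine", "reject"):
        return "deliver"
    return policy
```

A message whose SPF passes for a bulk sender's own domain while the From: header carries your domain fails alignment and therefore DMARC, which is exactly the spoofing case a p=quarantine or p=reject policy is meant to catch once your legitimate senders are aligned.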