How to pass Microsoft’s email authentication requirements?

by DuoCircle

 

If your company’s mailboxes are in Exchange Online, Microsoft requires you to take email protection seriously. You are liable for protecting the integrity of email messages from senders in your domain. Your recipients should be confident enough to open emails from your domain, knowing you have already taken the measures to ward off phishing and spoofing attempts.

Email authentication is a set of standards that detect and prevent the delivery of emails sent by phishers and spoofers impersonating you or your employees. This blog will specifically discuss the four email security standards that Microsoft requires its users to implement in their mailboxes.

 

Microsoft’s requirements for sending emails

Here is what you need to consider if you regularly send emails from Microsoft Exchange Online-

 

spam folder

 

Sender Policy Framework (SPF)

SPF uses a TXT record that includes all the valid sources of mail from the MAIL FROM domain. It also consists of a way to instruct receiving mail servers on what to do if they get an email from an undefined source. You can set your SPF record to a Soft Fail to accept the message but place it in the spam folder, or a Hard Fail to reject the message outright.

However, there is a downside to SPF. Threat actors can manipulate SPF records because this protocol is based on the principle of only checking the MAIL FROM domain and not the domain the recipient sees in the From address. So, let’s say, an attacker registered their domain (example.com) and set up a valid SPF record for it. Now, they send emails from the example.com’s approved set of servers but use a completely different domain in the From address, such as examplebank.com. This way, the email passes SPF checks, even though it appears to be coming from a trusted bank, making it easier to trick people.

 

SPF breaks on forwarding

Another issue with SPF is that it doesn’t work when an authorized email is forwarded. This is because when another server forwards an email, SPF fails as that server isn’t listed in the original domain’s SPF record.

 

DomainKeys Identified Mail (DKIM)

DKIM ensures the email content is not altered in transit. It works by using a digital signature attached to the key elements of the message (including the ‘From’ address) and stored in the message header of every outgoing email. The receiving server then verifies that the signed elements of the message were not changed or tampered with in transit.

 

outgoing email

 

How does DKIM help SPF?

DKIM helps when SPF fails because it verifies whether the email content has been altered or not. Even if forwarding or shared MAIL FROM addresses break SPF, DKIM still works as its signature stays the same.

This way, DKIM proves the email is real, even when SPF can’t.

 

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC uses SPF and DKIM to verify the alignment between the domains in the MAIL FROM and From addresses. Its main job is to instruct the receiving servers on what action to take on illegitimate emails sent on your behalf from your domain. You can choose one of the three actions

  • None: It treats such emails as usual.
  • Quarantine: It allows the email to enter the mailbox, but places it in the spam folder, so the recipient proceeds with caution. This is a more practical setting if you have just implemented DMARC, as it keeps your conversations relatively safer and unhampered in cases of false positives.
  • Reject: The email failing SPF and DKIM gets rejected by the receiving mailbox. This is the strictest setting, and hence not ideal if your emails often struggle with false positives with DMARC.

 

Authenticated Received Chain (ARC)

 

 

Legitimate servers that modify the message (such as adding an extra line) in transit can use ARC to preserve the original email authentication results when an email is forwarded. So, even if SPF breaks because of forwarding, ARC shows that the email passed SPF before being forwarded, helping receiving servers trust the message.

 

Best practices to meet the requirements effortlessly

Email authentication is not a one-time done-and-dusted job; it’s an ongoing process till the time your business is sending emails. So, here are the best practices that will help your domain stay in alignment with Microsoft’s requirements for Exchange Online users-

  1. Set up DMARC and ensure your SPF or DKIM record matches the domain in your ‘From’ address.
  2. Check that every tool or platform you use to send emails is included in your SPF record.
  3. Use DKIM for all outgoing emails to ensure that tampered emails are flagged.
  4. Instead of letting all tools use your main domain, give them subdomains like news.yourdomain.com for better control.
  5. Check if SPF, DKIM, and DMARC are correct and updated whenever you add or remove tools. Do this by auditing your DNS records and mail flows regularly.
  6. Monitor your DMARC reports to identify which emails are passing or failing, allowing you to resolve the issue before a threat actor exploits it to their advantage.
  7. Warm up new IPs and domains slowly by increasing the email sending volume.

 

Monitoring Your DMARC Reports

 

Maintain a low complaint rate; if too many people mark your emails as spam, your sender’s reputation will be harmed. 

Reach out to us to get started with SPF, DKIM, and DMARC. If your domain already has these protocols, but you need assistance with reconfiguration, we can help with that too. Whatever your need is, we can serve!

Pin It on Pinterest

Share This