SPF \ DKIM \ DMARC

SPF Record: Sender Policy Framework (SPF) is an email validation record designed to
detect email spoofing. It provides a mechanism that lets receiving mail servers check that
incoming mail from a domain comes from an authorized sender host. This can be customized
for your environment's needs. (SPF check = Pass or Fail in message header | the DNS record can
end in ~all for Softfail or -all for Hardfail)
Sample elegantleaf.com SPF Record:

Name = (Same as Host)
Text = v=spf1 ip4:23.96.123.26 include:spf.protection.outlook.com -all
Testing: http://mxtoolbox.com/spf.aspx

Notes: Caution: the SPF record is important to mail flow. Before changing the SPF record in DNS,
be sure to understand the implications, as this impacts spoofed emails, relayed emails, and
Spam Confidence Level (SCL) classification upon email delivery.
Links: https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx |
http://www.openspf.org
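The following is an added example (not part of the original document) that walks through how a receiving server evaluates the sample elegantleaf.com record: the sending IP is compared against each mechanism in order, an include: only matches when the referenced record itself passes, and the trailing -all or ~all term decides between Fail and Softfail for everything else. DNS lookups are replaced by a constructed in-memory table so it runs offline; the spf.protection.outlook.com and relay.example entries are made up, not Microsoft's real record.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# elegantleaf.com is the sample record from the page; the other two entries are
# made up (spf.protection.outlook.com's real record is larger and changes over time).
SPF_RECORDS = {
    "elegantleaf.com": "v=spf1 ip4:23.96.123.26 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 -all",
    "relay.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate a sending IP against the domain's SPF record.

    Supports the ip4, ip6, include and all mechanisms, which is all the sample
    record uses; a, mx, ptr and exists are not modelled. Returns one of
    pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms (include, a, mx, ...) to 10
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # -all => fail, ~all => softfail
        if mech in ("ip4", "ip6"):
            # ip_network() accepts both a bare address and a CIDR block; membership
            # is False across IP versions, so an ip4 term never matches an IPv6 sender
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: matches only when the referenced policy evaluates to pass;
            # its own fail/softfail result does not propagate to the caller
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # end of record with no matching mechanism and no all term


if __name__ == "__main__":
    for ip in ("23.96.123.26", "40.92.5.5", "198.51.100.7"):
        print(ip, "->", check_spf("elegantleaf.com", ip))
```

Run it and the first two addresses pass (the second through the include), while the third hits -all and fails. Changing the sample record's -all to ~all, as the Next Steps suggest during rollout, turns that third result into softfail, which Office 365 treats as a spam signal rather than an outright rejection.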

DKIM Record: DomainKeys Identified Mail (DKIM) is designed to detect spoofing by adding a
digital signature to email being sent outbound. When the email is received, the digital
signature is verified against a public key published for the email domain (in this case hosted
by Office 365); this allows authorization through cryptographic means (Signature and Public
Key check = Pass or Fail in message header)
Sample Elegantleaf.com DKIM Record:

Type = CNAME
Name = selector1._domainkey
Link = selector1-elegantleaf-com._domainkey.nateswiftlive.onmicrosoft.com
Type = CNAME
Name = selector2._domainkey
Link = selector2-elegantleaf-com._domainkey.nateswiftlive.onmicrosoft.com
Testing: http://mxtoolbox.com/dkim.aspx

Notes: Within the DKIM DNS record, Link = _domainkey.tenantname.onmicrosoft.com (this will be
your O365 tenant domain; in the above example it is nateswiftlive.onmicrosoft.com). In
addition to the DKIM records, the mail domain must be enabled for DKIM signature signing in
Azure AD PowerShell:
New-DkimSigningConfig -DomainName <domainGUID> -Enabled $true
OR Set-DkimSigningConfig -Identity <domainGUID> -Enabled $true
OR Get-DkimSigningConfig | fl *selector*
Links: http://blogs.technet.com/b/eopinsights/archive/2015/11/02/outbound-dkim-in-office365.aspx | http://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkimsigning-in-office-365.aspx | http://www.msexchange.org/articles-tutorials/office365/exchange-online/dkim-and-dmarc-office-365-part1.html | http://dkim.org
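As an added example (not from the original document or from Office 365), the code below shows the receiving side of DKIM for a message signed with the selector and domain from the records above: the DKIM-Signature header is parsed into its tags, the d= and s= tags give the DNS name selector1._domainkey.elegantleaf.com where the verifier fetches the public key (the CNAME above redirects that lookup into the tenant's onmicrosoft.com zone), and the bh= body hash is recomputed after RFC 6376 relaxed canonicalization. The message body and signature header are constructed; the b= value is a placeholder because checking it needs the RSA public key from DNS, which this offline example does not fetch.

```python
import base64
import hashlib
import re


def parse_tag_list(value):
    """Parse a DKIM tag=value list (the DKIM-Signature header and the DNS key record
    both use this syntax) into a dict. Folding whitespace inside a value, common in
    the long b= and p= tags, is removed as RFC 6376 requires."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(sig_tags):
    """The DNS name a verifier queries for the public key: <s>._domainkey.<d>.
    For the page's records this is selector1._domainkey.elegantleaf.com, which the
    CNAME shown above redirects to the Office 365 tenant's record."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces/tabs to one
    space, strip trailing whitespace per line, drop trailing empty lines, CRLF endings."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    """bh= value for a relaxed / rsa-sha256 signature: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(sig_tags, body):
    """First verification step: does the received body still hash to the signed bh=?
    A mismatch means the body changed in transit (or the header is forged) and the
    verifier reports dkim=fail before it even needs the public key."""
    return sig_tags.get("bh") == body_hash(body)


# Constructed message body and DKIM-Signature header (not captured from a real message).
# The b= value is a placeholder: verifying it needs the RSA public key from the p= tag of
# the DNS record at dkim_dns_name(), which is outside this offline example.
SAMPLE_BODY = "Quarterly report attached.  \r\n\r\nThanks,\tNate\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=elegantleaf.com; s=selector1;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER+base64+signature+value/not+verifiable+offline="
)

if __name__ == "__main__":
    tags = parse_tag_list(SAMPLE_SIGNATURE)
    print("public key lookup:", dkim_dns_name(tags))
    print("body hash intact:", body_hash_matches(tags, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("Quarterly", "Monthly")
    print("body hash after tampering:", body_hash_matches(tags, tampered))
```

Relaxed canonicalization is why a signature survives mail systems that re-wrap whitespace or add trailing blank lines but not a change to the words themselves; the empty body always canonicalizes to the well-known value bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=, which is a quick sanity check when reading real headers.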

DMARC Record: Domain-based Message Authentication, Reporting and Conformance
(DMARC) is a validation system that detects spoofing and uses both SPF and DKIM. DMARC
coordinates the pass \ fail results for SPF and DKIM against the domain in the FROM: header.
DMARC allows actions to be taken on incoming email (p=none, p=quarantine, p=reject;
both quarantine and reject result in delivery to Junk in Office 365). It also provides reporting
of actions taken on inbound email by other mail systems (Hotmail, Gmail, LinkedIn).
Sample elegantleaf.com DMARC Record: (*Turning on with reporting and no action taken,
p=none)

Type = TXT record
Name = _dmarc
Text = v=DMARC1; p=none; rua=mailto:test.spoof@elegantleaf.com; ruf=mailto:test.spoof@elegantleaf.com; fo=1; pct=100
Testing: http://mxtoolbox.com/dmarc.aspx

Notes: SPF must be set correctly and DKIM set up and enabled in Office 365 before
DMARC works. The best strategy is to start with p=none; after reviewing the reports and tweaking
the SPF record, set p=quarantine with pct=20, then pct=40, and so on, raising the percentage of
emails the policy is applied to and adjusting the SPF record to include mail relays or mail senders
acting on your behalf, until 100 percent of emails are covered. Then set p=reject once comfortable.
Links: https://dmarc.org/ | http://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarcin-office-365.aspx | http://www.msexchange.org/articles-tutorials/office-365/exchangeonline/dkim-and-dmarc-office-365-part2.html

Best practices: http://blogs.msdn.com/b/tzink/archive/2015/07/12/what-is-the-bestcombination-for-your-spf-record-dkim-record-and-dmarc-record.aspx

Next Steps:
1. Read above link
2. Change SPF record to ~all (Softfail)
3. Change DMARC record to p=quarantine
4. Adjust DMARC record pct=20 | eventually incrementing 20% as you are more comfortable until you reach pct=100
5. Change DMARC record to p=reject
6. Get aggressive: set up an EOP rule based on DMARC and on the mail header Authentication-Results; see an example here
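The following is an added example (not part of the original document) that ties the DMARC section and step 6 together: it reads the spf= and dkim= verdicts out of an Authentication-Results header, checks whether the domain each one authenticated aligns with the FROM: header domain, and applies the p= and pct= tags of the published record to decide the disposition. The DMARC record is the page's sample; the Authentication-Results headers are constructed in the Office 365 style and are not from real mail, and the sample argument is a stand-in for the receiver's random pct sampling so the result is reproducible.

```python
import re

# Sample record from the page (p=none, pct=100) and a constructed stricter variant.
DMARC_NONE = ("v=DMARC1; p=none; rua=mailto:test.spoof@elegantleaf.com; "
              "ruf=mailto:test.spoof@elegantleaf.com; fo=1; pct=100")
DMARC_QUARANTINE_20 = "v=DMARC1; p=quarantine; pct=20; rua=mailto:test.spoof@elegantleaf.com"

# Constructed Authentication-Results header values in the Office 365 style (not real mail).
AUTH_LEGIT = ("spf=pass (sender IP is 23.96.123.26) smtp.mailfrom=elegantleaf.com; "
              "dkim=pass (signature was verified) header.d=elegantleaf.com;")
AUTH_SPOOF = ("spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=elegantleaf.com; "
              "dkim=none (message not signed) header.d=none;")
# A relay that passes SPF and DKIM for its own domain, but not for the From: domain
AUTH_RELAY = ("spf=pass (sender IP is 192.0.2.9) smtp.mailfrom=newsletter-relay.example; "
              "dkim=pass (signature was verified) header.d=newsletter-relay.example;")


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=none; ...' into a tag dict."""
    tags = {}
    for item in txt.split(";"):
        if item.strip():
            key, _, val = item.partition("=")
            tags[key.strip()] = val.strip()
    return tags


def parse_authentication_results(header):
    """Pull the SPF and DKIM verdicts, plus the domain each one authenticated, out of an
    Authentication-Results header. Returns {'spf': (verdict, domain), 'dkim': (verdict, d=)}."""
    results = {}
    m = re.search(r"spf=(\w+).*?smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)", header, re.S)
    if m:
        results["spf"] = (m.group(1).lower(), m.group(2).lower())
    m = re.search(r"dkim=(\w+).*?header\.d=([^;\s]+)", header, re.S)
    if m:
        results["dkim"] = (m.group(1).lower(), m.group(2).lower())
    return results


def org_domain(domain):
    """Organizational domain, simplified to the last two labels; production code uses
    the Public Suffix List (this shortcut is wrong for names like example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match with the From:
    domain; relaxed ('r', the default) accepts any subdomain of the same organization."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def _authenticated(result, from_domain, mode):
    if result is None:
        return False
    verdict, domain = result
    return verdict == "pass" and aligned(domain, from_domain, mode)


def dmarc_evaluate(from_domain, auth_results, record, sample=0):
    """Return 'pass', or the policy ('none', 'quarantine', 'reject') to apply.

    SPF and DKIM each count only if they passed AND their domain aligns with the FROM:
    header domain, which is what defeats a spoofer who passes SPF for some other domain.
    `sample` is a constructed 0-99 draw standing in for the receiver's random pct sampling:
    when sample >= pct the next less strict policy applies (RFC 7489 section 6.6.4).
    """
    tags = parse_dmarc_record(record)
    if tags.get("v") != "DMARC1":
        return "none"  # no usable policy published
    spf_ok = _authenticated(auth_results.get("spf"), from_domain, tags.get("aspf", "r"))
    dkim_ok = _authenticated(auth_results.get("dkim"), from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none")
    if sample >= int(tags.get("pct", "100")):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    for name, hdr in (("legit", AUTH_LEGIT), ("spoof", AUTH_SPOOF), ("relay", AUTH_RELAY)):
        verdict = dmarc_evaluate("elegantleaf.com", parse_authentication_results(hdr), DMARC_NONE)
        print(f"{name}: {verdict}")
```

The relay case is the one the Notes above warn about: a third party sending on your behalf passes SPF and DKIM for its own domain yet still fails DMARC, because neither identifier aligns with elegantleaf.com. It only starts passing once the relay either uses an aligned MAIL FROM domain whose IPs are in your SPF record or signs with DKIM d=elegantleaf.com, which is why the pct ramp and the reports matter before moving to p=reject.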