Setting up SPF, DMARC, and DKIM on Exchange Online
There are many ways to improve your mail delivery reputation. A better reputation means a smaller chance that your mail is marked as spam or rejected by a mail-filter server or by an MTA during transfer. The most common way to improve mail reputation is to publish an SPF record and a DMARC record and to set up DKIM. How do you set these up on Microsoft 365 (formerly Office 365) Exchange Online? SPF and DMARC are far easier, since both "only" need you to add a TXT record to your DNS zone. DKIM is a bit more complicated, because DKIM needs a "DomainKey" and adds a digital signature to your mail so that other MTAs can verify that the mail was authorized by the domain owner.
The easiest way to explain how this triple combo works is an analogy: you send a letter from your home to a friend who lives far away.
SPF states through your DNS record that the address of your home (your.mail.server) is A. Something like: "Hello everyone. If you receive a letter from a sender with my name (X, your.domain) from my address (A, your.mail.server), then it is from me. Otherwise, do not trust that mail." So your friend's mail server (B, your.friend.server) can easily check whether a letter it received should be trusted or rejected by checking the sender (X, your.domain) and the from address (A, your.mail.server); if both match, the mail should be trusted and forwarded to your friend (Y, your.friend.inbox).
DKIM is more advanced. Every time you (X, your.domain) send a letter from your home (your.mail.server), there is a secret stamp that seals the envelope. If any of your friends receive mail carrying your name (X, your.domain), they can verify the seal and stamp by checking the stamp against your DomainKey, to make sure that the mail really came from you and was not altered. In this DKIM scenario, some actions (signing, stamping, and sealing) have to be executed by your mail server.
DMARC is a different story. It is something like a suggestion to your friend's server based on the SPF and DKIM check results. You can give one of these suggestions:
- If SPF is verified (pass) and DKIM is verified (pass), then I suggest the mail should be trusted.
- If only SPF is verified (pass), then I suggest the mail should be trusted.
- If only SPF is verified (pass), then I suggest the mail should be rejected.
- If only DKIM is verified (pass), then I suggest the mail should be trusted.
- If only DKIM is verified (pass), then I suggest the mail should be rejected.
- If only one of them is verified (pass), then I suggest the mail should be trusted.
- If only one of them is verified (pass), then I suggest the mail should be rejected.
- If neither of them is verified (both fail), then I suggest the mail should be trusted.
- If neither of them is verified (both fail), then I suggest the mail should be rejected.
Did you think that the 1st and 7th suggestions are the best options? Me too.
All of these possible scenarios are reported periodically to an aggregation server to build a database (e.g. Agari) and create reports. These reports are in turn used periodically by spam filters and firewall applications.
So you need to set up this triple combo to achieve the best-suggestion scenario. You can set up SPF and DMARC by only adding TXT records to your DNS zone. Since Microsoft 365 uses spf.protection.outlook.com for its MTA, you only need to add that domain name to your SPF record. The DMARC record below uses the 1st and 7th suggestions mentioned above.
yourdomain.com. IN TXT "v=spf1 include:spf.protection.outlook.com -all"
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; sp=quarantine; adkim=s; aspf=s; fo=1; pct=80; ri=86400; rua=mailto:[email protected]; ruf=mailto:[email protected];"
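To see how the "suggestion" list above and the two records just shown fit together, here is an added Python example (not code from the post, from Microsoft, or from any receiving MTA) that parses the SPF and DMARC records and then works out the verdict a receiving server would reach for a message, given its SPF and DKIM results and the domains those checks authenticated. The report mailboxes are constructed placeholders, the organisational-domain check is a simplification (real receivers use the Public Suffix List), and the pct= sampling tag is deliberately ignored.

```python
"""Parse the SPF/DMARC TXT records from the post and evaluate the DMARC
verdict for a message.  Added example; the records are the post's own,
the rua/ruf mailboxes are constructed placeholders."""
from typing import Optional

# Records as published in the post (report mailboxes are placeholders)
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com -all"
DMARC_RECORD = (
    "v=DMARC1; p=quarantine; sp=quarantine; adkim=s; aspf=s; fo=1; pct=80; "
    "ri=86400; rua=mailto:dmarc-rua@yourdomain.com; ruf=mailto:dmarc-ruf@yourdomain.com;"
)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tag=value pairs; v= and p= are mandatory."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' leaves an empty piece
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("DMARC record must start with v=DMARC1 and carry a p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def parse_spf(record: str) -> dict:
    """Return the include: targets and the qualifier on the final 'all' term
    ('-' hard fail, '~' soft fail, '?' neutral, '+' pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    includes, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?").lower()
        if mechanism.startswith("include:"):
            includes.append(mechanism.split(":", 1)[1])
        elif mechanism == "all":
            all_qualifier = qualifier
    return {"includes": includes, "all": all_qualifier}


def org_domain(name: str) -> str:
    """Organisational domain, approximated as the last two labels (simplification)."""
    return ".".join(name.lower().split(".")[-2:])


def aligned(auth_domain: Optional[str], header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From:
    domain, relaxed ('r') only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_verdict(tags: dict, record_domain: str, header_from: str,
                  spf_result: str, spf_domain: Optional[str],
                  dkim_result: str, dkim_domain: Optional[str]) -> str:
    """'pass' when SPF or DKIM passed *and* aligns with the From: domain;
    otherwise the action the owner asked for (p=, or sp= for a subdomain).
    pct= sampling is ignored in this example."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    hf, rd = header_from.lower(), record_domain.lower()
    if hf != rd and hf.endswith("." + rd):
        return tags.get("sp", tags["p"])
    return tags["p"]


if __name__ == "__main__":
    tags = parse_dmarc(DMARC_RECORD)
    print("SPF:", parse_spf(SPF_RECORD))
    for spf, dkim in (("pass", "pass"), ("pass", "fail"), ("fail", "pass"), ("fail", "fail")):
        verdict = dmarc_verdict(tags, "yourdomain.com", "yourdomain.com",
                                spf, "yourdomain.com", dkim, "yourdomain.com")
        print(f"SPF={spf:4} DKIM={dkim:4} -> {verdict}")
```

Running it shows the point of the post's record: one aligned pass is enough for DMARC to pass, and when both checks fail (or pass for a domain that does not align under adkim=s/aspf=s) the receiver is asked to quarantine rather than trust the mail.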
That is how to add the SPF and DMARC records. The next post will cover DKIM on Microsoft 365 (previously Office 365) Exchange Online.
Continue… Setup DKIM On Microsoft365 Through PowerShell
Image source: Letter Envelope Address from How to address an envelope (today.com)