Three Steps to Improve Your Email Security
Phishing and spam email are a pain to deal with. While you may never be completely rid of them in the modern communication age, there are steps you can take to reduce the ability for hackers and scammers to send emails that appear to be coming from your email domain (i.e., spoofing).
These three steps are available on the majority of email platforms in use and are relatively simple to implement. That being said, this walkthrough is specific to Microsoft’s Office 365 platform and Amazon’s Route53 DNS service.
Step 1 – Configure Domain Keys Identified Mail (DKIM)
DKIM is a standard email authentication technique that allows the recipient to validate that an email was indeed sent and authorized by the owner of the email domain in question. All this is accomplished through the digital signing of emails for an approved domain. This DKIM signature is a header that is added to the message and is additionally secured using encryption.
For each custom domain name you send email from, you will need to create two CNAME records with your DNS service:
selector1- EXAMPLE -com._domainkey. EXAMPLE.onmicrosoft.com
selector2- EXAMPLE -com._domainkey. EXAMPLE.onmicrosoft.com
Log into your DNS service (in this example, Amazon Route53).
If you don’t already have a CNAME record created for DKIM, use the following as an example to create your first record. Create a second one based on the guidance provided in the image above.
Make sure to set the TTL to ‘3600’ (not the ‘300’ in the example).
Next, you need to enable DKIM signing in Office 365. Start by logging onto 0ffice 365 with an administrator account. Click on the Navigation button in the corner (highlighted below) and then click on ‘Admin’.
Click on ‘Exchange’.
Click on ‘dkim’ under the ‘protection’ category.
Next, click on your domain name, ensure the Domain Type is ‘Authoritative’, then click on ‘enable’ to the right.
Alright, Step 1 completed!
Step 2 – Sender Policy Framework (SPF)
Sender Policy Framework is an email-authentication technique which is used to prevent unauthorized systems from sending emails that look like it comes from your domain. Organizations can use SPF to publish authorized email servers. When SPF is used along with DMARC (Step 3), email recipients are provided with information on how trustworthy the sender of an email is.
The good news is that if you are with Office 365 for email, the SPF record should already be in place. If you use an email phishing test service (or a Delap Managed Security Service customer), then you may need an additional item added to your TXT record such as seen below. Note: You modify these settings on your DNS service host.
SPF Value: v=spf1 include:spf.protection.outlook.com -all include:_EXAMPLE.com ~all
If you have any third parties that send email on your behalf (think HubSpot, WordPress, etc.), you will need to add them to your SPF record. You can also add approved IP addresses using the following format:
Step 3 – Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC TXT Record Contents
“v=DMARC1; p=none; rua=mailto:USER@EXAMPLE.com;”
This record configures an email account that would be used to receive DMARC reports to assess how ready your organization is to enable a DMARC quarantine policy. Ensure that a valid email is used. The following example uses Agari’s DMARC service, but you can also use the free tool from Postmark (https://dmarc.postmarkapp.com/) to receive aggregated DMARC reports on a weekly basis.
“v=DMARC1; p=none; sp=none; aspf=r; adkim=r; pct=100; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org;”
When you believe that all or most of your legitimate traffic is protected by SPF and DKIM, and you understand the impact of implementing DMARC, you can implement a quarantine policy. A quarantine policy is a DMARC TXT record that has its policy set to quarantine (p=quarantine). By doing this, you are asking DMARC receivers (email recipients) to put messages from your domain that fail DMARC into the local equivalent of a spam folder instead of your customers’ inboxes.
p=policy – Where p=none means no action taken, p=quarantine means DMARC fails are quarantined, p=reject means email rejected
Alternatively, Agari created a slick tool you can use to lookup your DMARC record to generate the proper DMARC values to create for your environment.
Once all three steps are completed, you can use the following site to test your DMARC, DKIM, and SPF configuration to ensure everything is setup properly.
The underlined links above are where the respective tools are located from DMARC Analyzer.
For more security tips, check out our related articles: