Office 365 Email Protection with DKIM and DMARC

Introduction

Email spoofing is the most common challenge that every organization faces in the current digital world, regardless of its size. Office 365 email protection with DKIM and DMARC helps organizations protect against spoofing, which tends to increase the number of spam emails. DomainKeys Identified Mail (DKIM) and Domain-based Messaging and Reporting Compliance (DMARC) check that a sender is trusted and authenticated, preventing untrusted senders from sending spoofed emails.

Inbound validation of DKIM and DMARC is supported in Office 365

What is DKIM?

DomainKeys Identified Mail (DKIM) is a method to validate a digitally signed message; the signature appears in the DKIM-Signature header among the message headers. It ties an email message to the organization responsible for the message.

More details on DKIM can be found on TechNet.

What is DMARC?

Domain-based Messaging and Reporting Compliance (DMARC) is designed to protect against email spoofing where the phisher has spoofed the 5322.From address, which is the email address displayed in email clients such as Outlook. Sender Policy Framework (SPF) protects against a phisher spoofing the 5321.MailFrom address. DMARC catches the case that is more deceptive. DMARC results are stamped in the authentication header of the email.

DMARC evaluates both DKIM and SPF and ensures that the authenticated domain matches the domain in the 5322.From address. SPF alone does not protect against emails with a spoofed 5322.From address.

Q: Helo woodgrovebank.com
Q: Mail from: phish@phishing.contoso.com  <– 5321.MailFrom
Q: Rcpt to: astobes@tailspintoys.com
Q: data
Q: To: “Andrew Stobes” <astobes@tailspintoys.com>
Q: From: “Woodgrove Bank Security” <security@woodgrovebank.com>  <– 5322.From
Q: Reply-To: “Woodgrove Bank Security” <phish@phishing.contoso.com>
Q: Subject: Woodgrove Bank – Action required
Q: Greetings User,
Q: We need to verify your banking details. Please click the following link to accomplish this.
Q: http://short.url/woodgrovebank/updateaccount/12-121.aspx
Q: Thank you,
Q: Woodgrove Bank

The end user will see this information as below.

This email can pass the SPF check if the phisher has published an SPF record for woodgrovebank.com, but as we know the phisher has spoofed the email using 5321.MailFrom, so DMARC will fail on this email. DMARC is already in place in Office 365 for inbound emails and you don’t have to configure anything. In the next blog article, we will look into how to configure DMARC for outbound emails in Office 365.
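The alignment check that makes DMARC fail on the message above, as an added example (not code from the original post or from Office 365). It assumes SPF and DKIM verdicts are already known, and it approximates the organizational domain as the last two labels, where a real evaluator consults the Public Suffix List; the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed copy of the spoofed message headers from the SMTP session above.
RAW = '''To: "Andrew Stobes" <astobes@tailspintoys.com>
From: "Woodgrove Bank Security" <security@woodgrovebank.com>
Reply-To: "Woodgrove Bank Security" <phish@phishing.contoso.com>
Subject: Woodgrove Bank - Action required

Greetings User,
'''

def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # A production evaluator uses the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Relaxed alignment compares organizational domains; strict needs an exact match."""
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(raw_message, mail_from, spf_result, dkim_sigs=(), strict=False):
    """mail_from: the 5321.MailFrom address; spf_result: SPF verdict for its domain;
    dkim_sigs: (d= domain, verdict) pairs, one per DKIM-Signature header."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    spf_domain = mail_from.rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, strict)
    dkim_ok = any(v == "pass" and aligned(d, from_domain, strict)
                  for d, v in dkim_sigs)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    # SPF and DKIM pass for the phisher's own domain, yet DMARC fails on alignment.
    print(dmarc_result(RAW, "phish@phishing.contoso.com", "pass",
                       [("phishing.contoso.com", "pass")]))
    # A legitimate sender: aligned DKIM signature from woodgrovebank.com.
    print(dmarc_result(RAW, "bounce@mail.woodgrovebank.com", "pass",
                       [("woodgrovebank.com", "pass")], strict=True))
```

The first call shows why a passing SPF or DKIM result on its own says nothing about the address the recipient sees: only a verdict for a domain aligned with 5322.From counts toward DMARC.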

For more information on Office 365 email protection with DKIM and DMARC, please go through the following posts.

Customized Office 365 OWA URL

When you are working with your customers to transition them to Office 365, one of the most important asks is a customized Office 365 OWA URL, so that end users do not have to remember something that is unrelated to the company or not company branded, like outlook.office.com. I received these types of requests on almost all of my engagements when customers are moving to Office 365 from an on-premises messaging environment or a 3rd party messaging system.

This blog post is not applicable when you have an Exchange hybrid deployment. An Exchange hybrid deployment involves a lot of different things and scenarios.

Users can access Office 365 OWA by visiting the known Office 365 URL, i.e. http://portal.office.com, and clicking the Outlook icon to access their mail. Users can also reach OWA directly at http://outlook.office.com, but what if you want users to have a customized, company-branded Office 365 OWA URL such as mail.msexperttalk.com?

In order to set up the OWA URL redirection for your organization’s customized Office 365 OWA URL, you need to create a CNAME entry in your public DNS that points to outlook.office.com.

Create a CNAME record with the name Mail and point it to outlook.office.com.

Once the CNAME records are in place in both the public and private DNS of the company, your users can access OWA with the customized Office 365 OWA URL by visiting http://mail.domain.com; in my case it’s http://mail.msexperttalk.com. You can visit the Office blog site to see the details of the other DNS record requirements for Office 365.

 

Troubleshooting Office 365 Room Mailbox Permission Issue

Introduction

Recently, working with an enterprise customer, we came across an issue where Office 365 room mailbox permissions were not being applied correctly. Most of the time, after we assigned permission to a room mailbox in Office 365, the permissions were not synchronized correctly to Outlook clients. We worked with Microsoft support on this issue; it seems to be a product “bug”, but I cannot confirm this, or it seems like PowerShell is the way to trust when working with workloads in Office 365. Troubleshooting the Office 365 room mailbox permissions issue required me to perform all levels of testing and troubleshooting to ensure everything was in place, but it wasn’t working properly. During the troubleshooting, we reassigned the permissions to a user on the room mailbox via Exchange Online PowerShell, and appropriately that seems to be working without any issue.

Troubleshooting Office 365 Room Mailbox Permission Issue

Working with Office 365, when you assign a user permission to a room mailbox so that the user can add the mailbox to the Outlook client and create appointments, during the process of adding the room mailbox to the Outlook client we were prompted with the following error message.

The workaround that worked for us in our scenario was to remove the permissions and reassign them using PowerShell. To assign the permissions using PowerShell, perform the following steps.

  • Retrieve the permissions assigned on the room mailbox using PowerShell

C:\> Get-MailboxFolderPermission -Identity confroom@msexperttalk.com:\Calendar

  • As you can see, I do not have permissions on the Calendar folder. Run the following cmdlet to assign permissions on the Calendar folder

C:\> Add-MailboxFolderPermission -Identity confroom@msexperttalk.com:\Calendar -User rjbutt@msexperttalk.com -AccessRights Owner

Re-run the Get-MailboxFolderPermission cmdlet to verify the permissions are being assigned to the user.

Once it’s done, restart the Outlook client and the permissions will start synchronizing, and the user will be able to create/edit/delete calendar appointments on the conference room mailbox. The issue that I had faced could be due to some back-end issues with Exchange Online, and I do not recommend that this could be the issue with all deployments, but I have seen much more success with PowerShell as compared to the GUI and I always recommend leveraging PowerShell over the GUI.

Setting up Room Finder in Office 365 using Room list

Introduction to Room List

Setting up Room Finder in Office 365 using room lists is required when you are migrating to Office 365 from a non-Exchange platform or you are using Office 365 in your organization. The room list feature is also available in on-premises Exchange versions. Depending on your organization’s requirements, users may be used to looking up conference rooms by checking all rooms available to them and then picking the room they want depending on which ones are available. In Office 365, they will use room mailboxes to schedule meetings in conference rooms, auditoriums, labs or other facilities.

By default, users cannot see all the rooms unless they pick them

The Outlook client will show all the rooms and all conflicts. To empower your users and improve their productivity by letting them see only the rooms that are available at the time they want to schedule a meeting, you need to set up Room Finder for Microsoft Office Outlook by leveraging room list distribution groups.

What is Room Finding with Room Lists?

Room Finder simplifies the process of searching for an available room while setting up a meeting. Instead of adding all possible conference rooms to a meeting request and using the Scheduling Assistant to identify available rooms, meeting organizers can use Room Finder to show a room list, see suggested times, and choose an available room.

Setting up Room Finder in Office 365 using Room list

  • Create Room List Distribution Groups by running the following PowerShell cmdlet

C:\> New-DistributionGroup -Name "Conference Rooms" -PrimarySmtpAddress "ConfRooms@msexperttalk.com" -RoomList

  • Get a list of all room mailboxes in your organization by running the following PowerShell cmdlet

C:\> Get-Mailbox -RecipientTypeDetails RoomMailbox

  • To filter your room mailboxes based on office location, run the following PowerShell cmdlet

C:\> $HQConfRoom = Get-Mailbox -RecipientTypeDetails RoomMailbox -Filter {Office -eq 'HQ'} | select -ExpandProperty Alias

  • Add existing Room Mailboxes to Room List Distribution Groups by running the following PowerShell cmdlet

C:\> $HQConfRoom | Add-DistributionGroupMember -Identity "Conference Rooms"

  • To get a list of distribution group members, run the following PowerShell cmdlet

C:\> Get-DistributionGroupMember -Identity "Conference Rooms" | ft Name, PrimarySMTPAddress, Office -AutoSize

Outlook automatically detects room list distribution groups and populates Room Finder with the room lists when an end user is setting up a meeting.

End user experience with Room Finding when Room Lists are Setup

Without room lists, end users have to manually look through a list of rooms and select one based on availability. Room lists empower end users by offering options based on the time selected. When an end user sets up a meeting in the Outlook client with room lists configured in the organization, the following steps are performed.

  • Open Outlook
  • Start a new meeting
  • Invite a few people to your new meeting
  • Pick a time
  • Click on room finding if it is not open already

  • In the drop down pick a room list that has conference rooms in it

  • Outlook will now search all the rooms in the room list for the time the user has selected and present suggested times for any rooms available. If a room is not available, it will not show up in the list
  • In Choose an Available room: pick the room you want and hit send to schedule a meeting

Please note that at the current release of Office 365, room lists are only visible with PowerShell. They do not show up in the EAC. You have to run the PowerShell commands listed above to see them and add members to them.

This should save your administrators and executive assistants time when planning and scheduling conference rooms in environments where there are abundant conference rooms and recurring meetings.

Whitelist Senders and domains in office 365 to bypass Spam filters

Introduction

Office 365 provides a number of tools to maximize security and protect corporate information based on unique business and technical needs. When the built-in Office 365 filters are too aggressive in classifying mail as suspected spam, there are a few simple steps administrators can take to whitelist senders and domains in Office 365 to bypass spam filters. It can be a bad experience for end users when legitimate email is blocked as spam and lands in a quarantine folder.

It’s recommended that you, as an admin, review your filters so that critical messages bypass the spam folder and reach their intended recipients.

You can leverage a safe sender list or a custom transport rule to bypass spam filtering and prevent legitimate email messages from getting marked as junk. A legitimate message that the spam filter incorrectly marks as spam is known as a false positive.

Whitelist Senders and Domains in Office 365

To whitelist senders and domains in Office 365 so that they bypass the spam filter, perform the following steps.

  • Scroll down to the bottom and expand “Allow List”

  • Click on “Edit” button to add the Allow Sender and Allow Domain list

  • Once the user’s email address is added, click on the button to add the users to the safe sender list

Emails from users on the safe sender list will not be checked by the spam filters and will be delivered to recipients.

  • Once the safe sender list of users is configured, next step is to configure the safe sender domain list.
  • Click on “Edit” button to add domains to allowed domain list

  • Once the domains are added, emails from these domains will not be checked by the spam filters and will be delivered to users

It’s important to understand that when you add a safe sender or domain to the list, you must know that the user or domain is legitimate and will not send you spam email that can harm business operations. These lists are mostly configured for business partners, or for internal applications that send email through another medium to mailboxes hosted on Office 365 or to systems that leverage Exchange Online Protection to scan emails before they are delivered to end user mailboxes.
