Office 365 Email Protection with DKIM and DMARC

Introduction

Email spoofing is the most common challenge that every organization faces in today's digital world, regardless of the size of the organization. Office 365 email protection with DKIM and DMARC helps organizations protect against spoofing, which tends to bring an increased volume of spam email. DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) check that the sender is trusted and authenticated, preventing untrusted senders from delivering spoofed email.

Inbound validation of DKIM and DMARC is supported in Office 365.

What is DKIM?

DomainKeys Identified Mail (DKIM) is a method of validating a digitally signed message; the signature is carried in the DKIM-Signature header among the message headers. It ties an email message to the organization responsible for the message.


More details on DKIM can be found on TechNet.

What is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is designed to protect against email spoofing where the phisher has spoofed the 5322.From email address, which is the address displayed in email clients such as Outlook. Sender Policy Framework (SPF) protects against the phisher spoofing the 5321.MailFrom address. DMARC catches the case that is more deceptive. DMARC results are stamped in the Authentication-Results header of the email.

DMARC evaluates both DKIM and SPF and ensures that the authenticated domain matches (aligns with) the domain in the 5322.From address. SPF on its own does not protect against emails with a spoofed 5322.From address.

    Helo woodgrovebank.com
    Mail from: phish@phishing.contoso.com  <-- 5321.MailFrom
    Rcpt to: astobes@tailspintoys.com
    data
    To: "Andrew Stobes" <astobes@tailspintoys.com>
    From: "Woodgrove Bank Security" <security@woodgrovebank.com>  <-- 5322.From
    Reply-To: "Woodgrove Bank Security" <phish@phishing.contoso.com>
    Subject: Woodgrove Bank - Action required

    Greetings User,
    We need to verify your banking details. Please click the following link to accomplish this.
    http://short.url/woodgrovebank/updateaccount/12-121.aspx
    Thank you,
    Woodgrove Bank

The end user will see this message rendered as shown below.

This email can pass the SPF check if the phisher has published an SPF record for the 5321.MailFrom domain, but, as the example shows, the phisher has spoofed the 5322.From address while sending from their own 5321.MailFrom, so the two domains do not align and DMARC will fail on this email. DMARC evaluation is already in place in Office 365 for inbound email, and you don't have to configure anything. In the next blog article, we will look at how to configure DMARC for outbound email in Office 365.
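To make the alignment rule concrete, here is an added example (not Microsoft's or Office 365's code, and not part of the original post) that evaluates DMARC over the spoofed message above. The envelope sender and headers are constructed from the post's example; the SPF and DKIM verdicts and the DKIM d= domain are passed in as assumptions, since no real DNS lookup or signature verification is performed. The organizational-domain reduction is a deliberate simplification that ignores the Public Suffix List.

```python
"""
DMARC identifier alignment over the spoofed Woodgrove Bank message.

Added example, not Office 365 code. SPF/DKIM verdicts are supplied by the
caller (assumed), because this script does no DNS lookups or signature checks.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the 5321.MailFrom (SMTP envelope sender) from the post's example.
ENVELOPE_MAIL_FROM = "phish@phishing.contoso.com"

# Constructed: the message DATA from the post's example; 5322.From is the From header.
RAW_MESSAGE = """\
To: "Andrew Stobes" <astobes@tailspintoys.com>
From: "Woodgrove Bank Security" <security@woodgrovebank.com>
Reply-To: "Woodgrove Bank Security" <phish@phishing.contoso.com>
Subject: Woodgrove Bank - Action required

Greetings User,
We need to verify your banking details.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an address such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        raise ValueError(f"no domain in address: {address!r}")
    return addr.rsplit("@", 1)[1].lower()


def organizational_domain(domain: str) -> str:
    """Crude organizational domain used for relaxed alignment.

    Assumption: the last two labels form the organizational domain. Real
    DMARC evaluators consult the Public Suffix List, so names like
    'example.co.uk' are not handled correctly by this simplification.
    """
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: 'r' (relaxed) compares organizational
    domains, 's' (strict) requires an exact domain match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(envelope_mail_from, raw_message, spf_result, dkim_result,
                   dkim_d=None, adkim="r", aspf="r"):
    """Return a dict explaining the DMARC verdict for one message.

    DMARC passes when at least one of these holds:
      * SPF passed AND the 5321.MailFrom domain aligns with the 5322.From domain
      * DKIM passed AND the signature's d= domain aligns with the 5322.From domain
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    mailfrom_domain = domain_of(envelope_mail_from)

    spf_aligned = spf_result == "pass" and aligned(mailfrom_domain, from_domain, aspf)
    dkim_aligned = (dkim_result == "pass" and dkim_d is not None
                    and aligned(dkim_d, from_domain, adkim))
    return {
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # Assumed: the phisher controls phishing.contoso.com, so SPF for the
    # envelope sender passes; the message carries no DKIM signature.
    verdict = evaluate_dmarc(ENVELOPE_MAIL_FROM, RAW_MESSAGE,
                             spf_result="pass", dkim_result="none")
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Running it shows SPF passing for phishing.contoso.com yet DMARC failing, because the 5322.From domain woodgrovebank.com aligns with neither an SPF-authenticated domain nor a DKIM d= domain; swapping in an envelope sender or DKIM signature under woodgrovebank.com flips the verdict to pass.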

For more information on Office 365 email protection with DKIM and DMARC, please go through the following posts.
