Office 365 Email Protection with DKIM and DMARC

Introduction

Email spoofing is one of the most common challenges that every organization faces in today's digital world, regardless of the organization's size. Office 365 email protection with DKIM and DMARC helps organizations defend against spoofing, which tends to go hand in hand with an increased volume of spam. DomainKeys Identified Mail (DKIM) and Domain-based Messaging and Reporting Compliance (DMARC) check for a trusted, authenticated sender so that untrusted senders cannot deliver spoofed emails.

Inbound validation of DKIM and DMARC is supported in Office 365

What is DKIM?

DomainKeys Identified Mail (DKIM) is a method of validating a digitally signed message; the signature appears in the DKIM-Signature header among the message headers. It ties an email message to the organization responsible for the message.


More details on DKIM can be found on TechNet.

What is DMARC?

Domain-based Messaging and Reporting Compliance (DMARC) is designed to protect against email spoofing in which the phisher has spoofed the 5322.From address, the email address displayed in email clients such as Outlook. Sender Policy Framework (SPF) protects against a phisher spoofing the 5321.MailFrom address. DMARC catches the case that is more deceptive. DMARC results are stamped into the authentication header of the email.

DMARC evaluates both DKIM and SPF and ensures that the authenticated domain matches the domain in the 5322.From address. SPF on its own does not protect against emails with a spoofed 5322.From.

Helo woodgrovebank.com
Mail from: phish@phishing.contoso.com  <-- 5321.MailFrom
Rcpt to: astobes@tailspintoys.com
data
To: "Andrew Stobes" <astobes@tailspintoys.com>
From: "Woodgrove Bank Security" security@woodgrovebank.com  <-- 5322.From
Reply-To: "Woodgrove Bank Security" <phish@phishing.contoso.com>
Subject: Woodgrove Bank - Action required
Greetings User,
We need to verify your banking details. Please click the following link to accomplish this.
http://short.url/woodgrovebank/updateaccount/12-121.aspx
Thank you,
Woodgrove Bank

The end user will see this information as below.

This email can pass the SPF check if the phisher has published the SPF check for woodgrovebank.com, but as we know the phisher has spoofed the email using the 5321.MailFrom, so DMARC will fail on this email. DMARC checks are already in place in Office 365 for inbound emails and you don't have to configure anything. In the next blog article, we will look into how to configure DMARC for outbound emails in Office 365.
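The following is an added example, not code from the original post, that walks the sample message above through DMARC identifier alignment. The SPF and DKIM verdicts are supplied as constructed inputs (no DNS lookups are made), and the organizational-domain helper is a simplification that does not consult the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed copy of the sample exchange above (not captured traffic).
ENVELOPE_MAIL_FROM = "phish@phishing.contoso.com"  # 5321.MailFrom
SAMPLE_HEADERS = (
    'To: "Andrew Stobes" <astobes@tailspintoys.com>\n'
    'From: "Woodgrove Bank Security" <security@woodgrovebank.com>\n'  # 5322.From
    'Reply-To: "Woodgrove Bank Security" <phish@phishing.contoso.com>\n'
    'Subject: Woodgrove Bank - Action required\n'
)


def header_from_domain(raw_headers: str) -> str:
    """Domain of the 5322.From address, the identifier DMARC protects."""
    msg = message_from_string(raw_headers)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: real DMARC uses the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain
    return org_domain(candidate) == org_domain(from_domain)


def evaluate_dmarc(mail_from, raw_headers, spf_result, dkim_result,
                   dkim_d="", aspf="r", adkim="r"):
    """DMARC passes only if SPF or DKIM both passed AND aligns with 5322.From."""
    from_domain = header_from_domain(raw_headers)
    mail_from_domain = mail_from.rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, adkim)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


if __name__ == "__main__":
    # SPF is checked against the 5321.MailFrom domain, so it can pass for the
    # phisher's own domain, but it does not align with woodgrovebank.com.
    print(evaluate_dmarc(ENVELOPE_MAIL_FROM, SAMPLE_HEADERS, "pass", "none"))
    # Legitimate mail: bounce address and DKIM d= belong to the From domain.
    print(evaluate_dmarc("bounce@mail.woodgrovebank.com", SAMPLE_HEADERS,
                         "pass", "pass", dkim_d="woodgrovebank.com"))
```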

For more information on Office 365 email protection with DKIM and DMARC, please go through the following posts.

Customized Office 365 OWA URL

When you are working with customers to transition them to Office 365, one of the most common requests is a customized Office 365 OWA URL, so that end users do not have to remember something that is unrelated to the company brand, such as outlook.office.com. I receive this type of request on almost all of my engagements where customers are moving to Office 365 from an on-premises messaging environment or a third-party messaging system.

This blog post is not applicable when you have an Exchange hybrid deployment. Exchange hybrid deployments involve many different considerations and scenarios.

Users can access Office 365 OWA by visiting the well-known Office 365 URL, http://portal.office.com, and clicking the Outlook icon to open their mail in Office 365. Users can also access their email in OWA by visiting http://outlook.office.com. A customized Office 365 OWA URL, however, lets users reach their email through a company-branded address such as mail.msexperttalk.com.

In order to set up OWA URL redirection for your organization's customized Office 365 OWA URL, you need to create a CNAME entry in your public DNS that points to outlook.office.com.

Create a CNAME record with the name mail and point it to outlook.office.com.

Once the CNAME records are in place in both the public and private DNS of the company, your users can access OWA through the customized Office 365 OWA URL by visiting http://mail.domain.com; in my case it's http://mail.msexperttalk.com. You can visit the Office blog site for details of the other DNS record requirements for Office 365.


Troubleshooting Office 365 Room Mailbox Permission Issue

Introduction

Recently, while working with an enterprise customer, we came across an issue where Office 365 room mailbox permissions were not being applied correctly. Most of the time, after we assigned permissions to a room mailbox in Office 365, the permissions were not synchronized correctly to Outlook clients. We worked with Microsoft support on this issue; it seems to be a product "bug", though I cannot confirm this, and it seems that PowerShell is the way to trust when working with workloads in Office 365. Troubleshooting the Office 365 room mailbox permissions issue required me to perform every level of testing and troubleshooting to ensure everything was in place, but it still wasn't working properly. During the troubleshooting, we reassigned the permissions for a user on the room mailbox via Exchange Online PowerShell, and that worked without any issue.


In Office 365, you assign a user permissions on a room mailbox so that the user can add the mailbox to the Outlook client and create appointments. During the process of adding the room mailbox to the Outlook client, we were prompted with the following error message.

The workaround that worked for us in our scenario was to remove the permissions and reassign them using PowerShell. To assign the permissions using PowerShell, perform the following steps.


  • Retrieve the permissions currently assigned on the room mailbox's Calendar folder using PowerShell

C:\> Get-MailboxFolderPermission -Identity confroom@msexperttalk.com:\Calendar


  • As you can see, I do not have permissions on the Calendar folder. Run the following cmdlet to assign permissions on the Calendar folder

C:\> Add-MailboxFolderPermission -Identity confroom@msexperttalk.com:\Calendar -User rjbutt@msexperttalk.com -AccessRights Owner


Re-run the Get-MailboxFolderPermission cmdlet to verify that the permissions have been assigned to the user.


Once that is done, restart the Outlook client; the permissions will start synchronizing and the user will be able to create, edit and delete calendar appointments in the conference room mailbox. The issue I faced could be due to some back-end issue with Exchange Online, and I do not suggest that this will be the issue in all deployments, but I have seen much more success with PowerShell than with the GUI and I always recommend leveraging PowerShell over the GUI.

Setting up Room Finder in Office 365 using Room list

Introduction to Room List

Setting up Room Finder in Office 365 using room lists is required when you are migrating to Office 365 from a non-Exchange platform or are already using Office 365 in your organization. The Room Finder feature based on room lists is also available in on-premises Exchange versions. Depending on your organization's requirements, your users may be used to looking up conference rooms by checking all rooms available to them and then picking the room they want based on which ones are free. In Office 365, they will be using room mailboxes to schedule meetings in conference rooms, auditoriums, labs or other facilities.

By default, users cannot see all the rooms unless they pick them

The Outlook client will show all the rooms and all conflicts. To empower your users and let them see only the rooms that are available at the time they are scheduling a meeting, and so improve user productivity, you need to set up Room Finder for Microsoft Office Outlook by leveraging room list distribution groups.

What is Room Finding with Room Lists?

Room Finder simplifies the process of searching for an available room while setting up a meeting. Instead of adding all possible conference rooms to a meeting request and using the Scheduling Assistant to identify available rooms, meeting organizers can use Room Finder to show a room list, see suggested times, and choose an available room.


Setting up Room Finder in Office 365 using Room list

  • Create a room list distribution group by running the following PowerShell cmdlet

C:\> New-DistributionGroup -Name "Conference Rooms" -PrimarySmtpAddress "ConfRooms@msexperttalk.com" -RoomList


  • Get a list of all room mailboxes in your organization by running the following PowerShell cmdlet

C:\> Get-Mailbox -RecipientTypeDetails RoomMailbox


  • To filter your room mailboxes based on office location, run the following PowerShell cmdlet

C:\> $HQConfRoom = Get-Mailbox -RecipientTypeDetails RoomMailbox -Filter {Office -eq 'HQ'} | Select-Object -ExpandProperty Alias


  • Add the existing room mailboxes to the room list distribution group by running the following PowerShell cmdlet (the -Member parameter does not take pipeline input, so each alias is passed through ForEach-Object)

C:\> $HQConfRoom | ForEach-Object { Add-DistributionGroupMember -Identity "Conference Rooms" -Member $_ }


  • To get a list of the distribution group members, run the following PowerShell cmdlet

C:\> Get-DistributionGroupMember -Identity "Conference Rooms" | Format-Table Name, PrimarySMTPAddress, Office -AutoSize


Outlook automatically detects room list distribution groups and populates Room Finder with the room lists when an end user is setting up a meeting.

End user experience with Room Finding when Room Lists are Setup

Without room lists, end users have to manually look through a list of available rooms and select a room based on availability. Room lists empower end users by offering options based on the time selected. When an end user sets up a meeting in the Outlook client, the following steps apply once room lists are set up in the organization.

  • Open Outlook
  • Start a new meeting
  • Invite a few people to your new meeting
  • Pick a time
  • Click on Room Finder if it is not open already


  • In the drop-down, pick a room list that contains conference rooms


  • Outlook will now search all the rooms in the room list for the time the user has selected and present suggested times for any rooms that are available. If a room is not available, it will not show up in the list
  • Under "Choose an available room", pick the room you want and hit Send to schedule the meeting

Please note that in the current release of Office 365, room lists are only visible through PowerShell; they do not show up in the EAC. You have to run the PowerShell commands listed above to see them and to add members to them.

This should save your administrators and executive assistants time when planning and scheduling conference rooms in environments where there are abundant conference rooms and recurring meetings.

Exchange 2010 to Exchange 2016 Migration – Part 1

Exchange 2010 to Exchange 2016 Migration

Introduction

With the release of Exchange 2016, Microsoft brings the latest cloud-based enhancements of Office 365 to the on-premises version of Exchange. In this series, we will go through the steps required for an Exchange 2010 to Exchange 2016 migration and move mailboxes from Exchange 2010 to 2016 so that users can take advantage of the new features of Exchange 2016.

In this series, I'm going to use my test environment, which has one Exchange 2010 Standard server deployed, with Active Directory running on Windows Server 2008 R2 at a domain and forest functional level of 2008 R2.

Exchange services are currently configured as below.


The table below depicts the server name, IPs, Active Directory site and server roles installed.


Plan Exchange 2010 Upgrade

Before you start the Exchange 2016 deployment in an existing Exchange 2010 organization, it's important to understand the key architectural differences between Exchange 2010 and 2016.

Exchange 2016 includes two server roles: the Mailbox and Edge Transport server roles. The Edge Transport server role needs to be installed on its own computer; it can't be installed on the same computer as the Mailbox server role. The Edge Transport server role is optional, but the Mailbox server role is mandatory.

You need to plan for the following before the Exchange 2016 installation.

  • Active Directory Schema
  • Namespace for Exchange 2016
  • SSL Certificate
  • Hardware Sizing for Exchange 2016
  • High Availability of Exchange 2016
  • Mail flow
  • End user Impact
  • End user Communication
  • Exchange 2010 Health Check

Active Directory Schema

Exchange 2016 installation requires you to update the Active Directory schema to extend objects and attributes to support Exchange 2016. You need to plan the Active Directory schema update carefully. You cannot roll back a schema update; the only way to roll back is to manually remove the entries from the schema, and that is not a recommended method.

You need Active Directory Schema Admin, Enterprise Admin, Domain Admin and Exchange Organization Admin rights to install Exchange 2016.

In our scenario we have a single Exchange 2010 server and our schema is extended for 2010. We'll be extending the schema for 2016 during the installation of Exchange 2016.

If you have Exchange 2010 deployed and are upgrading to 2016, make sure that you plan your schema upgrade. If you do not have Exchange 2013 installed in the Exchange 2010 organization, or the AD schema isn't extended for Exchange 2013, then once the schema is extended for Exchange 2016 you will not be able to add an Exchange 2013 server to your organization.

Namespace for Exchange 2016

Plan the namespace configuration for Exchange 2016, covering the services you're going to transition from Exchange 2010 to 2016, such as Autodiscover, Outlook on the Web (a.k.a. OWA), Exchange Web Services, legacy and Office Online. Exchange 2010 coexistence with Exchange 2016 allows you to share the namespace configuration to reduce the complexity of the Exchange upgrade. It's recommended to keep the same namespace configuration for Exchange 2016 to make the transition easy across the board. We are going to use the following namespace configuration in our upgrade.


Note: You do not need a legacy namespace for Exchange 2016 coexistence with 2010. I have a legacy URL because sometimes during the upgrade customers would like to use a new namespace for 2016.

I have not included the namespaces for Office Online Server, as we are not going to deploy Office Online Server. Apart from the Exchange services namespace planning, we also need to plan the naming conventions for the Exchange 2016 installation, such as the Exchange 2016 hostname and database naming convention.

SSL Certificate

Now that we have planned the namespace configuration, the next step is to work on the Exchange 2016 SSL certificate. The new SSL certificate will include all the namespaces mentioned above. SSL certificates are used to protect the communication between your Exchange organization and external organizations. It's recommended to use a public SSL certificate for Exchange services. For our Exchange upgrade, we're going to use an SSL certificate from DigiCert that will include the following entries.

  • mail.msexperttalk.com
  • autodiscover.msexperttalk.com
  • legacy.msexperttalk.com
  • msexperttalk.com

It's recommended to use a Subject Alternative Names (SAN) certificate. Wildcard certificates are also supported with Exchange 2016.

Hardware Sizing for Exchange 2016

Exchange Server sizing is an important factor in our deployment. Under-sizing or over-sizing the Exchange environment can cause significant issues with your messaging infrastructure. It's recommended to use the Exchange Server Role Requirements Calculator. After working with the Exchange Server Role Requirements Calculator, below are its recommendations for the Exchange 2016 hardware.

  • 2 vCPU
  • 16GB RAM
  • 100 GB of Operating System Drive
  • 24GB Page file
  • RAID 1 for Exchange 2016 Databases
  • 2 Exchange 2016 Databases are recommended

DAG

Sizing has been done for 100 users running on Exchange 2010. We're going to have high availability in the primary site only.

High Availability of Exchange 2016

To avoid a single point of failure in the primary site, Exchange 2016 will be configured in high availability mode by using Database Availability Groups.

Mail Flow

After the installation of the Exchange 2016 server, the first step is to cut over the mail flow from Exchange 2010 to Exchange 2016. It's important to plan your mail flow changes: if something goes wrong, the impact will be on all the users within the organization. Once we have Exchange 2016 installed, we are going to use the following mail flow.

Diagram: new mail flow

As the diagram shows, we're going to move the mail flow from Exchange 2010 to the Exchange 2016 servers once we have Exchange 2016 installed, configured and tested.

End User Impact

It's important to plan for end user impact beforehand. Exchange 2016 doesn't support Outlook client 2007 or 2003. Make sure that you've analyzed and reviewed the end user impact before you migrate your users from Exchange 2010 to 2016. Update your endpoints to the minimum supported versions of Outlook and IE. It's recommended to install the latest updates of the Outlook client to provide the best possible experience to end users when connecting to Exchange Server. Currently Exchange 2016 supports the following Outlook clients.

  • Outlook 2016
  • Outlook 2013
  • Outlook 2010 with April 2015 Updates
  • Outlook for Mac for Office 365
  • Outlook for Mac 2011

Outlook clients earlier than Outlook 2010 are not supported. Email clients on Mac operating systems that require DAV, such as Entourage 2008 for Mac RTM and Entourage 2004, are not supported with Exchange 2016.

End User Communication

End user notification planning helps ensure a smooth and successful migration. It is recommended that the changes end users will encounter, and how to overcome them, be communicated in detail and with enough advance notice that end users have time to ask questions and understand what is expected of them.

Although the mailbox migration from Exchange 2010 to 2016 will not have any impact on end users apart from a pop-up message in the Outlook client, it's recommended to notify end users and provide them adequate information so that they can perform basic troubleshooting in case they run into any issue after their mailbox has been migrated from Exchange 2010 to 2016.

Exchange 2010 Health Check

It's always good practice to perform a health check of your existing Exchange 2010 server before you upgrade or deploy Exchange 2016 in your Exchange organization. The Exchange 2010 health check will help you determine the health of your existing system, and you can fix any issues that could have a significant impact on your transition to Exchange 2016. A healthy Exchange 2010 environment helps a lot in a smooth transition to Exchange 2016. The Exchange 2010 health check will be performed before the installation of Exchange 2016.

Conclusion

In part one of this series we worked on planning the Exchange 2016 upgrade and reviewed some of the key factors to consider before upgrading to Exchange 2016. In the next part of this series, we will start the Exchange 2016 installation and configuration by first completing the action items from the planning phase.
