
Where to set up SPF and DMARC on your own emails in Exchange 365?

Eds
Set up SPF and DMARC for your email domain; it will mark spoofed email as spam and flag for your users that the email is not legitimate.

Where to set up SPF and DMARC on your own emails in Exchange 365?
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You have a few setup items...

1) DNS SPF record.

2) DNS DKIM record.

3) DKIM signing infrastructure, where you route every message through some DKIM local daemon which returns the correct headers to inject into messages leaving your MTA.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
https://www.experts-exchange.com/questions/29166735/USE-DKIM-keys-on-EDGE-Servers.html provides a good overview of DKIM signing related resources.
Eds

Author

Commented:
Can I just ask my Exchange 365 provider, who also hosts my www, to double check these for me?
They are usually very helpful.
Jackie Man IT Manager
Top Expert 2010

Commented:
Can I just ask my Exchange 365 provider, who also hosts my www, to double check these for me?

Not just check with them.

You need to work with the tech who maintains the nameserver of the DNS record of your domain to create DKIM signature and DMARC records.

SPF record should be created at the time you migrate to Exchange 365.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Can I just ask my Exchange 365 provider, who also hosts my www, to double check these for me?

Exchange != HTTPS

So asking any question about www (HTTPS) has no meaning in an Exchange (SMTP/IMAP/POP) context.

Email != Web

There's no correlation of SPF/DKIM to any HTTPS level changes.
CEO Faru Bonon IT /Top Rated Freelancer on Upwork / Photographer
Awarded 2018
Distinguished Expert 2018
Commented:
Hello Eds,
Thank you for your question, let me try to light you up about this one.

Actually, there are 3 authentication methods for "Email".
SPF = This is a TXT record configured on your public DNS (the public DNS is usually where you bought the domain, like GoDaddy or Network Solutions, etc).
DKIM = If you are outside Office 365, this is an asymmetric key pair (public key, private key) that is usually managed by your own Exchange server (using this, for example: https://github.com/Pro/dkim-exchange)

If you are on O365, I have a script that could help you by giving you the DNS records that you need (in this case there are 2 CNAMEs), also on the public DNS. Here's the script: https://gallery.technet.microsoft.com/office/Enable-DKIM-security-on-a151f7c6

And the DMARC record is no more than a validator of the 2 previous records (SPF and DKIM). For this record I use this:
https://mxtoolbox.com/DMARCRecordGenerator.aspx

This is a TXT record called _DMARC that will bring the policy you want to have for your domain.


Where to set up SPF and DMARC on your own emails in Exchange 365?
You can't do this for your own email, you need to do this for your DOMAIN.
And you can use my script; it will set it up and enable it for you.
You do this domain-wide, not user-wide.
mbkitmgr, Owner

Commented:
The two records SPF and DMARC are Text Records added to your DNS.  

For example, if your domain name was registered with Go-Daddy, you would:
  1. Create the two text records via the tools below,
  2. Contact Go-Daddy Support,
  3. Ask them to add these to the DNS for your domain name on their system.

To decide how to compose your records:
MXToolbox SPF creator tool = https://mxtoolbox.com/SPFRecordGenerator.aspx

DMARC records Generator = https://dmarcguide.globalcyberalliance.org/#/

These will walk you through creating the records.  Once you have both you could contact your Domain Name Registrant and ask them to add them.

Things to keep in mind
  • Start with lower level settings until you have time to understand what each record does.
  • You can come back and increase the settings later if needed.
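
A way to sanity-check the two TXT records discussed in this thread before they are handed to whoever manages the DNS, as an added example that is not part of any post above. The record values are constructed, example.com is a placeholder, `include:spf.protection.outlook.com` is the include Microsoft documents for Exchange Online, and the function names are illustrative.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt_records):
    """Return a list of problems with the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero or several SPF records both break evaluation
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    problems = []
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, SPF limit is 10")
    alls = [t for t, n in zip(terms, names) if n == "all"]
    if not alls and "redirect" not in names:
        problems.append("no 'all' term: unlisted senders get a neutral result")
    elif alls and alls[0][0] not in "-~":
        problems.append(f"'{alls[0]}' does not fail unlisted senders")
    return problems

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into a dict of lower-cased tag names."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_dmarc(txt):
    """Return a list of problems with the TXT value published at _dmarc.<domain>."""
    tags, problems = parse_dmarc(txt), []
    if not txt.strip().startswith("v=DMARC1"):
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif policy == "none" and "rua" not in tags:
        problems.append("p=none with no rua=: monitoring only, but no reports requested")
    return problems

# Constructed sample records for the placeholder domain example.com.
SAMPLE_TXT = ["site-verification=constructed-token",
              "v=spf1 include:spf.protection.outlook.com -all"]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print("SPF:", check_spf(SAMPLE_TXT) or "ok")
    print("DMARC:", check_dmarc(SAMPLE_DMARC) or "ok")
```

An empty list from either check means the record passed these basic rules; it does not confirm that the record is actually published in DNS.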