Deploying mail security in Microsoft Office 365

This article aims to improve mail security when using Microsoft Office 365 as a mail provider, in a short time and without additional cost. It also gives practical insight into how to check whether mail security risks are present.

In order to do that, the following mail security mechanisms need to be understood (see SPF, DKIM, DMARC: Email Authentication Explained):

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting & Conformance (DMARC)

Note that a missing implementation of any one of the above drastically reduces mail security, while having all three in place drastically increases it.

We demonstrated it in a previous blogpost series:

With an efficient trio of SPF, DKIM and DMARC, you can reduce mail spoofing and thus phishing. These mechanisms are often overlooked but help prevent attackers from gaining an initial foothold into a company's perimeter via a rogue email.

SPF

Described in Set up SPF to help prevent spoofing - Office 365 | Microsoft Learn.

On your domain provider interface, add or edit the DNS TXT record for the SPF to add spf.protection.outlook.com as an authorized sender:

IN TXT "v=spf1 include:spf.protection.outlook.com -all"

Below is another example if you have more than Microsoft as a mail provider:

IN TXT "v=spf1 mx include:<another_spf> include:spf.protection.outlook.com -all"

Check that this is effective:

dig +short txt domain.com | grep spf
"v=spf1 include:spf.protection.outlook.com -all"

Note that -all is the recommended setting for the remaining checks; a loose SPF such as ~all should be avoided. Note also that include values should not be added without a good understanding of which IP ranges they authorize. We previously conducted mass attacks impersonating IP addresses of third parties authorized via this mechanism (see All Your SPF Includes Are Belong To Us — Improsec | improving security).
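To turn the two notes above into a repeatable check, the following script is an added example (it is not code from the article or from Microsoft) that parses an SPF TXT record such as the one returned by the dig command, reports the qualifier used on all, counts the terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation, beyond which receivers return permerror) and lists every include so that each one can be reviewed. The record strings in the usage section are constructed from the article's examples; the include name _spf.other-provider.example stands in for the article's <another_spf> placeholder.

```python
# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10)
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into qualified mechanisms and modifiers."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                       # modifier, e.g. redirect=... or exp=...
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                       # an unqualified mechanism means Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return {"mechanisms": mechanisms, "modifiers": modifiers}


def assess_spf(record: str) -> dict:
    """Return the 'all' qualifier, the lookup count, the includes and a list of findings."""
    parsed = parse_spf(record)
    findings, all_qualifier, lookups = [], None, 0
    for qualifier, name, _value in parsed["mechanisms"]:
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and should not be used")
    if "redirect" in parsed["modifiers"]:
        lookups += 1                          # redirect= also triggers a lookup
    if all_qualifier is None and "redirect" not in parsed["modifiers"]:
        findings.append("no 'all' mechanism: unlisted senders get a Neutral result")
    elif all_qualifier in ("~", "?"):
        findings.append(f"'{all_qualifier}all' is loose: unlisted senders are not rejected")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the Internet")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    includes = [v for _q, n, v in parsed["mechanisms"] if n == "include"]
    return {"all": all_qualifier, "lookups": lookups, "includes": includes, "findings": findings}


if __name__ == "__main__":
    # Constructed inputs, modelled on the article's two example records
    for rec in ("v=spf1 include:spf.protection.outlook.com -all",
                "v=spf1 mx include:_spf.other-provider.example include:spf.protection.outlook.com -all",
                "v=spf1 include:spf.protection.outlook.com ~all"):
        print(rec, "->", assess_spf(rec))
```

The includes list is the part worth reading manually: every name in it should be resolved and its IP ranges reviewed before the record goes live, since each one authorizes those ranges to send as your domain.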

Send a mail to another address from one of your Office 365 addresses and check that SPF passes in the MIME headers of the received message:

Received-SPF: Pass (protection.outlook.com: domain of domain.com designates
 1.2.3.4 as permitted sender) receiver=protection.outlook.com;
 client-ip=1.2.3.4; helo=FRA01-PR2-obe.outbound.protection.outlook.com;
 pr=C

In the above example both the sender and the receiver are on Microsoft Office 365, and the sender's IP for domain.com is authorized to send emails.

DKIM

Described in https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide.

While logged in to your Office 365 tenant, go to https://security.microsoft.com/dkimv2.

Configure DKIM by clicking domain.com and "Create DKIM keys".

This will generate cryptographic keys needed for DKIM and present you with two DNS CNAME records pointing to the public keys. Add these records in your domain provider interface:

selector1._domainkey IN CNAME selector1-domain-com._domainkey.domain.onmicrosoft.com.
selector2._domainkey IN CNAME selector2-domain-com._domainkey.domain.onmicrosoft.com.

Note that the selectors are predictable, so keys can easily be retrieved for domains using Office 365.

Check:

dig +short txt selector1._domainkey.domain.com
selector1-domain-com._domainkey.domain.onmicrosoft.com.
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhki[...]wTqEC+kzW" "zLWyr61X[...]w2Nn5cyKUga0WvoUOlGN9uMQIDAQAB;"
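dig prints the key record above as several quoted strings because TXT records are stored in 255-byte chunks, and the p= value is the DER-encoded RSA public key. The following script is an added example (not code from the article or from Microsoft) that joins the strings, parses the tags and reads the modulus size out of the DER so that a weak or revoked key is noticed during the check. It builds its own sample record from a synthetic 2048-bit number rather than a real key, because the article's p= value is truncated; build_rsa_spki and make_sample_record exist only to produce that constructed test data.

```python
import base64
import re


# --- minimal DER helpers: just enough to build and read an RSA SubjectPublicKeyInfo ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value: int) -> bytes:
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                       # keep the INTEGER positive
    return _der(0x02, b)


def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo, the DER that a DKIM p= tag carries."""
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))            # RSAPublicKey
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


def _read_tlv(buf: bytes):
    tag, length, i = buf[0], buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[i:i + length], buf[i + length:]


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size."""
    tag, outer, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _alg, rest = _read_tlv(outer)          # AlgorithmIdentifier, not needed here
    tag, bitstr, _ = _read_tlv(rest)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr[1:])     # first byte is the unused-bits count
    tag, modulus, _ = _read_tlv(rsa_key)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


# --- DKIM key record handling ---
def join_dig_strings(dig_line: str) -> str:
    """dig prints a long TXT record as several quoted strings; concatenate them."""
    return "".join(re.findall(r'"([^"]*)"', dig_line))


def parse_tags(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def assess_dkim(dig_line: str) -> dict:
    """Check version, key type, key size and testing flag of a published DKIM key record."""
    tags = parse_tags(join_dig_strings(dig_line))
    findings, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected v= tag")
    key_type = tags.get("k", "rsa")
    pub = re.sub(r"\s+", "", tags.get("p", ""))
    if not pub:
        findings.append("empty p= tag: key is revoked, signatures will not verify")
    elif key_type == "rsa":
        bits = rsa_modulus_bits(base64.b64decode(pub))
        if bits < 2048:
            findings.append(f"{bits}-bit RSA key: RFC 8301 says signers should use at least 2048")
    if "y" in tags.get("t", ""):
        findings.append("t=y: testing mode, verifiers may treat failures as unsigned")
    return {"key_type": key_type, "key_bits": bits, "findings": findings}


def dig_style(record: str) -> str:
    """Format a record the way dig prints it: 255-byte quoted strings separated by spaces."""
    return " ".join(f'"{record[i:i + 255]}"' for i in range(0, len(record), 255))


def make_sample_record(modulus_bits: int) -> str:
    """Constructed test data: a synthetic modulus of the given size (not a real key)."""
    spki = build_rsa_spki((1 << (modulus_bits - 1)) | 0x10001)
    return dig_style("v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode())


if __name__ == "__main__":
    print(assess_dkim(make_sample_record(2048)))
```

Feed it the third line of the dig output (the one starting with "v=DKIM1"); the CNAME target on the second line is the selector's location in Microsoft's zone, and the key record at that location is what the script inspects.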

Go back to the Microsoft security administration portal and enable "Sign messages for this domain with DKIM signatures".

Send a mail to another address from one of your Office 365 addresses and check in the received headers that the mail is signed and that DKIM passes:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=pKN2xqOTWcXjLrF87kcdyQpeMd9Io3biawwGtkvDT5k=;
 b=k0qzKAVJq0FW6e[...]9bmq+zAqw==
[...]
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 1.2.3.4) smtp.rcpttodomain=improsec.com smtp.mailfrom=domain.com;
 [...]
 dkim=pass (signature was verified) header.d=domain.com; arc=pass (0 oda=1
 ltdi=1 spf=[1,1,smtp.mailfrom=domain.com] dkim=[1,1,header.d=domain.com] [...]

DMARC

Described in Use DMARC to validate email, setup steps - Office 365 | Microsoft Learn.

On your domain provider interface, add or edit the DNS TXT record for DMARC (_dmarc.domain.com) if you do not already have one:

_dmarc IN TXT "v=DMARC1; p=reject; sp=reject"

RUA and RUF can be specified and used for detection of attacks and mail security monitoring:

_dmarc IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; ri=84600"

The policy above is deliberately restrictive, hence it should be deployed with caution: from now on, all mails that pass neither SPF nor DKIM will be rejected by receivers honoring DMARC. Note though that without reject or quarantine as the policy value, a DMARC policy is not a security barrier.

Check with:

dig +short txt _dmarc.domain.com
"v=DMARC1; p=reject; sp=reject"
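The following script is an added example (not code from the article or from Microsoft) that applies the "not a security barrier" rule above to the record returned by the dig check: it parses the tags, applies the defaults receivers use (sp inherits p, pct defaults to 100, ri to 86400 seconds) and reports whether the record enforces anything at all. The address dmarc@domain.com in the usage section is a constructed sample value.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC uses the same syntax as DKIM)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Decide whether a DMARC record actually enforces anything and list its weaknesses."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1 or receivers ignore it")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append(f"p={policy}: missing or invalid policy, record is discarded")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    subpolicy = tags.get("sp", policy)        # subdomain policy defaults to p
    if policy in ("quarantine", "reject") and subpolicy == "none":
        findings.append("sp=none leaves subdomains spoofable")
    pct = int(tags.get("pct", "100"))         # share of failing mail the policy applies to
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, abuse goes unnoticed")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {
        "policy": policy,
        "subdomain_policy": subpolicy,
        "pct": pct,
        "report_interval": int(tags.get("ri", "86400")),
        "enforcing": enforcing,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed inputs: the article's record, then two weaker variants for comparison
    for rec in ("v=DMARC1; p=reject; sp=reject",
                "v=DMARC1; p=none; rua=mailto:dmarc@domain.com",
                "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@domain.com"):
        print(rec, "->", assess_dmarc(rec))
```

Run it against the record of every domain the company owns, not only the one that sends mail: parked domains with no DMARC record at all are the easiest to spoof.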

When sending an email from the Office 365 tenant, you should now see in the received headers that SPF, DKIM and DMARC all pass:

ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 1.2.3.4) smtp.rcpttodomain=improsec.com smtp.mailfrom=domain.com;
 dmarc=pass (p=reject sp=reject pct=100) action=none header.from=domain.com;
 dkim=pass (signature was verified) header.d=domain.com; arc=pass (0 oda=1
 ltdi=1 spf=[1,1,smtp.mailfrom=domain.com] dkim=[1,1,header.d=domain.com]
 dmarc=[1,1,header.from=domain.com])
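Reading the header above by eye works for one test mail; the following script is an added example (not code from the article or from Microsoft) that parses an Authentication-Results or ARC-Authentication-Results header the way a transport rule or log pipeline would: it unfolds the continuation lines, strips the parenthesised comments, and returns each method's result together with its properties. It also extracts the authserv-id (mx.microsoft.com in the article's sample) so that a result is only trusted when it was added by your own verifier, since any sender can put such a header into a message. SAMPLE_HEADER is the article's example header; the expected authserv-id and the failing variant in the usage section are constructed.

```python
import re

# The article's sample header, folded across lines exactly as it appears in a received message
SAMPLE_HEADER = """ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 1.2.3.4) smtp.rcpttodomain=improsec.com smtp.mailfrom=domain.com;
 dmarc=pass (p=reject sp=reject pct=100) action=none header.from=domain.com;
 dkim=pass (signature was verified) header.d=domain.com; arc=pass (0 oda=1
 ltdi=1 spf=[1,1,smtp.mailfrom=domain.com] dkim=[1,1,header.d=domain.com]
 dmarc=[1,1,header.from=domain.com])"""


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def strip_comments(value: str) -> str:
    """Remove (comment) sections, nested ones included, so a ';' inside them cannot split a result."""
    previous = None
    while previous != value:
        previous, value = value, re.sub(r"\([^()]*\)", "", value)
    return value


def parse_authentication_results(header: str) -> dict:
    """Return the authserv-id and {method: {"result": ..., "props": {...}}} for an
    Authentication-Results or ARC-Authentication-Results header."""
    value = strip_comments(unfold(header).split(":", 1)[1])
    authserv_id, results = None, {}
    for resinfo in value.split(";"):
        tokens = resinfo.split()
        if not tokens or re.fullmatch(r"i=\d+", tokens[0]):
            continue                          # empty segment or the ARC instance tag
        if "=" not in tokens[0]:
            authserv_id = tokens[0]           # "mx.microsoft.com 1": authserv-id and version
            continue
        method, result = tokens[0].split("=", 1)
        props = {}
        for token in tokens[1:]:
            if "=" in token:
                key, val = token.split("=", 1)
                props[key] = val
        results[method.lower()] = {"result": result.lower(), "props": props}
    return {"authserv_id": authserv_id, "results": results}


def authenticated(header: str, expected_authserv_id: str,
                  required=("spf", "dkim", "dmarc")) -> bool:
    """True only if the header was added by our own verifier and every required method passed."""
    parsed = parse_authentication_results(header)
    if parsed["authserv_id"] != expected_authserv_id:
        return False
    return all(parsed["results"].get(m, {}).get("result") == "pass" for m in required)


if __name__ == "__main__":
    print(parse_authentication_results(SAMPLE_HEADER))
    print("trusted and all pass:", authenticated(SAMPLE_HEADER, "mx.microsoft.com"))
    # Constructed variant: same header with the DKIM verdict flipped
    print("dkim=fail:", authenticated(SAMPLE_HEADER.replace("dkim=pass", "dkim=fail"), "mx.microsoft.com"))
```

The props dictionary is where alignment can be checked: for DMARC to hold, header.from must match smtp.mailfrom (SPF) or header.d (DKIM), which is the case in the sample since all three are domain.com.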

Conclusion

Improving mail security in Microsoft Office 365 can be done easily and greatly reduces phishing risks. We recommend setting it up and monitoring changes to DNS records and DKIM keys.
