The Trinity of Email Protection: Lessons Learned using DMARC, DKIM and SPF in Office 365

I am a big fan of DMARC and its ability to easily determine which messages sent as, and from, your SMTP domains are using authenticated and authorized servers. The A in DMARC actually stands for “authentication”, but it’s really a little of both.

Regardless, it’s something I highly recommend and if you are using Office365/EOP, there is really no reason you should not be using it, after all it’s already enabled. In fact, if you choose not to set up any of the email protection trinity, EOP will absolutely mark any message sent from the internet as your domain to your domain as SPAM.

Since you are reading this, I assume you are using it or wanting to use it. To that end, here are some tips and lessons learned from my own experiences:

  1. Start small.  Your first DMARC record in DNS ( _dmarc.contoso.com) should do nothing but report. At its very minimum, it should look like this: “v=DMARC1; p=none;rua=mailto:DMARC@contoso.com;”  All this does is tell recipient servers that they should send DMARC failure reports to DMARC@contoso.com ( This could be a mail-enabled Public Folder).  The p=none does not affect the way messages are delivered. With p=none, you are not suggesting to a recipients mail server that they change the way they handle the messages that fail DMARC checks.  I would recommend you always use p=none, unless you have no 3rd party vendors that send mail as your SMTP domain. In that case, p=quarantine is probably worthwhile once you have vetted out your DMARC policy sufficiently. I would never use p=reject  – unlike a few ISPs out there.
  2. Get your SPF records in order. If you have 3rd party vendors that send as you, this is especially important. It doesn’t take much to exceed the 10 Lookup Max on SPF records. Heck, if you are using EOP, spf.protection.outlook.com requires three lookups alone! Exceeding that amount can cause failures because recipient domains may ignore your SPF completely.
  3. Don’t forget DKIM! SPF seems to get all the attention, but setting up DKIM could not be easier in Office 365. You can even configure it in the portal now under the Protection menu in EAC. And once setup, there is nothing cooler than seeing that DKIM-Signature in the headers.
  4. There are options if you simply can not get those SPF lookups below 10. The SPF RFC supports macros. Mind. Blown. No really. Imagine a SPF record of “contoso.com IN TXT “v=spf1 include:%{i}._ip.{%h}._ehlo.{%d}._spf.contoso.com –all”.  Ok, I am not aware of anyone that does this, but it’s a possibility. Another option is not use SPF records and depend on the DKIM record. This is great if you have no or cooperative 3rd party vendors that send as your domain. DKIM is not limited to that pesky 10 max record lookup and as mentioned above, DMARC messages need to pass either the DKIM or SPF and, not both. If you support multiple SMTP domains, you may want to also consider setting up distinct SPF records for each zone rather then using the include option to keep each domain under that 10 limit.
  5. Don’t forget the alignment requirement! As mentioned above, DMARC will check the sender’s valid SPF or DKIM records in DNS. If one or both of those exist and pass, then alignment must pass as well. This is the magic sauce in DMARC. Alignment simply means the header FROM: matches the Domain “from” (i.e. the MAIL FROM: /Return-PATH) of the message. This is an important consideration because even if the message passes the SPF or DKIM check, it can still fail DMARC if for some reason you have processes that set the FROM: in the header to a completely different domain from the RETURN-PATH or MAIL FROM:. I have seen it happen!
  6. Leverage DMARC inbound. The value-add for DMARC is pretty obvious for messages sent out from your org. But the really cool part is using it inbound to stop those endless spoofing attempts without the need for clunky transport rules. You can create nifty rules to check for failures as illustrated in a previous blog post. This is another reason you want those SPF records to be below 10 lookups. If they exceed allowed amount, you may find that your inbound rules do not correctly detect the dmarc=fail or dmarc=pass.
  7. Whitelisting is your friend. If you are going to create inbound DMARC rules, it is very important to remember that SPF lists mail servers that are authorized to send messages on behalf of your SMTP domain. That’s not necessarily the same list of IPs that will sending as your domain directly to internal users. If you are using WorkDay, SalesForce or any of the multitude of SAAS cloud vendors, you can be pretty darn sure they are sending spoofed messages to your domain, but not to external recipients as you,  so they wont be listed in your SPF. Any whitelisting rules MUST be above the DMARC rule. Seems obvious, but don’t overlook it!
  8. Add a check for dmarc=temperror in your inbound transport rule. If the domain in the Mail FROM: doesn’t exist, you may see a spf=temperror or dmarc=temperror in the Authentication-Results header of the message. If your rule isn’t testing on that, it could slip past your defenses. I have actually seen a number of these from images spun up in 3rd party hosted solutions. I prefer to tag these as FAILs, but that is up to you if you want to let them pass.
  9. Set the inbound rule to only notify you initially. As with DMARC in general, start small. Don’t block anything until you feel confident that only the truly unwanted spoofed messages are trapped. Your initial rule should simply check for a DMARC failure, and send an incident report to a mailbox that you monitor. An example rule is found here. And that leads me to the next tip once you ready to take action on DMARC failures.
  10. Quarantine the message, do not simply set it to a high SCL. You really have two options  ( I would not delete the message) on how to deal with illegitimate spoofed mail, you can force it the quarantine, or set it at a SCL high enough to mark it as SPAM. I recommend forcing it the quarantine so that end-user safe sender lists can not trump your rule.  If you have a user that has added a GAL object to their contacts ( A very common scenario), and has also checked “Also trust e-mail from my contacts” in Safe Senders, the spoofing rule will be defeated.
  11. Add a custom x-header to your rule. This helps you, the help desk and the end-user easily identify why this message was quarantined.

So there are some tips. This is by no means a comprehensive list. I plan to add more or revise these as time permits. If you want to read more, including how to setup DKIM in Office 365,  I would suggest following the blogs of Terry Zink  and Andrew Stobart.

 

 

You are unable to choose the OU in EAC when creating a new Mailbox or Groups…

If you have more than 500 Organization Units in your AD forest, you may..no…you will, run into this issue in the Exchange 2013 EAC when creating a new mailbox or group and want to create the object in a different OU other than the default “Users” container.

Upon accessing the OU Dialog box:

OUBrowse

 

You will see this lovely message:

OU

Unfortunately, this is a known issue. There is no fix yet.

I would recommend you simply create the mailboxes and groups in Powershell if you want to specify the OU.

The work-around for EAC:

  •  Edit the web.config file on the MAILBOX server under

     \\Program Files \ Microsoft \ Exchange Server \ V15 \ ClientAccess \ ecp \

    add the following under the appsettings section of the file.

    <add key=”GetListDefaultResultSize” value=”<number more than OUs in your forest” />

Recycle ECP app pool.

Note that you will need to do this after each Cumulative Update.

 

P.S. If you do not know how many OUs your forest has:

Get-OrganizationalUnit -ResultSize unlimited | Measure-Object

How to create an Outlook Profile for a Hidden Mailbox

Suppose you wanted to create an Outlook profile for a hidden mailbox and, for whatever reason, you do not want to unhide it from the Address Book just long enough to create it. All hope is not lost! ( Unless you are using Outlook 2016). You can do it using the LegacyExchangeDN.

1. Use adsiedit or your favorite LDP viewer/query tool and copy the LegacyExchangeDN of the hidden mailbox. ( I still prefer adfind to this day).

The LegacyExchangeDN value is a property of the user’s object in AD and will be in the form of:  /o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserA

2. Create the Outlook profile. It will fail and you will be at the dialog box that shows server name and the users’ mailbox.

Capture

3. Remove the “=SMTP: User@contoso.com”  value of the  “Mailbox:” and paste the LegacyExchangeDN value you copied from Step1.

Capture5a

4. Hit Check Name and it should resolve and allow you to create the profile and access the mailbox.

Capture3a

This is with Exchange/Outlook 2013. This does not work with Outlook 2016 from what I have seen:

Capture4a

 

 

On-Premises Mailbox Missing Retention Policy Tags after enabling Archive in Office 365

Consider the following scenario:

You have an on-prem mailbox, but decide to move your online archives to Office 365 to take advantage of the “Unlimited” storage. No problem. That works great for existing mailboxes, but when creating new archives in the cloud, you discover that the policy retention tags are not surfaced to the end-user in Outlook and the ability to archive to a pst remains.

AutoArc1

You have a few options:

Run: Start-ManagedFolderAssistant <user>

If that doesn’t work, move the online back on-premises and run Start-ManagedFolderAssistant.  Alternatively, if the archive is unused, disable it, re-enable on-prem  ( and run Start-ManagedFolderAssistant to speed things up). Once the policy tags appear, move it back to Office 365.

P.S. Ensure you have imported all the on-premises tags to Office 365 per the link below. Otherwise the automatic archiving will not work!

https://technet.microsoft.com/en-us/library/jj907307(v=exchg.150).aspx