Prevent people sending email as you on Office 365


How to set up SPF, DKIM, and DMARC on Office 365

Is that email really from your CEO? Do your customers have a way to tell if that email really came from you?

Email servers normally accept email from anyone regardless of who they claim to be. Anyone can send email that appears to be From [email protected]. The security features shown below let your recipients know if email is genuinely from you.

Create a list of your official email servers

The first step is to set up a list of which servers are authorized to send email on your behalf (from yourcompanydomain.com). This list is called a Sender Policy Framework (SPF) record and is stored in your company’s Domain Name System (DNS) records as a TXT record:

  1. Check your SPF record—it may already be set up, at least partly.
    1. If you do have an SPF record, confirm it includes all servers you send email from, as shown in step 4 below.
      1. If your list of email servers is not complete, and you enforce it (using ‘-all’ or DMARC), some of your legitimate emails could go into Spam/Junk, or get rejected.
  2. Go to your DNS records.
    1. If you don’t recall which company your domain name was registered with, you can look that up here.
    2. Once you know who your domain registrar is, here are specific instructions for creating DNS records on popular domain registrars.
  3. Create a New DNS Record of type TXT
    1. If there is a ‘Host’ or ‘subdomain’ box, type @ in it.
  4. In the Value or Text box, enter: v=spf1 include:spf.protection.outlook.com -all
    1. Having two or more SPF records for the same domain doesn’t work. You must include all servers allowed to send email on your behalf, in your one SPF record.
    2. If you also use MailChimp, Salesforce, or any other external company to send email from yourcompanydomain.com, you need to add their servers to your SPF record, just before ‘-all’.
      1. For MailChimp: include:servers.mcsv.net
      2. For SalesForce: include:_spf.salesforce.com
      3. If you use any other email sending services, look up the SPF ‘include:…’ statement for them, and add that to your SPF record, or else their email will be seen as fake.
    3. You can have a maximum of ten server names in your SPF record.
      1. If you use more than two email services, e.g. Office 365, MailChimp, and Salesforce, you would exceed this 10 server limit, since when their servers are looked up, they respond with at least four servers.
        1. If you do use multiple email services with more than 10 email server names, you will need to create a subdomain and separate SPF, DKIM, and DMARC records for them, e.g. marketing.yourcompany.com, sales.yourcompany.com, etc.
      2. If you have scanners, phone systems, etc. at your office that can only send email directly and can’t send via O365, you can add your office’s IP address at the end of the line, just before the ‘-all’, for example: ip4:123.123.123.123 -all
        1. Where you would replace 123.123.123.123, with your office’s external IP address.
        2. If you have multiple offices, each with devices that send email directly, you would add each of their IP addresses this way, one after the other.
        3. Email servers and sending-devices that you add by IP address like this, don’t count against SPF’s 10-named-email-servers-per-domain limit.
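
The rules in step 4 (exactly one SPF record, ending in ‘-all’, within the limit of ten) can be checked mechanically. The following is an added example, not part of the original article: it lints a constructed, offline zone and counts lookups the way RFC 7208 does, including the ones inside included records. The function names and the contents of the include targets are assumptions made up for illustration, not the providers' real records.

```python
import re

# Constructed zone for offline use: name -> TXT strings. The contents of the
# include targets are invented sample data, not the providers' real records.
ZONE = {
    "yourcompanydomain.com": [
        "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net "
        "ip4:123.123.123.123 -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 include:more.example.net -all"],
    "more.example.net": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "servers.mcsv.net": ["v=spf1 ip4:203.0.113.0/24 -all"],
}

def spf_records(zone, name):
    """TXT strings at `name` that are SPF records (start with v=spf1)."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, path=frozenset()):
    """Count DNS-querying terms (RFC 7208 section 4.6.4), following includes."""
    recs = spf_records(zone, name)
    if name in path or not recs:
        return 0                      # loop or missing record: stop descending
    total = 0
    for term in recs[0].split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t.startswith(("include:", "redirect=")):
            target = re.split(r"[:=]", t, maxsplit=1)[1]
            total += 1 + count_lookups(zone, target, path | {name})
        elif re.match(r"(a|mx|ptr|exists)([:/]|$)", t):
            total += 1                # ip4:, ip6: and all need no lookup
    return total

def lint_spf(zone, domain):
    """Return a list of problems with the SPF setup published for `domain`."""
    recs = spf_records(zone, domain)
    if len(recs) != 1:
        return [f"expected exactly one SPF record, found {len(recs)}"]
    problems = []
    if recs[0].split()[-1].lower() != "-all":
        problems.append("record does not end with -all")
    n = count_lookups(zone, domain)
    if n > 10:
        problems.append(f"{n} DNS lookups, limit is 10")
    return problems

print(lint_spf(ZONE, "yourcompanydomain.com"))
```

To run it against a live domain, replace ZONE with the TXT answers returned by your DNS tool of choice for the domain and each include target.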

Digitally Sign your email

Having a list of official servers is a good first step but is not foolproof. Someone else using Office 365 email might still be able to pretend to be you because they are using the same mail servers that you are. You can sign your email electronically, so recipients can check whether email claiming to be from you has your company’s signature. This signature is part of the Domain-Keys Internet Mail (DKIM) standard.

Generate the key used to sign mail:

DKIM keys are created by default for email sent from your yourcompanydomain.onmicrosoft.com address, but not for yourcompanydomain.com. For your own domain they must be created in the Office Admin portal, then added to your DNS records:

  1. Sign in to Office 365 with your work account.
  2. Select the app launcher icon in the upper-left and choose Admin.
  3. In the lower-left navigation, expand Admin and choose Exchange.
  4. Go to Protection > DKIM.
  5. Select the domain for which you want to enable DKIM and then, for Sign messages for this domain with DKIM signatures, choose Enable. Repeat this step for each custom domain.

Add more security and control, see which email is blocked

Once you’ve set up SPF and DKIM records, consider configuring Domain-based Message Authentication, Reporting, and Conformance (DMARC). This will let you control how messages flagged as fake are handled. You will also be able to see reports when fakes are detected.

Without DMARC, someone at your company could change their visible email From address to yours, and it would pass SPF and DKIM checks, because it would be from your server and signed with your domain’s key. DMARC also lets you tell people what to do with email that fails those checks—Quarantine it in spam/junk, Reject it completely, or do nothing and accept all email, which wouldn’t be useful.
DMARC settings are also stored in a TXT record:

  1. Open a new browser tab, and go to your DNS records.
  2. Create a New DNS Record of type TXT
    • If there is a ‘Host’ or ‘domain’ box, enter:
      • _dmarc.yourdomainname.com
        • where you replace yourdomainname.com with your real domain name, e.g. in our case: _dmarc.consultumbrella.com
  3. In the Value or text box, enter:
      • v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com
        • where:
          • pct=5 means that messages which fail the DMARC check are quarantined or rejected 5% of the time.
            • This is a good starting % to block or quarantine when first trying out DMARC, to find out if you may have legitimate email being sent from servers you may not yet have listed in SPF, or which aren’t getting signed by DKIM.
            • Once you confirm no valid messages are being rejected or quarantined, you can edit this TXT record to increase the percentage of failing emails that are rejected/quarantined, up to pct=100 or pct=all.
          • postmaster@your_domain.com must be changed to a real email address of someone at your company who will be sent a report about email that fails the DMARC check, or else you won’t know if any legitimate email is getting rejected or quarantined as spam.
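
The decision a receiving server makes with the record above, as an added example that is not part of the original article: it ties the SPF and DKIM results to the visible From domain and then applies p and pct. The function names, the two-label shortcut for the organizational domain, and other-tenant.example are assumptions made for illustration.

```python
# Policy applied to failing messages that fall outside the pct sample
# (RFC 7489: reject falls back to quarantine, quarantine to none).
FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; pct=...' into a dict of tag -> value."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or tags.get("p") not in FALLBACK:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    """Simplified: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def disposition(record, header_from, spf_domain=None, dkim_domain=None, sample=0):
    """Return 'pass', or the policy applied to a message that fails DMARC.

    spf_domain / dkim_domain: the domain that passed SPF (envelope sender) or
    DKIM (d= of a valid signature), or None if that check failed.
    sample: value in 0..99 standing in for the receiver's random pct draw.
    """
    tags = parse_dmarc(record)
    from_org = org_domain(header_from.rsplit("@", 1)[-1])
    # Relaxed alignment (the default): organizational domains must match.
    aligned = any(d and org_domain(d) == from_org for d in (spf_domain, dkim_domain))
    if aligned:
        return "pass"
    pct = int(tags.get("pct", "100"))
    return tags["p"] if sample < pct else FALLBACK[tags["p"]]

RECORD = "v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com"
# Signed by the domain shown in the visible From address: aligned.
print(disposition(RECORD, "ceo@yourdomainname.com", dkim_domain="yourdomainname.com"))
# SPF and DKIM both pass, but for a different (constructed) domain: not aligned.
print(disposition(RECORD, "ceo@yourdomainname.com",
                  "other-tenant.example", "other-tenant.example", sample=3))
```

With pct=5, the same failing message is quarantined only when the draw lands below 5; otherwise it is delivered and still shows up in the rua report.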