DKIM records Office 365
-
I am willing to bet the email that was spoofed used OAUTH or some other attack method. You should really dig past this for more details and get the original messages, would love to see the headers from the spoofed messages.
Its great that "bobs nephew is google security" but insist that they let you do your job.
Quick reference:
DMARC: Tells remote servers if your domain is using SPF and/or DKIM
SenderID: Was like caller ID for SPF, but caused a lot of grief.
SPF: Almost irrelevant since the failure of
SPFSenderIDDKIM: Uses a public/private key setup similar to PGP that uses domain keys for key exchange and sends an encrypted signature that can be decrypted and validated from a public key.
None of these are going to do much to block the types of attacks you would see these days.
-
What do you mean failure of SPF? The only failure in SPF i see is from people using Office 365, where anybody in the world using Office 365 can pass spf checks for anybody else using Office 365. For people not using Office 365 SPF is great. I turned on SPF when i started here, instantly stopped all the fake company emails to customers and internal users.
-
@momurda said in DKIM records Office 365:
What do you mean failure of SPF? The only failure in SPF i see is from people using Office 365, where anybody in the world using Office 365 can pass spf checks for anybody else using Office 365. For people not using Office 365 SPF is great. I turned on SPF when i started here, instantly stopped all the fake company emails to customers and internal users.
Should say because of the failure of SenderID.
And because SenderID is dead SPF is crippled to do what you claim. Also what spoof emails were you getting en mass, from what domains.
And Office 365 is not crippled by this, thisveoupd be a failure to configure policy and use of dmarc. The same is true of any mass email provider like g suite.
Sorry for brevity - on mobile
-
@momurda said in DKIM records Office 365:
What do you mean failure of SPF?
Failed to take off, perhaps.
-
@scottalanmiller said in DKIM records Office 365:
@momurda said in DKIM records Office 365:
What do you mean failure of SPF?
Failed to take off, perhaps.
See original post I corrected it, failure of SenderID made SPF a lot less meaningful, and no one has attempted a replacement.
So the reply address is only validated when the recipient replies....
-
@bigbear said in DKIM records Office 365:
DMARC: Tells remote servers if your domain is using SPF and/or DKIM
DMARC tells remote servers what to do with inbound mail that fails a SPF or DKIM check.
It does not tell remote servers if you are using it.
DMARC cannot be implemented without SPF and/or DKIM already in place.
So this means, in order for DMARC to do jack shit, all of these conditions have to be true.
- you have to have SPF/DKIM setup.
- you have to have DMARC setup.
- the recipient has to have SPF/DKIM checking setup
- the recipient has to honor your SPF/DKIM
- the recipient has to have DMARC checking setup
- the recipient has to honor your DMARC instruction
-
I am setting up DMARC right now. I just moved to Office 365 and I was using the none setting, to just report on what legitimate services might be sending out. Freshdesk was the only one that I found and after spending 2 weeks with their support fixing their DKIM record configurations, I enabled quarantine on DMARC. Coincidentally, this is pretty much the exact time when Freshdesk had at least one of their IP addresses get blacklisted for sending mail.
All of our notification messages were getting quarantined by office 365 and I thought it was an issue with DMARC. Nope. What a PITA. I switched the DMARC to none again and that didn't work and finally found out from Freshdesk that they had been blacklisted.
I ended up having to create a mail flow rule to bypass spam filtering if the sender was a certain email address and the return path was several domains with freshdesk in them. That only solved our problem of quarantined notifications. Our customers are still affected. Freshdesk said that they had resolved it by getting the IP removed, but whenever I disable the mailflow rule, they start getting quarantined again.
#badtiming
