DKIM records Office 365
-
Also the MX records need to be updated since you don't need to prove ownership anymore:
-
@dbeato said in DKIM records Office 365:
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@jaredbusch said in DKIM records Office 365:
@bigbear said in DKIM records Office 365:
@joel said in DKIM records Office 365:
I was asked to set up DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
Most likely he was asked because someone heard about some shiny new thing and said do it.
DKIM and SPF help so little IMO.
Exactly - email vendors don't want to be accused of not delivering mail, so they can't really live and die by DKIM and SPF.
My guess is that it is mostly used by SMBs where people tend to get overly concerned about security, mistake how email works and think that things like this are some sort of requirement, and start blocking anyone not doing it.
So what's the big boys' solution to spam then?
Useful things like actually scanning the email to look for patterns. DKIM and SPF aren't bad, but they're unofficial and don't address the actual problem but attempt to address an artefact of the problem. And they do literally nothing against the worst spammers, like Source Media, who use all addresses covered by things like this.
But so far even ML has an SPF, so it wouldn't be that bad eh?
It doesn't hurt to have it. But it's not very important.
-
I would say that SenderID is dead, hence SPF has little effect on the initial delivery of your email and is only used when someone is replying to your message.
DMARC and DKIM are more relevant to set up with your primary provider and have benefits.
But I think Scott is saying SPF and even DKIM do little to actually stop spam, and SenderID is a dead project so SPF does nothing at all. And I agree.
-
Loving the discussion. Yes, you're correct, we were asked by an SMB to enable it because they suffered some spoofing emails recently, i.e. someone internally (and externally) received an email appearing to be from someone inside the office and was in reference to obtaining card details etc.
So in a nutshell, what's actually the difference between DKIM and SPF? Office 365 gives you the DNS records to apply when you set it up and gives you the SPF by default. If DKIM was better/more important you'd expect them to add that in also when you set up the tenant?
I have a meeting with the client today so will discuss it more with them. Apparently the CEO's friend works for Google security and said they should enable the DKIM records hence why they asked us to do so.
thanks
-
I am willing to bet the email that was spoofed used OAUTH or some other attack method. You should really dig past this for more details and get the original messages, would love to see the headers from the spoofed messages.
It's great that "Bob's nephew is Google security" but insist that they let you do your job.
Quick reference:
DMARC: Tells remote servers if your domain is using SPF and/or DKIM
SenderID: Was like caller ID for SPF, but caused a lot of grief.
SPF: Almost irrelevant since the failure of SenderID
DKIM: Uses a public/private key setup similar to PGP that uses domain keys for key exchange and sends an encrypted signature that can be decrypted and validated from a public key.
None of these are going to do much to block the types of attacks you would see these days.
-
What do you mean failure of SPF? The only failure in SPF I see is from people using Office 365, where anybody in the world using Office 365 can pass SPF checks for anybody else using Office 365. For people not using Office 365 SPF is great. I turned on SPF when I started here, instantly stopped all the fake company emails to customers and internal users.
-
@momurda said in DKIM records Office 365:
What do you mean failure of SPF? The only failure in SPF I see is from people using Office 365, where anybody in the world using Office 365 can pass SPF checks for anybody else using Office 365. For people not using Office 365 SPF is great. I turned on SPF when I started here, instantly stopped all the fake company emails to customers and internal users.
Should say because of the failure of SenderID.
And because SenderID is dead SPF is crippled to do what you claim. Also what spoof emails were you getting en masse, from what domains?
And Office 365 is not crippled by this, this would be a failure to configure policy and use of DMARC. The same is true of any mass email provider like G Suite.
Sorry for brevity - on mobile
-
@momurda said in DKIM records Office 365:
What do you mean failure of SPF?
Failed to take off, perhaps.
-
@scottalanmiller said in DKIM records Office 365:
@momurda said in DKIM records Office 365:
What do you mean failure of SPF?
Failed to take off, perhaps.
See original post I corrected it, failure of SenderID made SPF a lot less meaningful, and no one has attempted a replacement.
So the reply address is only validated when the recipient replies....
-
@bigbear said in DKIM records Office 365:
DMARC: Tells remote servers if your domain is using SPF and/or DKIM
DMARC tells remote servers what to do with inbound mail that fails an SPF or DKIM check.
It does not tell remote servers if you are using it.
DMARC cannot be implemented without SPF and/or DKIM already in place.
So this means, in order for DMARC to do jack shit, all of these conditions have to be true.
- you have to have SPF/DKIM set up.
- you have to have DMARC set up.
- the recipient has to have SPF/DKIM checking set up
- the recipient has to honor your SPF/DKIM
- the recipient has to have DMARC checking set up
- the recipient has to honor your DMARC instruction
-
I am setting up DMARC right now. I just moved to Office 365 and I was using the none setting, to just report on what legitimate services might be sending out. Freshdesk was the only one that I found and after spending 2 weeks with their support fixing their DKIM record configurations, I enabled quarantine on DMARC. Coincidentally, this is pretty much the exact time when Freshdesk had at least one of their IP addresses get blacklisted for sending mail.
All of our notification messages were getting quarantined by Office 365 and I thought it was an issue with DMARC. Nope. What a PITA. I switched the DMARC to none again and that didn't work and finally found out from Freshdesk that they had been blacklisted.
I ended up having to create a mail flow rule to bypass spam filtering if the sender was a certain email address and the return path was several domains with freshdesk in them. That only solved our problem of quarantined notifications. Our customers are still affected. Freshdesk said that they had resolved it by getting the IP removed, but whenever I disable the mail flow rule, they start getting quarantined again.
#badtiming
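-
An added example, not part of any post in this thread: a simplified sketch of the receiver-side DMARC decision discussed above (SPF checks the envelope sender, DKIM the signing domain, and DMARC requires one of them to pass and align with the visible From domain before the published policy is skipped). The function names, domains and records are constructed for illustration, and organizational-domain matching is reduced to the last two labels, where real receivers use the Public Suffix List.

```python
# Added example: simplified receiver-side DMARC evaluation (RFC 7489 logic).
# Every domain and record below is constructed sample data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels stand in for the
    # organizational domain; production code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    if mode == "s":  # strict alignment: exact match only
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed

def dmarc_disposition(record, header_from, spf_result, mail_from, dkim_result, dkim_d):
    """Return what a DMARC-honoring receiver does with one message."""
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "no-policy"  # receiver falls back to its own filtering
    spf_ok = spf_result == "pass" and aligned(header_from, mail_from, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_d, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"  # constructed

if __name__ == "__main__":
    # Visible From is example.com, but SPF only passed for the envelope domain.
    print(dmarc_disposition(RECORD, "example.com", "pass", "other-sender.test", "none", ""))
    # Third-party helpdesk sending for example.com with an aligned DKIM signature.
    print(dmarc_disposition(RECORD, "example.com", "pass",
                            "bounce.helpdesk-vendor.test", "pass", "example.com"))
    # Same spoofed message when the domain publishes no DMARC record at all.
    print(dmarc_disposition(None, "example.com", "pass", "other-sender.test", "none", ""))
```

The second case is why a third-party sender needs a DKIM signature for your domain before you move from `p=none` to `p=quarantine`: its SPF pass is for its own bounce domain and does not align.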