Awkward spams and the way ahead for Office 365
Preventing spoofing has been a challenge for most email admins with large organizations, considering how quickly it can get out of control. From a silly email that the CEO receives to masses of blatant attacks on companies you email often, nothing creates panic like spoofing does.
Like me, you’d probably dismiss this quickly since all it needs is a look at the headers to tell you where the email came from. What then? You block the offending sender and go about your business.
The trouble comes when the spoofed emails actually end up at a client’s rather than your own email system that you can control. So you chase after their IT teams and get the spammer blocked. For now. But how do you prevent this from happening again? How do you move on from slapping a band aid every time the users come complaining?
Why SPF record is not working
Sender Policy Framework is very specific and, let’s face it, Microsoft has not given you much of a choice if your filtering and email systems are run by them.
SPF needs you to rely on DNS — a not very secure system by itself. And it needs each party to use Sender Filtering, which you cannot guarantee.
SPF validates an email by letting the receiving party verify its source IP address and if it doesn’t match, the Sender Filtering on their gateway servers then decides if the email is accepted or rejected.
So you set up the SPF record, and pray the other party is using Sender Filtering. Even if they do, unless your record specifies the type of action to take, none of it proves useful.
What DKIM and DMARC can do
Microsoft has been rolling out DKIM and DMARC usage, which — if you are to believe the statistics here — is proving to be quite useful.
Domain Keys Identified Mail allows the hosting system to claim some responsibility and take over security for outbound email — something that Office 365’s Exchange Online Protection has been lacking in. Emails are stamped with an encrypted signature that the receiving systems can then decrypt by querying the sending domain’s DNS.
The encryption is cleverly inserted only in the headers, and thus fares better than previous methods of encryption. S/MIME, for example, comes in a format most systems don’t understand, allowing for easier corruption and loss of data.
DMARC works similar to SPF by using the domain name, but it uses the ‘From’ address, instead of ‘Mail From’ — where SPF largely fails.
It also let’s the sender declare how an email can be processed if either SPF or DKIM check fails for a receiving server. It sounds highly similar to how SPF lets the recipient decide based on a Hard or Soft fail. But, an additional layer of filtering harmed no one, right?
Specifically, DMARC targets improving domain reputation, something that the evolution of Content Filtering in Exchange has been focusing on but hasn’t had a way to properly implement. Until now.
In a recent post, Office 365 confirms DKIM is being rolled out for outbound emails as well.
With Microsoft finally deciding to include DKIM and DMARC, DKIM specifically being rolled out for Office 365 right now, EOP finally seems to be catching up to its competitors.