DKIM records Office 365
-
@joel said in DKIM records Office 365:
Hi Guys
I was asked to setup DKIM records for Office 365.
I dont know exactly what this is but understand it helps stop spoofing. Can someone advise what records / where i find the necessary records to set this up?
Thanks in advanceDKIM only helps if the recipient server is using it. So whoever told you what it does is not exactly correct.
-
Microsoft’s instructions
https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx -
You only need to do this if you want to set your own key.. If you do nothing, MS automatically creates a private and public key pair and enables DKIM signing.
-
set our own key?
-
@joel said in DKIM records Office 365:
set our own key?
If you don't want MS to know your private key, you can do this all manually and configure it yourself. When you use DKIM and send a message your private key will be used to generate an encrypted signature. The receiving mail server (if it supports DKIM) will use your public key to decrypt the signature.
If you do nothing MS generates these keys automatically for you and enables DKIM.
-
@joel said in DKIM records Office 365:
I was asked to setup DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
-
@bigbear said in DKIM records Office 365:
@joel said in DKIM records Office 365:
I was asked to setup DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
Most likely he was asked because someone hear dabout some shiny new thing and said do it.
DKIM and SPF help so little IMO.
-
@jaredbusch said in DKIM records Office 365:
@bigbear said in DKIM records Office 365:
@joel said in DKIM records Office 365:
I was asked to setup DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
Most likely he was asked because someone hear dabout some shiny new thing and said do it.
DKIM and SPF help so little IMO.
Exactly - email vendors don't want to be accused of not delivering mail.. so they can't really live and die by DKIM and SPF.
-
@dashrender said in DKIM records Office 365:
@jaredbusch said in DKIM records Office 365:
@bigbear said in DKIM records Office 365:
@joel said in DKIM records Office 365:
I was asked to setup DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
Most likely he was asked because someone hear dabout some shiny new thing and said do it.
DKIM and SPF help so little IMO.
Exactly - email vendors don't want to be accused of not delivering mail.. so they can't really live and die by DKIM and SPF.
My guess is that it is mostly used by SMBs where people tend to get overly concerned about security, mistake how email works and think that things like this are some sort of requirement, and start blocking anyone not doing it.
-
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@jaredbusch said in DKIM records Office 365:
@bigbear said in DKIM records Office 365:
@joel said in DKIM records Office 365:
I was asked to setup DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
Most likely he was asked because someone hear dabout some shiny new thing and said do it.
DKIM and SPF help so little IMO.
Exactly - email vendors don't want to be accused of not delivering mail.. so they can't really live and die by DKIM and SPF.
My guess is that it is mostly used by SMBs where people tend to get overly concerned about security, mistake how email works and think that things like this are some sort of requirement, and start blocking anyone not doing it.
So what's the big boys solution to spam then?
-
@dashrender SPF and DKIM
You can easily verify this by going to something like mxtoolbox to look for TXT records of large companies. -
@dashrender said in DKIM records Office 365:
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@jaredbusch said in DKIM records Office 365:
@bigbear said in DKIM records Office 365:
@joel said in DKIM records Office 365:
I was asked to setup DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
Most likely he was asked because someone hear dabout some shiny new thing and said do it.
DKIM and SPF help so little IMO.
Exactly - email vendors don't want to be accused of not delivering mail.. so they can't really live and die by DKIM and SPF.
My guess is that it is mostly used by SMBs where people tend to get overly concerned about security, mistake how email works and think that things like this are some sort of requirement, and start blocking anyone not doing it.
So what's the big boys solution to spam then?
Useful things Like actually scanning the email to look for patterns. DKIM and SPF aren't bad, but they're unofficial and don't address the actual problem but attempt to address an artefact of the problem. And they do literally nothing against the worst spammers, like Source Media, who use all addresses covered by things like this.
-
@scottalanmiller Who isnt doing content scanning for incoming emails? Does such a place even exist?
-
@momurda said in DKIM records Office 365:
@scottalanmiller Who isnt doing content scanning for incoming emails? Does such a place even exist?
Even free solutions do that now. And have for a long time, actually. In 2003 it was a standard feature on a "build it yourself" system.
DKIM and SPF do so little to influence spam receipt. If you aren't scanning, you must get flooded with stuff.
-
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@jaredbusch said in DKIM records Office 365:
@bigbear said in DKIM records Office 365:
@joel said in DKIM records Office 365:
I was asked to setup DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
Most likely he was asked because someone hear dabout some shiny new thing and said do it.
DKIM and SPF help so little IMO.
Exactly - email vendors don't want to be accused of not delivering mail.. so they can't really live and die by DKIM and SPF.
My guess is that it is mostly used by SMBs where people tend to get overly concerned about security, mistake how email works and think that things like this are some sort of requirement, and start blocking anyone not doing it.
So what's the big boys solution to spam then?
Useful things Like actually scanning the email to look for patterns. DKIM and SPF aren't bad, but they're unofficial and don't address the actual problem but attempt to address an artefact of the problem. And they do literally nothing against the worst spammers, like Source Media, who use all addresses covered by things like this.
But so far even ML has an SPF, so it wouldn't be that bad eh?
-
Also the MX records need to be updated since you don't need to prove ownership anymore:
-
@dbeato said in DKIM records Office 365:
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@jaredbusch said in DKIM records Office 365:
@bigbear said in DKIM records Office 365:
@joel said in DKIM records Office 365:
I was asked to setup DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
Most likely he was asked because someone hear dabout some shiny new thing and said do it.
DKIM and SPF help so little IMO.
Exactly - email vendors don't want to be accused of not delivering mail.. so they can't really live and die by DKIM and SPF.
My guess is that it is mostly used by SMBs where people tend to get overly concerned about security, mistake how email works and think that things like this are some sort of requirement, and start blocking anyone not doing it.
So what's the big boys solution to spam then?
Useful things Like actually scanning the email to look for patterns. DKIM and SPF aren't bad, but they're unofficial and don't address the actual problem but attempt to address an artefact of the problem. And they do literally nothing against the worst spammers, like Source Media, who use all addresses covered by things like this.
But so far even ML has an SPF, so it wouldn't be that bad eh?
It doesn't hurt to have it. But it's not very important.
-
@scottalanmiller said in DKIM records Office 365:
@dbeato said in DKIM records Office 365:
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@scottalanmiller said in DKIM records Office 365:
@dashrender said in DKIM records Office 365:
@jaredbusch said in DKIM records Office 365:
@bigbear said in DKIM records Office 365:
@joel said in DKIM records Office 365:
I was asked to setup DKIM records for Office 365.
Unless, are they asking you to configure DKIM so that another service you are using can send email on behalf of your domain?
Most likely he was asked because someone hear dabout some shiny new thing and said do it.
DKIM and SPF help so little IMO.
Exactly - email vendors don't want to be accused of not delivering mail.. so they can't really live and die by DKIM and SPF.
My guess is that it is mostly used by SMBs where people tend to get overly concerned about security, mistake how email works and think that things like this are some sort of requirement, and start blocking anyone not doing it.
So what's the big boys solution to spam then?
Useful things Like actually scanning the email to look for patterns. DKIM and SPF aren't bad, but they're unofficial and don't address the actual problem but attempt to address an artefact of the problem. And they do literally nothing against the worst spammers, like Source Media, who use all addresses covered by things like this.
But so far even ML has an SPF, so it wouldn't be that bad eh?
It doesn't hurt to have it. But it's not very important.
I would say that SenderID is dead, hence SPF has little affect on the initial delivery of your email and is only used when someone is replying to your message.
DMARC and DKIM are more relevant to setup with your primary provider and has benefits.
But I think Scott is saying SPF and even DKIM do little to actually stop spam, and SenderID is a dead project so SPF does nothing at all. And I agree.
-
Loving the discussion. Yes you're correct we were asked by a SMB to enable it because they suffered some spoofing emails recently. ie someone internally (and externally) received an email appearing to be from someone inside the office and was in reference to obtaining card details etc.
So in a nutshell, whats actually the different between DKIM and SPF? Office 365 give you the DNS records to apply when you set it up and give you the SPF by default. If DKIM was better/more important you'd expect them to add that in also when you setup the tenant?
I have a meeting with the client today so will discuss it more with them. Apparently the CEO's friend works for Google security and said they should enable the DKIM records hence why they asked us to do so.
thanks
-
I am willing to bet the email that was spoofed used OAUTH or some other attack method. You should really dig past this for more details and get the original messages, would love to see the headers from the spoofed messages.
Its great that "bobs nephew is google security" but insist that they let you do your job.
Quick reference:
DMARC: Tells remote servers if your domain is using SPF and/or DKIM
SenderID: Was like caller ID for SPF, but caused a lot of grief.
SPF: Almost irrelevant since the failure of
SPFSenderIDDKIM: Uses a public/private key setup similar to PGP that uses domain keys for key exchange and sends an encrypted signature that can be decrypted and validated from a public key.
None of these are going to do much to block the types of attacks you would see these days.