In today’s environment, everything requires some type of authentication. Whether you need a driver license or an alternate form of identification or, you are paying with your debit card and must have a pin. In order to accomplish these tasks, you must be able to prove you are who you say you are.  In the world of emails, the reality is the same. To be able to penetrate the walls of ISP filters, you must prove you are a legitimate and authorized sender. You need to be able to prove you are not sending on behalf of someone or need to prove your identity has not been compromised. By utilizing SPF, DKIM, and DMARC you will be able to detect, protect, and help prevent spam and spoofing.

laptop screen graphic

SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) are three systems that should be implemented in your Office 365 tenant to best prevent spoofing and to validate emails sent and received from your organization.  When configured correctly these systems will declare and verify who can send e-mails from a given domain, authenticate emails based on asymmetric cryptographic keys, and help determine what to do when an email fails SPF or DKIM checks.  These systems are essential to preventing spoofing, reducing the chances that your message is treated as spam by a digital signature, and to help the receiving organization decide what to do with an e-mail that fails previous checks and create a feedback loop to allow course correction.

When setting up your custom domain in Office 365, Microsoft requires that a SPF TXT record must be added to your DNS to prevent spoofing.  The function of SPF is to select which mail servers are authorized to send mail on your organization’s behalf.  Recipient mail systems will then refer to the SPF TXT record to ensure that a message coming from your domain is verified to be coming from the authorized server the SPF selected.  For example, A SPF TXT record is added to that lists the Office 365 email servers as authorized.  A user at sends an email to a user at, the receiving messaging server will look up the SPF TXT record for to ensure it is coming from a listed server.  If the receiving server sees that the sending mail server is not listed on SPF TXT record, the mail will be regarded as spam.

DKIM is used to help prevent spoofers from sending emails that look like they are coming from your domain.  A digital signature is added to your message header when DKIM is configured.  This signature also authorizes your domain to associate or sign its name to an email message by using cryptographic authentication.  Allowing systems that receive your email to use the digital signature to determine if the email is legitimate.  This works by using a private key to encrypt the header in your domain’s outgoing email.  Next a public key is published in your domain’s DNS record so receiving servers can decode the signature.  The public key is used to verify the email are truly coming from the sender and not someone spoofing the domain.  Microsoft creates a private and public key pair, enables DKIM signing, and configures the Office 365 default policy for your custom domain upon tenant creation, but Microsoft does recommend manual configuration of DKIM for custom domains if the following circumstances are met:

  • You have more than one custom domain in Office 365
  • You’re going to set up DMARC too (recommended)
  • You want control over your private key
  • You want to customize your CNAME records
  • You want to set up DKIM keys for email originating out of a third-party domain, for example, if you use a third-party bulk mailer.

Lastly, the addition of using DMARC in conjunction with SPF and DKIM to authenticate mail senders and ensure that destination email systems trust messages sent from your domain.  DMARC assists receiving mail systems to determine what to do with messages sent from your domain that fail SPF or DKIM checks.  Like the SPF records, DMARC is a DNS TXT record.  DMARC TXT records validate the origin of email messages by verifying the IP address of an email’s author against the alleged owner of the sending domain.  The DMARC TXT record identifies authorized outbound email servers.  Destination email systems can then verify that messages they receive originate from authorized outbound email servers.

Spam and spoofed mail have been a hindrance to IT administration since the inception of email correspondence.  These types of messages are being sent more and more every day, and even with the amount of anti-spam tools, there is still a very high amount of these messages being processed.  The adoption of these three new tools detecting, protecting, and preventing spam and spoof messages can be done with ease.

For more information visit our Ironscales product page.

Was this article helpful?