• Download our FREE True Price of Office 365 Whitepaper
  • Give us a call: 877-788-1617

    Stay in the know with the MessageOps newsletter:

    Prevent Email Spoofing: Best Practices for Prevention in your Office 365 Environment

    The more malicious varieties of email spoofing can cause serious problems and pose security risks; prevent email spoofing in your Office 365 tenant with these features

    Office 365 offers multiple different services to prevent email spoofing and phishing emails in your tenant. I will be highlighting three specific services below. It is highly recommended to setup these services to cut down on unwanted emails and internal emails being flagged as spam internally and externally.

    Sender Policy Framework (SPF)

    An SPF is a TXT record that is manually added to your DNS record. A SPF record is used to identify your mail server as a safe sender. When someone receives an email from you, their mail server will check back to that DNS entry to confirm that the individual is safe. It is possible that without this validation the recipient’s settings may outright flag the message as insecure.

    So how do you add a SPF record for your custom domain?

    With an administrator logged into your DNS they will want to add a new TXT record. The TXT can be written multiple ways, but the most common scenario is that you are fully hosted in Office 365. If that is the case, you will want to add the following:

    v=spf1 include:spf.protection.outlook.com -all

    If you are setup in a hybrid scenario there is more information that the record will require. For example, you will need the IP addresses for all on-premise message servers, as well as any third-party domains that need to be included. Microsoft provides a handy chart that lists the additional syntax’s you will need for your record.

    prevent email spoofing


    DomainKeys Identified Mail (DKIM)

    In conjunction with setting up your SPF record, you should also be using DKIM. This is another service that assists in helping to prevent spoofers from sending emails that appear to be coming from your domain. The main idea behind DKIM is that your email headers are encrypted by a private key that is published in your DNS record. When the recipient receives your email, it calls back to your DNS record to confirm it can decode that key. If confirmed it means that the email did legitimately come from your domain, thus being marked safe.

    So how do I setup DKIM?

    DKIM will actually already be setup for your original Office 365 domain (.onmicrosoft.com), but any custom domains will need to be added manually to your DNS record and then enabled in the Exchange Admin Center. For your custom domains, you will need to setup two CNAME records for each custom domain.

    Here is the format for the CNAME records:

    Host Name:                                    selector1._domainkey.<domain>

    Points to address or value:          selector1-<domainGUID>._domainkey.<initialDomain>

    TTL:                                                  3600


    Host Name:                                    selector2._domainkey.<domain>

    Points to address or value:          selector2-<domainGUID>._domainkey.<initialDomain>

    TTL:                                                  3600


    The domainGUID will need to be the same as the domainGUID in your MX record for that custom domain. It will appear before mail.protection.outlook.com.


    Example: You have an initial domain of contoso.onmicrosoft.com and a custom domain of contosotech.com.


    Host Name:                                    selector1._domainkey.contosotech.com

    Points to address or value:          selector1-contosotech-com._domainkey.contoso.onmicrosoft.com

    TTL:                                                  3600


    Host Name:                                    selector2._domainkey. contosotech.com

    Points to address or value:          selector2- contosotech-com._domainkey.contoso.onmicrosoft.com

    TTL:                                                  3600

    Once the CNAME records have been added to each custom domain, you will need to login into your Office 365 admin portal.

    • On the left-hand pane, click Admin Centers and then Exchange.

    prevent email spoofing

    • On the left-hand pane click Protection, then on the tab at the top, click DKIM.
      prevent email spoofing
    • Select the domain and click Enable.
      prevent email spoofing


    PowerShell command (alternate method):
    New-DkimSigningConfig -DomainName us.csgazure.com -Enabled $true

    Domain-based Message Authentication, Reporting and Conformance (DMARC)
     The final piece of the puzzle is DMARC which also authenticates the sender and helps to ensure that messages from your domain are trusted at their destination. The main purpose of DMARC though is to set a policy that determines what to do with the mail if it fails its authentication with DKIM or SPF.

    How do I setup DMARC?
    Well DMARC is setup automatically by Office 365 for inbound mail, so there is no extra needed configuration on that end. For outbound mail, you will need to create the following TXT record and add it to your DNS record:

    _dmarc.domain TTL IN TXT “v=DMARC1; pct=100; p=policy

    Domain = Your custom domain name (ex. Contoso.com)

    TTL = Should equal one hour (3600 seconds)

    pct = If set to 100, the rule will be used for 100% of email

    policy = The action that will be taken if DMARC fails.

    This can be setup to none, quarantine, or reject

    Example: _dmarc.contoso.com 3600 IN TXT “v=DMARC1; pct=100; p=quarantine

    Once set it is best practice to oversee the impact the policy has on inbound mail. You can adjust the TXT record as necessary to accommodate your needs.

    For more information regarding SPF, DKIM, and DMARC please read the following Microsoft articles:

    Set up SPF in Office 365 to help prevent spoofing

    Use DKIM to validate outbound email sent from your custom domain in Office 365

    Use DMARC to validate email in Office 365


    From Rob Vogl, Sr. Operations Specialist

    Ready to get started? Contact us today to learn more.