- Fotolia


Authenticating email in Exchange for brand protection

With help from the combined use of the SPF, DKIM and DMARC technologies, Exchange administrators can curb email spoofing to protect users and the company brand.

It only takes one user clicking on a phishing email to disrupt a company -- and to damage its reputation. But administrators can utilize technologies for authenticating emails in Exchange to stop these malicious attacks.

An enterprise that wants to prevent a security breach can implement Exchange email authentication protocols in tandem with the platform's encryption features to protect the company's reputation.

Email brand protection keeps malicious actors from using your company name for some disreputable scheme. Brand abuse occurs on a regular basis. Let's look at some examples.

  • Have you ever received an email from your credit card company, but the language or wording wasn't quite right? You might look closely at the sender address and notice it didn't come from your credit card company.
  • Has your CEO ever received an email requesting money from what looks like your accounting department? Again, the language or format of the message probably made it very clear this wasn't an internal message, but the fact that some external party sent it and your CEO received it is a problem.
  • Has a user clicked a link in an email that took them to a website where they filled in personal information only to find out the site was fake?

These are only a few examples of how a person outside of your organization can send an email that abuses your company brand. To thwart these attempts, your technical teams can employ technologies for authenticating email -- specifically SPF, DKIM and DMARC.

Get started with SPF

We're not talking about the sun protection found in sunscreen; SPF stands for Sender Policy Framework. SPF is a domain name system (DNS) TXT record entry that can be added to your external DNS. SPF is a great step toward brand protection because it can detect address spoofing.

SPF is a great step toward brand protection because it can detect address spoofing.

Your SPF TXT record should include an entry for your organization and the IP address and DNS name of any third party allowed to send email with your domain name. If your SPF TXT record is accurate, then this is one step toward allowing legitimate email to flow and blocking the messages that could harm your brand.

However, there are some limitations with SPF TXT records in Exchange. You can only have up to 10 DNS-based entries, so it's helpful to see what other brand protection options are available, as SPF records will reach their limit quickly.

How DKIM signatures stop spoofing

DomainKeys Identified Mail (DKIM) signatures place a domain-based signature in the message header that identifies the message as internal to prevent email spoofing attempts. A DKIM signature offers additional brand protection with the proper setup.

How to set up DMARC in Office 365

To set up DKIM for authenticating email, your technical team needs to enable DKIM signatures in the external email gateway. From there, the system generates a DKIM signature that you should set up in your external DNS. This setup in both areas proves that the DKIM signature in your message header belongs to your organization.

Third-party companies that you allow to send email as your organization can also use DKIM signatures. The company just needs to generate a DKIM signature for the messages that they will send under your domain, then your administrators need to add it to the external DNS. Not all third-party cloud providers offer this, so be sure to ask about it.

Last, but not least, we have DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is the key ingredient that enables SPF and DKIM to work at their highest level.

When a DMARC external DNS record is in place, it gives the organization a way to report on and understand the level of brand abuse. This reporting shows both valid messages and the brand abuse messages that would not be visible otherwise.

With DMARC enabled, you get the flexibility to use either DKIM or SPF, meaning if a message passes SPF or DKIM, then it will pass. With the limitations of SPF records, the ability to use DKIM instead is a great option.

Be aware of potential issues with authenticating email measures

The combined use of SPF, DKIM and DMARC offers the highest level of brand protection.

Authenticating email can lead to some harmful side effects, so be sure to test your setup. You can configure DMARC and SPF for detection only to determine any issues that might occur when they are fully implemented. I strongly encourage you to use a third-party reporting tool to clarify why certain messages are stopped if you use SPF and DMARC.

A good tool can help you add valid messages to your SPF record and DKIM signatures prior to enforcing DMARC. Take a measured testing approach to prevent business user impact.

Dig Deeper on Microsoft messaging and collaboration

Cloud Computing
Enterprise Desktop
Virtual Desktop