Exchange Online Protection adds tools to fight spammers

Secure your email with EOP tools like DKIM and DMARC that verify incoming messages aren't spam or spoofs. Avoid unauthorized email with digital signatures and authenticated domains.

Exchange Online Protection is a Microsoft email security service in the cloud. With DKIM and DMARC, EOP ensures your email is protected from spammers and viruses.

Exchange Online Protection (EOP) is the email filtering tool that all Office 365 tenants use. Microsoft constantly updates the feature set to better combat spam and virus email attacks through email hygiene for its thousands of customers.

Two of the new features worth looking into are DomainKeys Identified Mail (DKIM) and Domain-based Messaging and Reporting Compliance (DMARC). Let's take a look at the benefits these features offer.

DomainKeys Identified Mail protection

DKIM is a public-key signing method that works alongside Sender Policy Framework (SPF) by tying each message to the sending domain. A domain's SPF record lists the servers that are authorized to send email on its behalf. When a receiving server gets a message from a domain that publishes an SPF record, it checks whether the message arrived from one of those authorized servers. If it did not, the email is most likely spam.
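To make the SPF check described above concrete, here is an added Python example (not code from Microsoft or from this article) that evaluates the ip4, ip6 and all mechanisms of an SPF record against a sender IP. The records, domain names and addresses are constructed for the example; a real receiver would fetch the TXT record of the 5321.MailFrom domain from DNS and would also follow a, mx, include and redirect mechanisms, which this example skips.

```python
import ipaddress

# Constructed SPF records for hypothetical domains; a real receiver would
# fetch the TXT record of the 5321.MailFrom domain from DNS instead.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "strict.example": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for the DNS TXT query (constructed data, no network)."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(sender_ip, mailfrom_domain, lookup=lookup_spf):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one sender IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms that need further DNS lookups (a, mx, include, redirect)
    are not evaluated here, so records relying on them fall through to neutral.
    """
    record = lookup(mailfrom_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"          # the domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"        # a matched mechanism means "pass" unless qualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]   # "all" matches every sender
        if term.lower().startswith(("ip4:", "ip6:")):
            try:
                network = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"
```

The qualifier on the final `all` term is what decides the verdict for every unlisted sender: `-all` yields a hard fail, `~all` a softfail, which is why a receiver's Authentication-Results header can say spf=softfail rather than spf=fail for the same unauthorized IP.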

DKIM adds a digital signature to the email that your domain sends. The receiving server checks whether the signature is valid. If it is, the email has not been modified in transit and comes from a genuine sender.

Since SPF records for any email domain are publicly available, spammers can craft messages that appear to come from the listed IP addresses. DKIM helps to block those messages by letting recipient servers check for a valid signature in the email headers.

DomainKeys Identified Mail uses the Domain Name System (DNS) to publish the public key so that anyone can validate a DKIM signature. When a user sends an email, the sending server computes a cryptographic signature with the private key and places it in the message headers. The recipient server then validates that header with the public key.

Major email providers like Google have offered DKIM for years, and Microsoft is catching up by rolling out the feature in Exchange Online Protection. Email admins do not need to do anything on their Office 365 tenant for inbound DKIM checks to work. If you want to test the feature, send an email from your Google account to your Office 365 mailbox and analyze the message headers.

The Authentication-Results header should summarize the DKIM checks performed by Exchange Online Protection:

    Authentication-Results: spf=pass (sender IP is
     smtp.mailfrom=gmail.com; theucguy.onmicrosoft.com; dkim=pass (signature
     was verified) header.d=gmail.com;infraexperts.onmicrosoft.com; dmarc=pass
     action=none header.from=gmail.com;

If a message fails DKIM verification, the header will say dkim=fail, with the reason (such as invalid body hash, key query timeout or no key for signature) in parentheses.
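The "invalid body hash" failure mentioned above comes from the first step of DKIM verification: the receiver recomputes the hash of the message body and compares it with the bh= tag of the DKIM-Signature header. The following Python example is added here to show that step; it is not Microsoft's code or code from this article. It implements the RFC 6376 simple and relaxed body canonicalizations and the tag parsing of a DKIM-Signature header, but stops short of verifying the b= tag itself, which additionally needs the public key from the selector._domainkey.domain TXT record and an RSA library. The header values and message body are constructed.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split the tag=value list of a DKIM-Signature header into a dict.
    Folding whitespace inside values (common in b= and bh=) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing
    empty lines removed, and the body always ends with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def canonicalize_body_relaxed(body):
    """RFC 6376 'relaxed' body canonicalization: trailing whitespace per line
    removed, runs of spaces/tabs collapsed to one space, then the simple rules."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    return canonicalize_body_simple("\n".join(lines))


def body_hash(body, algorithm="sha256", canon="simple"):
    """Base64 body hash exactly as it appears in the bh= tag."""
    canonicalize = canonicalize_body_relaxed if canon == "relaxed" else canonicalize_body_simple
    digest = hashlib.new(algorithm, canonicalize(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_body_hash(dkim_header, body):
    """Recompute bh= for a message body and compare it with the signature.

    Returns a (result, detail) pair in the style of an Authentication-Results
    header. Only the body-hash step is performed; verifying the b= tag needs
    the public key published at <s>._domainkey.<d> and is out of scope here.
    """
    tags = parse_dkim_signature(dkim_header)
    if tags.get("v") != "1":
        return ("permerror", "unsupported version")
    missing = [t for t in ("a", "b", "bh", "d", "s", "h") if t not in tags]
    if missing:
        return ("permerror", "missing tag " + ",".join(missing))
    algorithm = tags["a"].split("-")[-1]              # rsa-sha256 -> sha256
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"   # c=relaxed alone means relaxed/simple
    if body_hash(body, algorithm, body_canon) != tags["bh"]:
        return ("fail", "invalid body hash")
    return ("pass", "body hash verified; signature b= not checked")
```

A mailing list or gateway that appends a footer or re-wraps the body changes the canonicalized bytes, so the recomputed hash no longer matches bh= and the receiver reports exactly the "invalid body hash" reason the article lists; the relaxed canonicalization tolerates whitespace changes but not content changes.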

Domain-based Messaging and Reporting Compliance

DMARC is designed to prevent email spoofing and is also useful against phishing attacks. Spammers often spoof the "From" (5322.From) address, which is the one displayed in email clients such as Outlook.

If you use a consumer email service like Hotmail or Gmail, you may have received an email from your own email address -- a typical example of spoofing 5322.From.

The 5321.MailFrom address is the one used to check SPF records. A typical spoofed message header is shown below:

    5321.MailFrom: [email protected]
    5322.From: [email protected]
    Subject: Hello

Domain-based Messaging and Reporting Compliance protects users by evaluating the SPF and DKIM results and then checking whether either authenticated domain matches the domain in the 5322.From address. In the example above, the spammer publishes an SPF record for abc.com that lists the IP address he or she sends from, so the receiver's SPF check passes; but because abc.com does not match xyz.com, the message fails DMARC.

The Authentication-Results header shown above also records the DMARC verdict (dmarc=pass action=none). If DMARC fails, the sending domain's policy tells the recipient server whether to quarantine or reject the message.


Exchange Online Protection has DMARC checking enabled and adds its results to the headers of incoming messages. DMARC policies are published as DNS TXT resource records and instruct email receivers what to do with mail that fails DMARC.

For messaging admins who have been around for a while, EOP is the rebranded version of Forefront Online Protection for Exchange.

Let's examine the DMARC record for Microsoft:

_dmarc.microsoft.com.   3600    IN      TXT     "v=DMARC1; p=none; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"

The "p" tag sets the policy for the organizational domain; its possible values are none, quarantine and reject. "pct" is the percentage of failing messages the policy is applied to, "rua" specifies where to send the aggregate reports and "ruf" where to send per-message failure reports.

If DMARC fails, Microsoft's record instructs the recipient server to take no action and to send aggregate reports to Agari, a third-party security company. A "p" value of quarantine or reject tells the recipient server to quarantine or reject the email, respectively. A DMARC record requires only the "v" (version) and "p" (policy) tags.
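Bringing together the alignment rule explained in the abc.com/xyz.com example and the policy tags just described, here is an added Python example (not Microsoft's code and not part of this article) that parses a _dmarc TXT record and evaluates a message the way a receiver does: a message passes DMARC when SPF or DKIM passed and the authenticated domain aligns with the 5322.From domain; otherwise the record's p= value is the requested action. It goes slightly beyond the article by handling the adkim/aspf alignment modes (relaxed by default, strict on request). The organizational-domain helper uses a tiny constructed suffix list as a stand-in for the Public Suffix List, and all domains and records below are constructed.

```python
# Constructed stand-in for the Public Suffix List; real receivers use the full list.
PUBLIC_SUFFIXES = ("com", "net", "org", "co.uk")


def organizational_domain(domain):
    """Organizational domain as DMARC uses it for relaxed alignment:
    one label more than the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=lambda s: -s.count(".")):
        n = suffix.count(".") + 1
        if labels[-n:] == suffix.split(".") and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts any domain with the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_dmarc_record(txt):
    """Parse a _dmarc TXT record. Returns None unless v=DMARC1 and a valid p= are present,
    which are the only two required tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_result, requested_action) for one message.

    spf_domain is the 5321.MailFrom domain, dkim_domain the d= of a verified
    signature (None if there was none), from_domain the 5322.From domain,
    record the TXT value found at _dmarc.<from_domain> (None if absent).
    """
    policy = parse_dmarc_record(record) if record else None
    if policy is None:
        return ("none", "none")           # no usable policy: nothing to enforce
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_aligned or dkim_aligned:
        return ("pass", "none")
    # pct= below 100 asks the receiver to apply p= to only that share of failing
    # mail; the sampling step is left out here, so the full policy is returned.
    return ("fail", policy["p"])
```

Run against the article's spoof (SPF passing for abc.com while the From domain is xyz.com), the function reports a DMARC failure and hands back whatever the xyz.com record's p= says; with a p=none record like Microsoft's, the failure is still recorded in the header but no action is requested.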

Exchange Online Protection with SPF, DKIM and DMARC checks makes the spammer's life much more difficult.
