Keep email safe with Exchange TLS and cloud-based ATP

There are a bevy of native tools from Microsoft that can aid Exchange administrators in securing email messages and protecting against malicious links and attachments.

A number of technologies and services matter to an Exchange administrator securing email against threats or spying.

Whether it's email messages from unknown and malicious sources that include dangerous attachments, or the threat of data interception during transit, Exchange administrators have tools at their disposal from Microsoft that enhance Exchange email security on premises and in the cloud.

Encryption in transit via Exchange Server TLS

Protecting data in transit is a central concern for Exchange administrators. Exchange Server and Exchange Online Protection (EOP) use Transport Layer Security (TLS) to secure data in transit in several scenarios. For example, communications between two Exchange servers running the Mailbox server role are encrypted with TLS, using the self-signed certificate that is installed by default with Exchange Server. EOP also uses TLS to encrypt communications in many scenarios, such as between EOP and on-premises Exchange servers in a hybrid Exchange deployment.

It is also important to understand the concepts of opportunistic TLS and mutual TLS authentication. With opportunistic Exchange TLS, the sending host issues the STARTTLS SMTP verb and attempts to encrypt the outbound session; if the receiving host does not offer STARTTLS, the message is still sent, but in the clear. TLS offers not only a secure channel for encrypting communications but also the ability for clients to authenticate servers and for servers to authenticate clients. With mutual Exchange TLS authentication, both servers are authenticated during the session, and that process forms the foundation for Domain Security.

Microsoft's Domain Security feature is essentially a configuration between two organizations whereby encrypted and authenticated connections are deployed so that domain-secured email messages can be transferred. Once Domain Security is configured, users will see messages that have passed through these encrypted and authenticated connections displayed as Domain Secured messages in Outlook or Outlook Web App. Deploying Domain Security consists not only of the required certificate deployment for mutual TLS between the two organizations, but also of running Exchange Management Shell commands to configure the remote domains and messaging connectors involved in Domain Security.
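The Exchange Management Shell steps that enable Domain Security with one partner organization, as an added example that is not part of the article: the partner domain partner.example, the connector names and the certificate thumbprint are placeholders, and the Send connector is assumed to route by DNS rather than through a smart host.

```powershell
# Added example, not the article's own commands. Placeholders: partner.example,
# the connector names, and the certificate thumbprint.

# 0. Enable an already-installed certificate (issued by a CA the partner trusts)
#    for SMTP, so the Mailbox server presents it during the mutual TLS handshake.
Enable-ExchangeCertificate -Thumbprint "<THUMBPRINT-PLACEHOLDER>" -Services SMTP

# 1. Add the partner domain to the send and receive Domain Security lists.
#    @{Add=...} appends; passing a bare value would replace the whole list.
Set-TransportConfig -TLSSendDomainSecureList @{Add="partner.example"} `
                    -TLSReceiveDomainSecureList @{Add="partner.example"}

# 2. Require Domain Security on the Send connector that carries mail to the partner.
#    Domain Security needs DNS routing (no smart host) and STARTTLS must be honoured.
Set-SendConnector -Identity "To partner.example" `
                  -DomainSecureEnabled $true `
                  -DNSRoutingEnabled $true `
                  -IgnoreSTARTTLS $false

# 3. Require Domain Security on the Receive connector the partner connects to.
#    AuthMechanism replaces the existing list, so TLS must be included; a dedicated
#    partner connector can restrict it to TLS alone.
Set-ReceiveConnector -Identity "MBX01\From partner.example" `
                     -DomainSecureEnabled $true `
                     -AuthMechanism "TLS"

# 4. Verify the result before asking the partner to enable their side.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector -Identity "To partner.example" |
    Format-List DomainSecureEnabled, DNSRoutingEnabled, IgnoreSTARTTLS
Get-ReceiveConnector -Identity "MBX01\From partner.example" |
    Format-List DomainSecureEnabled, AuthMechanism
```

Mutual TLS only succeeds once both organizations have completed the equivalent configuration and each side trusts the CA that issued the other's certificate.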

Validation via DKIM and DMARC

To combat spoofing, organizations can consider DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), both of which are supported in Office 365. DKIM allows an organization to digitally sign a message so that the domain, such as, included in the message is associated with the organization that owns the domain and is responsible for that message.

The receiving organization validates the signature, and the result, such as a DKIM pass or fail, is stored in the Authentication-Results header of the message. Organizations can use features such as Exchange Transport Rules to act on messages and route them according to the validation result. DKIM is available to organizations that use EOP. Although EOP originally supported DKIM validation only on inbound messages over IPv6, support for DKIM validation on inbound messages over IPv4 and on outbound messages has since been added.

DMARC protects against spoofing of the 5322.From address, which is the "from" address displayed in a message within an email client. A message must first pass a DKIM or Sender Policy Framework (SPF) check, and the Simple Mail Transfer Protocol (SMTP) domain that passed that check must match the domain in the 5322.From address. The DMARC result is stored in the Authentication-Results header of the message in the same way as the DKIM result. EOP marks inbound messages that fail the DMARC check as spam.
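The transport-rule approach mentioned above, as an added example that is not from the article: a rule that tags inbound mail whose Authentication-Results header records a DKIM or DMARC failure. An Exchange Online PowerShell session is assumed, and the rule name and custom header name are placeholders.

```powershell
# Added example, not the article's own. Assumes an Exchange Online PowerShell
# session; the rule name and the X- header name are placeholders.

# EOP stamps results such as "dkim=fail" or "dmarc=fail" (alongside pass/none)
# into Authentication-Results on inbound mail. This rule surfaces those failures
# to users and downstream filters instead of leaving them buried in the headers.
New-TransportRule -Name "Tag DKIM or DMARC failures" `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns "dkim=fail", "dmarc=fail" `
    -PrependSubject "[Sender authentication failed] " `
    -SetHeaderName "X-Auth-Result-Tag" -SetHeaderValue "dkim-or-dmarc-fail" `
    -Comments "Surfaces failed DKIM/DMARC results from Authentication-Results."

# Escalation (for example -SetSCL or -Quarantine $true) is better added only
# after reviewing how often forwarded or list mail trips the rule, since
# forwarding can break DKIM signatures on otherwise legitimate messages.

# Confirm the predicate and actions were stored as intended.
Get-TransportRule -Identity "Tag DKIM or DMARC failures" |
    Format-List Name, State, HeaderMatchesMessageHeader, HeaderMatchesPatterns,
                PrependSubject, SetHeaderName, SetHeaderValue
```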

Link and attachment safety via ATP

Advanced Threat Protection (ATP) is a cloud-based service from Microsoft that provides protection against advanced threats. It protects Exchange Online mailboxes, hybrid deployments when EOP is performing inbound message filtering, or an on-premises Exchange Server deployment. ATP is included in the Office 365 Enterprise E5 plan, or it can be purchased as a separate subscription with certain Office 365 or Exchange Online plans.

Safe Attachments and Safe Links are ATP's key features for Exchange email security. To protect users from opening malicious attachments, the Safe Attachments feature evaluates suspicious attachments; any deemed unsafe are launched in a special hypervisor environment. Organizations must understand the delay that Safe Attachments can introduce into message delivery. Microsoft states that, depending on which options are configured in the Safe Attachments policy, a delivery delay of anywhere between five and 30 minutes can occur as a result of the time the service takes to evaluate and act on attachments. A message tracing facility gives the Exchange administrator information on the messages and attachments that Safe Attachments has processed and blocked.

Safe Links is a feature that shields users from malicious links contained in an email message. If a link in a message points to a website that is recognized as malicious, users are directed to a warning page rather than to the malicious website. The feature can also be configured to allow users to click through to the original link, even if it was flagged as malicious. When using Safe Links, be aware that the redirection to the warning page introduces a delay in the users' web browsing experience. A URL tracing facility gives information on the links Safe Links has processed, permitting administrators and IT and security managers to better understand the types of malicious links that have been clicked, as well as whether users chose to click through the warning page.
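An added example, not from the article, of creating Safe Attachments and Safe Links policies from Exchange Online PowerShell that address the delivery delay and click-through behaviour described above. The policy and rule names and the domain contoso.example are placeholders; the Safe Links parameter names are assumed, since Microsoft has renamed them across ATP releases, so confirm them with Get-Help before running.

```powershell
# Added example, not the article's own. Assumes an Exchange Online PowerShell
# session; policy/rule names and contoso.example are placeholders.

# Safe Attachments: detonate suspicious attachments but deliver the message body
# at once (DynamicDelivery), which limits the 5-30 minute delivery delay; the
# attachment is reattached once it is judged safe, and blocked files are
# redirected to a mailbox the security team reviews.
New-SafeAttachmentPolicy -Name "Detonate attachments" `
    -Enable $true `
    -Action DynamicDelivery `
    -Redirect $true `
    -RedirectAddress "secops-review@contoso.example"

New-SafeAttachmentRule -Name "Detonate attachments - all users" `
    -SafeAttachmentPolicy "Detonate attachments" `
    -RecipientDomainIs "contoso.example"

# Safe Links: rewrite URLs, block click-through on the warning page and keep
# click records so the URL trace has data. (Parameter names are assumed; they
# have been renamed across releases, so check Get-Help New-SafeLinksPolicy.)
New-SafeLinksPolicy -Name "Rewrite links" `
    -IsEnabled $true `
    -DoNotAllowClickThrough $true `
    -DoNotTrackUserClicks $false

New-SafeLinksRule -Name "Rewrite links - all users" `
    -SafeLinksPolicy "Rewrite links" `
    -RecipientDomainIs "contoso.example"

# URL trace: which rewritten links were clicked in the last seven days, and
# whether the user continued past the warning page.
Get-UrlTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Format-List
```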
