On their security blog on the 3rd of June 2019, Microsoft announced that Valimail Monitor for Office 365 is available. This option enables organizations using Exchange Online from Office 365 for their company mail to leverage DMARC.
The Road to securing E-Mail
Cyberattacks are common these days. These attacks can be actively targeting your organization over the internet or through incoming emails.
Reputation of your name and mail on the internet are important these days. Reputation attacks via email are achieved by spoofing; sending e-mail messages on behalf of your domain. To counter this, you can:
- Enable SPF (Sender Policy Framework) records, and;
- Enable DKIM (DomainKeys Identified Mail)
This is a common practice. However, after you have enabled this, you don't get any feedback about the attacks or invalid sources. To gain this insight you will need to activate DMARC (Domain-based Message Authentication, Reporting and Conformance). After you’ve enabled DMARC, via a simple DNS TXT record, you will start receiving automated mail messages with an XML file as attachment on the e-mail address listed in the TXT record.
In short: if you want to gain the insight, who is using your domain on the internet, start using DMARC.
Valimail to the rescue!
With Microsoft’s announcement, you get access to Valimail; a free tool to gain these insights.
Stop processing the XML files by hand or scripting tools. We all love (free) automation, right?
To gain access to this information, you already need to have setup the following:
- Existing SPF record containing all the authoritative mail sources
- Enable DKIM on your mail flow (activated by default in Office 365).
For outgoing mail, a transport agent can be installed on the on-premises Exchange Server or activated as an option on your anti-spam solution.
- Activated a basic DMARC record in your DNS domain, for example:
"v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org".
This example shows you’re using DMARC1 and you monitor existing connections. Please report findings to email@example.com.
How to set it up
Follow these steps to set it up:
- First go to the following website: https://go.valimail.com/microsoft.html
- Fill in the required information.
- Now wait for response from the Office 365 team of Valimail.
- Update your DNS record with the requested entry and test the record.
- Wait for your initial invite to create a login account.
- When the invite is sent, accept the invite and configure a password for your account.
Don’t forget to enable 2-factor authentication on your account or configure Azure AD single sign-on as described in Enable Valimail Single Sign-On with Azure Active Directory.
I have discussed DMARC before with customers and it's a valuable option to gain insight who is sending e-mail messages on behalf of your DNS domain. The only problem was, how to translate the XML files.
Yes, other tools are available, but for most, you will need to pay a fee to use.
ValiMail is free for organizations using Office 365, so why not use it? Regain control over your mail domain, today.
Below are some articles that explain SPF, DKIM and DMARC in more depth: