DKIM works much like an SSL certificate does on a website. When the mail is generated, the sending server computes a hash of the message and signs it with the domain's private key; when the recipient receives the email, their email system fetches the domain's public key, verifies the signature and checks the hash. If the hash matches, the receiving server knows that nobody has tampered with the mail while in transit. This prevents man-in-the-middle attacks. The tricky part is getting the keys sorted out on your email server and presenting the public key to the outside world. Luckily there are ways to do this; as you would imagine with any RFC-based method, there is a standard. Basically you create a private/public key pair. If you are using Office 365 this is already done for you, but you have to enable DKIM in order to use it, as it is not necessarily on by default. Link to the O365 instructions for enabling it: https://docs.microsoft.com/en-us/office365/securitycompliance/use-dkim-to-validate-outbound-email
Next you need the public key to share with the world. If you are running your own email server on premises, you likely already have the private and public keys, but if you use O365 you need to retrieve them, and this part is a little tricky. It is easiest to use a PowerShell command to get them, and if you have more than one "selector" there will be two keys to retrieve. Best practice is to have two selectors and make sure you enter both: Microsoft rotates between the two selectors on a regular basis, so both keys need to be available. The PowerShell code is in the link above for the DKIM setup.
For all of this to work, you also need to publish CNAME records for the "selectors". A selector names the DNS record that holds the public key for people to query against, and Microsoft generates two selectors for your domain if you are using O365. If you run your own mail server you will have to host the key records yourself. After that is all complete you will need your email server to check DKIM on inbound mail, and you can decide what to do if a message fails DKIM. We use Barracuda Email Security Service internally. It scans our inbound and outbound mail for us and is fully compatible with Office 365. We do not block DKIM failures, we only quarantine them at this point in time, because there are simply too many misconfigured DKIM deployments out there. I would prefer that my users have the opportunity to look at the message in quarantine and decide whether it looks legitimate. Putting it in quarantine at least highlights that it is suspicious, so our users use extra care when evaluating those messages.
Last but not least is DMARC. DMARC stands for Domain-based Message Authentication, Reporting and Conformance, which is a big long set of words that means this protocol protects your email domain from being spoofed. We live in a day when most cybersecurity threats come in through email phishing attacks. I'm not going to get into detail on what phishing is, because I think most people sort of understand it now. In basic terms it's when somebody sends an email to a user impersonating somebody else to trick them into giving up information. DMARC combines the results of SPF and DKIM and decides whether the message looks correct. Again, DMARC is implemented using TXT records in public DNS. Below is an example of what a DMARC record would look like if you were just getting started:
v=DMARC1; p=none; fo=1;
To break the record down, v=DMARC1 tells everyone that this TXT record is a DMARC record. The p=none shows that we aren't applying a policy; we could also specify quarantine or reject here to take the respective action if DMARC fails. Lastly, the fo=1 section controls when failure (forensic) reports are generated. The RFC specifies the options and their values, but this is the most common setting when you are getting started. It allows you to start evaluating DMARC without blocking anything and to formulate a good process based on the results. With our Barracuda Email Security Essentials subscription we can use their Sentinel product to review our DMARC reporting results and make recommendations based on those results.
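Worked example, added here and not part of the original post or of Microsoft's or Barracuda's tooling: a small Python script that parses the two kinds of DNS TXT record discussed above, the DKIM public-key record behind each selector (from the DKIM section) and the starter DMARC record just shown, and then combines aligned SPF and DKIM results into a DMARC disposition the way a receiving server does. The domain example.com, the tenant name contoso and the key bytes are constructed placeholders; the CNAME target form follows the selectorN-domain-tld._domainkey.tenant.onmicrosoft.com pattern Office 365 uses, with the tenant name assumed by the caller.

```python
"""Parse and sanity-check DKIM public-key and DMARC TXT records.

Both are semicolon-separated tag=value lists (DKIM key records per RFC 6376,
DMARC records per RFC 7489), so one small parser serves both.
Every sample record below is constructed for this example; none is a real key.
"""
import base64
import binascii

# Constructed sample records (placeholder key bytes, not a real RSA key).
SAMPLE_DKIM_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(
    b"constructed-placeholder-not-a-real-rsa-key").decode()
REVOKED_DKIM_RECORD = "v=DKIM1; k=rsa; p="          # empty p= means the key is revoked
STARTER_DMARC_RECORD = "v=DMARC1; p=none; fo=1;"     # the starter record from the post


def parse_tags(record: str) -> dict:
    """Split 'k=v; k2=v2;' into a dict; insertion order is kept for the v= check."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                                 # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, _, value = part.partition("=")
        tags[name.strip()] = value.strip()
    return tags


def dkim_dns_names(domain: str, tenant: str, selectors=("selector1", "selector2")) -> dict:
    """Map each selector's query name to the CNAME target Office 365 expects.

    Office 365 hosts the key at selectorN-<domain with dots as dashes>._domainkey.<tenant>.onmicrosoft.com;
    `tenant` is the initial onmicrosoft.com name and is an assumption supplied by the caller.
    """
    guid = domain.replace(".", "-")
    return {f"{s}._domainkey.{domain}": f"{s}-{guid}._domainkey.{tenant}.onmicrosoft.com"
            for s in selectors}


def check_dkim_key_record(record: str) -> dict:
    """Sanity-check the TXT record a verifier fetches from selector._domainkey.domain."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":            # v= is optional, but if present must be DKIM1
        raise ValueError(f"unsupported DKIM record version {tags['v']!r}")
    if "p" not in tags:
        raise ValueError("missing p= tag (no public key published)")
    if tags["p"] == "":
        return {"revoked": True, "key_bytes": 0, "testing": False}
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"p= is not valid base64: {exc}") from None
    flags = tags.get("t", "").split(":")             # t=y marks the domain as still testing DKIM
    return {"revoked": False, "key_bytes": len(key), "testing": "y" in flags}


def check_dmarc_record(record: str) -> dict:
    """Validate a DMARC record and return its effective settings (defaults applied)."""
    tags = parse_tags(record)
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("a DMARC record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"p= must be none, quarantine or reject, got {policy!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    fo_map = {"0": "report only if both SPF and DKIM fail",
              "1": "report if either SPF or DKIM fails",
              "d": "report on DKIM signature failure",
              "s": "report on SPF failure"}
    fo = tags.get("fo", "0")
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy),   # sp= defaults to p=
        "pct": pct,
        "fo": fo,
        "fo_meaning": "; ".join(fo_map.get(v, f"unknown fo value {v!r}") for v in fo.split(":")),
        "aggregate_reports_to": tags.get("rua"),      # None: nobody receives aggregate reports
        "failure_reports_to": tags.get("ruf"),
    }


def dmarc_disposition(record: str, spf_aligned: bool, dkim_aligned: bool) -> str:
    """Combine aligned SPF and DKIM results as a receiver does.

    DMARC passes when either aligned check passes; otherwise the published p= applies.
    """
    settings = check_dmarc_record(record)
    return "pass" if (spf_aligned or dkim_aligned) else settings["policy"]


if __name__ == "__main__":
    for name, target in dkim_dns_names("example.com", "contoso").items():
        print(f"CNAME {name} -> {target}")
    print("DKIM key record:", check_dkim_key_record(SAMPLE_DKIM_RECORD))
    print("Revoked record: ", check_dkim_key_record(REVOKED_DKIM_RECORD))
    print("Starter DMARC:  ", check_dmarc_record(STARTER_DMARC_RECORD))
    print("Both checks fail under starter record ->",
          dmarc_disposition(STARTER_DMARC_RECORD, spf_aligned=False, dkim_aligned=False))
```

One thing the script makes visible: the starter record above has no rua= tag, so aggregate_reports_to comes back None and receivers have nowhere to send the reports you would want to review. Adding rua=mailto:... (pointing at your reporting tool) is the first change to make once the record resolves.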
I would strongly consider using a tool to process your mail flows and further enhance your security. Take a look at the Barracuda Essentials suite; if you are an Office 365 user it's especially awesome. They can do your inbound/outbound mail filtering, and they integrate with DKIM, SPF, and DMARC. They provide AI-based protection of all user mailboxes against viruses and ATP threats. They can also spool your mail if your mail service goes down, then deliver it when the service is back up again. Also included in the suite is cloud-to-cloud backup of mail, SharePoint, and OneDrive. It's really a great bundle with lots of value and insight into your data and mail traffic. Last, but what could certainly be the best part, is that they include a product called PhishLine, which has videos and training to help users spot bogus email. PhishLine can also run simulated phishing attacks to see if your users are paying attention; it creates fake scams to see whether users will click on the phishing attempts. It can be a great tool to evaluate the effectiveness of training and prove you are meeting goals. It's a fully cloud-based service sold as a subscription per active user. Contact us if you need any help with sorting all of this out, we'd be happy to help.