Office 365–Enhanced Email Protection

Microsoft is rolling out improved email protection for the Exchange Online component of Office 365.  Specifically, they are expanding the use of DKIM and DMARC technologies inside Exchange Online and Exchange Online Protection (EOP).

The idea behind all of this is to expand the ability to authenticate email as coming from “trusted authenticated senders” so as to cut down, and even eliminate, the “crud” (spam, phishing, etc.) email that hits a user’s Inbox.  Exchange Online has always supported the SPF framework and other basic techniques for validating email sender authenticity, but newer technologies and techniques are required to combat modern threats.  DKIM and DMARC are those technologies.

DMARC (Domain-based Messaging and Reporting Compliance) is specifically designed to combat spoofing and phishing.  It looks at the “5322.From” email address (the address displayed in email clients like Outlook), which is the address that is most often spoofed.  This is different from what SPF looks at, which is the “5321.MailFrom” address.  Here is an example (and my thanks to the OfficeBlogs folks for this info):

image

As you can see, the domains in the two “From” addresses do not match, and DMARC catches this because it evaluates both the SPF record AND the DKIM record for both domains.  In the above example, phishing.com passes SPF because there is a registered SPF record for it (smart bad guys), BUT phishing.com does not match woodgrovebank.com in the second From: address, so the message fails DMARC.  DMARC actually stamps this info into the header of the email:

image

Office 365 uses this DMARC tag to mark the message as SPAM.

DKIM (DomainKeys Identified Mail) is a technology used by the sender of the email to claim some responsibility for the message by associating the domain with the message.  In other words, DKIM allows senders to build domain reputation by tagging their email with DKIM.  DKIM, in turn, verifies the authenticity of the email and writes the results of the verification in an Authentication-Results header in the email.  For example, if the “signing domain” (the user’s email domain) is “example.com”, then this would be a verified authentication header:

image

If the message actually failed DKIM authentication the authentication header would have a dkim-fail tag and further DKIM processing of the email would fail.
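The alignment check described above for phishing.com and woodgrovebank.com, together with the reading of the Authentication-Results header described in the DKIM passage, as an added Python example that is not from Microsoft or the original post. The sample messages, the mx.example.net authserv-id and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages modelled on the phishing.com / woodgrovebank.com case;
# the Authentication-Results values are sample data, not real receiver output.
SPOOFED = """\
Return-Path: <phish@phishing.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=phishing.com;
 dkim=none
From: "Woodgrove Bank Security" <security@woodgrovebank.com>
"""
GENUINE = """\
Return-Path: <bounce@mail.woodgrovebank.com>
Authentication-Results: mx.example.net; spf=pass (sender ok)
 smtp.mailfrom=mail.woodgrovebank.com; dkim=pass header.d=woodgrovebank.com
From: security@woodgrovebank.com
"""

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain;
    # a production check uses the Public Suffix List instead.
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def auth_results(msg):
    """Map each method (spf, dkim, ...) to (result, {property: value})."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = re.sub(r"\([^)]*\)", " ", hdr)       # drop (comments)
        for clause in hdr.split(";")[1:]:          # [0] is the authserv-id
            pairs = re.findall(r"([\w.-]+)=([^\s;]+)", clause)
            if pairs:
                out[pairs[0][0].lower()] = (pairs[0][1].lower(), dict(pairs[1:]))
    return out

def dmarc_verdict(raw):
    """Pass only if SPF or DKIM passed for a domain aligned (relaxed) with 5322.From."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    res = auth_results(msg)
    spf, spf_p = res.get("spf", ("none", {}))
    dkim, dkim_p = res.get("dkim", ("none", {}))
    mailfrom = spf_p.get("smtp.mailfrom", "").rpartition("@")[2]  # 5321.MailFrom domain
    spf_ok = spf == "pass" and org_domain(mailfrom) == from_dom
    dkim_ok = dkim == "pass" and org_domain(dkim_p.get("header.d", "")) == from_dom
    return {"spf": spf, "dkim": dkim, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}
```

Run this only against Authentication-Results headers stamped by your own receiving mail system, since a header that arrived with the message can be forged by the sender.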

Office 365 is rolling out these technologies across all of Office 365 (DKIM has to this point been supported on IPv6 connections; it is now rolling out across IPv4 as well), and the rollout should be completely implemented by the end of the first quarter of 2015.  It should greatly reduce the (already low) amount of phishing and SPAM email that does make it through the Exchange Online Protection filters.  And, of course, Microsoft continues to add to the capabilities of Exchange Online Protection.  In my view, this is just one more reason why Office 365 offers so much value, as you would have to spend a great deal of money to provide similar levels of protection to your own on-premise Exchange installation.

For those of you so inclined, further reading on DKIM is available here.