Technology is ever-evolving. Every day there are new ways to interact online, and those many points of access open many doors for security issues. So, how does one stay on top of new tech while simultaneously protecting it? Just as tech is ever-evolving, so is our learning. In this guide, we will teach you the five steps you need to take to fully secure your email through Microsoft. While Microsoft has built-in features to protect you and yours, they aren't always configured "out of the box". This guide will show you just how to make the most of your current offerings and suggest some free tools we use every day. At BEMO, we always want our customers to feel empowered. So, while we are happy to configure your email security or manage your migrations, we also want to educate you so you have the option to do it yourself. So, without further ado, here is your complete guide to Microsoft email security.
Below you'll find the five steps to email security with Microsoft. We recommend they be done in the order provided. You can click on any of the links below to navigate to a specific section.
DKIM, DMARC and SPF? If these sound more like boy band members' nicknames or tech-style gibberish to you, don't worry! We will explain these acronyms, tell you why they're important and show you how to enable them. Plus, we will show you some (free!) tools, like MxToolbox, to use to make sure they are working correctly. Every day we use tools like MxToolbox to make sure our clients' email is protected and to confirm that DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting & Conformance) and SPF (Sender Policy Framework) are enabled. After this explanation, you will be able to manage your company's email with confidence as well. Let's get started!
This tool offers monitoring and lookup solutions to help IT teams assess the overall health of their company's DNS by means of 158 different tests that can be completed in seconds. We use it every day to determine the health of our leads', our clients', and our own network.
A Sender Policy Framework (SPF) record is a type of Domain Name System (DNS) record that can help to prevent email address forgery. Spammers can falsify email headers to make it look like they're sending from an email address on your domain. They can pretend to be you, allowing them to phish your users for private account information, or otherwise abuse your reputation. When they hijack an email account, they alter the email header details to show the messages they're sending are coming from the valid owner of the account.
Adding an SPF record can help prevent others from spoofing your domain. You can specify which mail servers are permitted to send an email on behalf of your domain. Then, when incoming mail servers receive email messages from your domain name, they compare the SPF record to the outgoing mail server information. If the data doesn't match, they identify the email message as unauthorized, and will generally filter it as spam or reject it.
Adding an SPF record can decrease spoofing attempts against your domain; however, it is not a foolproof guarantee against all spam.
To correctly set the SPF for your domain, answer the following two questions:
From what server or servers will email from the domain originate?
If you’re sending email from your workstation by using your internet service provider’s (ISP) mail servers, you might want to consider their servers. You must take all possible (legitimate) sending servers into account.
How do you want illegitimate email to be handled?
Do you want it to be rejected outright, or do you want the message to be classified as a soft fail, meaning that the email will be subjected to further scrutiny?
The example in this section assumes that you have the following considerations for your email on a specific domain:
In this situation, you would create the following rule and add it to a TXT record:
The following list shows how each part of the record is defined:
The all setting is an essential aspect of the record and has the following basic markers:
A Sender Policy Framework (SPF) record is a type of Domain Name System (DNS) TXT record that identifies which mail servers are permitted to send an email on behalf of your domain. The purpose of an SPF record is to detect and prevent spammers from sending messages with forged From addresses on your domain.
To test your SPF, go to https://mxtoolbox.com/spf.aspx and enter your domain. If set correctly, your SPF will pass its tests, as shown below.
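To make the all qualifier (hard fail versus soft fail) and the include mechanism concrete, here is an added example of a small SPF evaluator in Python; it is not code from the original post or from MxToolbox. It runs offline against a constructed table of TXT records: contoso.example, fabrikam.example and every address are made up, and the contents shown for spf.protection.outlook.com (the include Microsoft publishes for Exchange Online) are a constructed stand-in, not Microsoft's real record.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups. The domains and
# addresses are made up; the spf.protection.outlook.com entry is a stand-in
# for the include Microsoft publishes, not its actual contents.
FAKE_DNS_TXT = {
    "contoso.example": "v=spf1 ip4:198.51.100.0/24 include:spf.protection.outlook.com -all",
    "fabrikam.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
}

# The qualifier in front of a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str, dns=FAKE_DNS_TXT, depth=0) -> str:
    """Evaluate the SPF record of `domain` for a sending IP.

    Supports the mechanisms discussed in the guide: ip4/ip6, include and all.
    Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:  # RFC 7208 limits DNS-lookup mechanisms to 10 per check
        return "permerror"
    record = dns.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF published: receivers cannot authenticate
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]  # -all hard fail, ~all soft fail
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: only matches when the included domain evaluates to pass
            if check_spf(sender_ip, term[8:], dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists and redirect are not modelled here
    return "neutral"  # nothing matched and no all term: neutral per RFC 7208


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(ip, check_spf(ip, "contoso.example"), check_spf(ip, "fabrikam.example"))
```

Running it shows why the guide asks which servers are legitimate: an address outside every listed range fails hard under -all and only soft-fails under ~all.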
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.
DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. The recipient system can verify this by looking up the sender's public key published in the DNS. A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed. Usually, DKIM signatures are not visible to end-users, and are affixed or verified by the infrastructure rather than the message's authors and recipients.
First, for each domain, you will need to create two CNAME records in your public DNS Zone. To build the CNAME records, you will use the following format:
The <domainGUID> will be the first part of the MX record as listed for Exchange Online. For example, to enable Domain Name "contoso.com" for DKIM, I will look up the MX record (you can use https://mxtoolbox.com/MXLookup.aspx to find the MX record), and see that the MX record points to:
You take the first part, "contoso-com", and leave off ".mail.protection.outlook.com". The <InitialDomain> is the prefix part of your tenant name. In this case, the tenant domain is contoso.onmicrosoft.com, so the <InitialDomain> is contoso.
Now, to see it all together, you will build it as follows:
Now that you have created the first DKIM record, you will need to repeat the same steps and enter a second record as shown below.
Once done, you should see something similar within your DNS editor (below, I am using GoDaddy).
Now let’s validate that your DKIM entries have been configured correctly. Here is what you currently have:
The results include the information that is "stored" in the TXT record. In our case, the Office 365 TXT record stores the public key of the Office 365 DKIM selector that represents our domain name.
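The CNAME construction and the lookup check described above, as an added Python example that is not part of the original post: dkim_cnames builds the two records from the MX host and the tenant prefix, and verify_dkim_selector follows the CNAME to the TXT record the way the lookup tool does and reports whether a usable public key is published. The DNS data is a constructed in-memory table and the p= value is a placeholder, not a real key.

```python
# Constructed public DNS data for contoso.com, the guide's example domain.
# Hostnames follow the Exchange Online pattern; the key is a placeholder.
FAKE_DNS = {
    "CNAME": {
        "selector1._domainkey.contoso.com": "selector1-contoso-com._domainkey.contoso.onmicrosoft.com",
        "selector2._domainkey.contoso.com": "selector2-contoso-com._domainkey.contoso.onmicrosoft.com",
    },
    "TXT": {
        "selector1-contoso-com._domainkey.contoso.onmicrosoft.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
        # An empty p= means the selector's key has been revoked (RFC 6376).
        "selector2-contoso-com._domainkey.contoso.onmicrosoft.com": "v=DKIM1; k=rsa; p=",
    },
}


def dkim_cnames(domain: str, mx_host: str, initial_domain: str) -> dict:
    """Build the two CNAME records Exchange Online expects for DKIM on `domain`.

    The domainGUID is the first label of the MX host (contoso-com for
    contoso-com.mail.protection.outlook.com); initial_domain is the tenant prefix.
    """
    domain_guid = mx_host.split(".")[0]
    return {
        f"{sel}._domainkey.{domain}":
            f"{sel}-{domain_guid}._domainkey.{initial_domain}.onmicrosoft.com"
        for sel in ("selector1", "selector2")
    }


def verify_dkim_selector(domain: str, selector: str, dns=FAKE_DNS) -> str:
    """Follow selector._domainkey.<domain> through its CNAME to the TXT record
    holding the public key, then check that the key is actually usable."""
    name = f"{selector}._domainkey.{domain}"
    for _ in range(5):  # follow a short CNAME chain, then give up
        if name in dns["TXT"]:
            break
        if name not in dns["CNAME"]:
            return f"missing: no CNAME or TXT record for {name}"
        name = dns["CNAME"][name]
    else:
        return "error: CNAME chain too long"
    # DKIM key records use the same tag=value syntax DMARC reuses.
    tags = dict(t.strip().split("=", 1) for t in dns["TXT"][name].split(";") if "=" in t)
    if tags.get("v") != "DKIM1":
        return f"invalid: {name} is not a DKIM key record"
    if not tags.get("p"):
        return f"revoked: {name} publishes an empty key (p=)"
    return f"ok: {name} publishes a key of type {tags.get('k', 'rsa')}"
```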
When using the DKIM records lookup, you will need to provide:
Once you have the DNS records in place and have verified that they are publicly accessible, go to:
Domain-based Message Authentication, Reporting & Conformance (DMARC), is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
DMARC policies define how SPF and DKIM records should be handled by email servers. A critically important element of DMARC policy is that it also provides a reporting mechanism so domain administrators can identify if email is failing or if an attacker is attempting to spoof a given domain.
DMARC policies are published in the DNS as text (TXT) and announce what an email receiver should do with non-aligned mail it receives. DMARC records follow the extensible “tag-value” syntax for DNS-based key records defined in DKIM. The following chart illustrates some of the available tags:
v=DMARC1; p=quarantine; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; adkim=r; aspf=r; rf=afrf
v=DMARC1; p=quarantine; pct=100
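To check a record like the two above before publishing it, here is an added Python validator (example code, not from the original post or from MxToolbox) that parses the tag-value syntax and flags values RFC 7489 does not allow. The warning about a missing rua= address reflects the point made earlier that DMARC's reporting is what tells you whether mail is failing or being spoofed; the record strings used in the test are the two shown above.

```python
# Allowed values for the DMARC tags covered by the guide's chart (RFC 7489).
ALLOWED = {
    "p": {"none", "quarantine", "reject"},      # policy for the domain itself
    "sp": {"none", "quarantine", "reject"},     # policy for subdomains
    "adkim": {"r", "s"},                        # DKIM alignment: relaxed / strict
    "aspf": {"r", "s"},                         # SPF alignment: relaxed / strict
    "rf": {"afrf"},                             # forensic report format
}


def parse_dmarc(record: str) -> dict:
    """Split a tag=value record (the DKIM syntax DMARC reuses) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return the problems found in a DMARC TXT record; an empty list means it is valid."""
    problems = []
    tags = parse_dmarc(record)
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("p= policy tag is required")
    for tag, allowed in ALLOWED.items():
        if tag in tags and tags[tag] not in allowed:
            problems.append(f"{tag}={tags[tag]} is not one of {sorted(allowed)}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct= must be an integer between 0 and 100")
    for tag in ("rua", "ruf"):
        for uri in (tags.get(tag) or "").split(","):
            if uri and not uri.strip().startswith("mailto:"):
                problems.append(f"{tag} address {uri.strip()!r} must be a mailto: URI")
    if "rua" not in tags:
        problems.append("warning: no rua= address, so you will receive no aggregate reports")
    return problems


if __name__ == "__main__":
    print(validate_dmarc("v=DMARC1; p=quarantine; pct=100"))
```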
To check that you have correctly set your DMARC, do the following steps:
That’s it! You have now successfully implemented SPF, DKIM and DMARC for your domain. By enabling these tools, you have drastically reduced the probability of your company becoming a victim of a data breach via email.
How did it go? Leave your questions or comments below or reach out for a 15-minute meeting.
Next up: set up Anti-Spam and Anti-Malware with EOP (Exchange Online Protection). Follow these steps:
You are done with setting up Anti-spam!
I would advise the following:
First, you will need to create a new contact within Office 365 in order to have someone receive notifications, or at least apply this rule to the current Global Admin.
Now if any of your mailboxes are sending out spam you will know about it!
Schedule a meeting with us to learn more about implementing Exchange Online Protection and all the other email security tools offered by Microsoft.
It's time to configure Office Message Encryption. Be prepared, these instructions aren't for the faint of heart! Enabling OME is much more difficult than the other Microsoft email security products, but hopefully these steps will make it as pain-free as possible!
No, these steps aren't easy but...short answer: yep. You need security.
If you're still not convinced why you need email security, Microsoft breaks it down nicely here:
"People often use email to exchange sensitive information, such as financial data, legal contracts, confidential product information, sales reports and projections, patient health information, or customer and employee information. As a result, mailboxes can become repositories for large amounts of potentially sensitive information and information leakage can become a serious threat to your organization." So, let's learn a bit about OME, shall we?
Office Message Encryption (OME) allows your organization to send and receive encrypted messages, even to people outside of your organization. Encryption makes it so that only your intended audience can view the sensitive information your messages contain.
Alright, now that we've got the basics under our belts, let's get started!
You will be sent to:
If your organization uses multi-factor authentication (MFA) to connect to Exchange Online PowerShell, follow the instructions: MFA requires you to install the Exchange Online Remote PowerShell Module, and use the Connect-EXOPSSession cmdlet to connect.
You will get the following prompt:
Once done, a similar screen will open.
Once done, you should see the screen below.
Connect to Exchange Online PowerShell by using MFA
Once logged in, you will get a screen similar to:
12. Disable IRM templates in OWA and Outlook
13. View the IRM Configuration
By default, when you set up the new Office 365 Message Encryption capabilities, users in your organization can send messages to recipients that are outside of your Office 365 organization. If the recipient uses a social ID such as a Google account, Yahoo account, or Microsoft account, the recipient can sign in to the OME portal using the social ID.
By default, if the recipient of a message encrypted by OME doesn't use Outlook, regardless of the account used by the recipient, the recipient receives a limited-time web-view link that lets them read the message. This includes a one-time passcode. As an administrator, you can manage whether or not one-time passcodes can be used to sign in to the OME portal.
To manage whether or not one-time passcodes are generated for Office Message Encryption
By default, the Encrypt button in Outlook on the web is not enabled when you set up OME. As an administrator, you can manage whether or not to display this button to end-users. To manage whether or not the Protect button appears in Outlook on the web:
The iOS mail app can't decrypt messages protected with Office 365 Message Encryption. As an Office 365 administrator, you can apply service-side decryption for messages delivered to unenlightened clients like the iOS mail app. When you choose to do this, the service will send a decrypted copy of the message to the iOS device. The message is stored decrypted on the client device. The message also retains information about usage rights even though the iOS mail app doesn't apply client-side usage rights to the user. This means that the user can copy or print the message even if they did not originally have the rights to do so.
However, if the user attempts to complete an action that requires the Office 365 mail server, such as forwarding the message, the server will not permit the action if the user did not originally have the usage right to do so. Still, end-users can work around the Do Not Forward usage restriction by forwarding the message from a different account in their iOS mail app.
Regardless of whether you set up service-side decryption of mail, any attachments to encrypted and rights protected mail cannot be viewed in the iOS mail app. If you choose not to allow decrypted messages to be sent to iOS mail app users, users receive a message that states that they don't have the rights to view the message. By default, service-side decryption of email messages is not enabled.
You did it! Congratulations. As you can see, setting up OME is no small undertaking but hopefully, these steps got you through to the other side. If you have any questions or thoughts, please feel free to reach out here:
We implement OME with all of our cybersecurity plans. Check them out 👉 here
Next up: Step Four
In Step Four, we're going to walk you through the step-by-step process for setting up Office 365 Advanced Threat Protection (ATP).
There are three parts to setting up Office 365 Advanced Threat Protection:
To enable Office 365 ATP you will need one of the following licenses:
OK, let's get started!
Once the appropriate licenses are assigned to all of your users, follow these steps to implement the 'Safe Links' feature:
Option 1 - More restrictive policy
Option 2 - Less restrictive policy
Check the box for Apply the above selection if malware scanning for attachments times out or error occurs
Apply the rule "If the recipient domain is"
Click the Save button
Note: It can take from 5 seconds to 5 minutes to apply settings to the tenant.
Click on ATP Safe Links, then Double-click on Default
A popup window will open
ATP Safe Links has been set up!
The following window will show up:
Within the Impersonation section, click Edit
Congratulations! You've now completed all three steps to set up Office 365 Advanced Threat Protection (ATP).
Need help or prefer we do it for you? Click on the button below for help:
Last but certainly not least: Step Five: MFA
With 81 percent of data breaches being due to weak, reused, or stolen passwords, turning on Multi-Factor Authentication (MFA) for all of your apps is necessary. In Step Five, we'll show you how to set up MFA for your Office 365 account paired with the Microsoft Authenticator smartphone app.
What is MFA? Follow the link to read a quick blog about what MFA is and why you need it.
While you can authenticate by typing in a 6-digit verification code sent to your phone or email address, having to jump back and forth between tabs and apps and then typing out the code is really annoying. The Microsoft Authenticator app alleviates this poor end-user experience.
Before we begin, you or your IT administrator must have enabled MFA and the Azure feature called “Users can use preview features for registering and managing security info – enhanced” before being able to follow the steps below.
Let’s get started!
Once you have downloaded the app, please make sure you allow the Microsoft Authenticator app to use your camera (if asked). If the app cannot use the camera, you will not be able to complete the setup correctly. Once the app is installed, you will need to set up your account to connect to the app.
Now that the app has been registered against your account, let’s validate that it has been set up correctly.
You will receive a ‘pop up’ notification from Microsoft Authenticator. You will need to press the Approve button to move forward. The nice thing is that, compared to SMS, approving the notification does not require you to type any number, making the process faster and easier.
If the setup is successful, you will receive the following confirmation: “Notification approved”
Now, you will set up a backup option: the normal MFA via SMS. You will be asked to enter your mobile phone number and decide if you want to have your validation done via an SMS or by having Microsoft call you.
In the example below, I have chosen the SMS option. Once you receive the SMS, enter the 6-digit code and click Next.
When successful, you will see the following screen: “SMS verified successfully”.
You are now ready to use Microsoft Authenticator as the default sign-in method.
And...that's a wrap! Whew! If you've made it this far, you deserve a serious pat on the back. Congratulations on making it through all five steps in our complete Microsoft email security series!
Questions? Comments? In need of praise for a job well done? Drop us a line in the comments section below to let us know how it went! 👇
As always, BEMO is happy to help. Click on the button below to reach out to our team today.