TrendMicro Hosted Email Security: SPF DKIM and DMARC Part I

A couple of years ago I worked with the TrendMicro Hosted Email Security (HES) solution and I was very satisfied with it. With the upcoming SPF, DKIM and DMARC awareness I was looking for online solutions that offer these kinds of security measures, and I found that HES now offers them as well.

I have a hybrid Exchange environment with multi-role Exchange 2010 servers, Exchange 2010 Edge Transport servers and a hybrid configuration. There’s no dedicated Exchange 2016 server for this; the hybrid configuration just uses the existing Exchange 2010 servers. And this works well. There’s an additional namespace, o365mail.inframan.nl, which is used solely for SMTP communication between Exchange Online and the on-premises Exchange 2010 servers (without the use of the Edge Transport servers). The configuration looks like this:

image

This is a hybrid configuration with centralized mail flow. All email is sent and received through the on-premises Exchange environment, including email from and to Office 365. So, email sent to the Internet by users in Office 365 is sent first to the Exchange 2010 servers, and then via the Edge Transport servers to the Internet. This way you have full control over your Internet mail flow.

The Edge Transport servers don’t do a great job when it comes to message hygiene. You can configure Realtime Block Lists (RBL) like Spamhaus, and configure content filtering using word lists and attachment filtering, but still (a lot of) spam ends up in the users’ mailboxes. Therefore third-party solutions like Cisco Email Security Appliance (ESA, formerly known as IronPort) are used in front of on-premises Exchange solutions.

But back to HES…. When using a cloud service in this configuration incoming mail is sent to the cloud service which does all the necessary security stuff. From there it is delivered to the on-premises Exchange 2010 servers. In this scenario mail is still delivered to the Edge Transport servers because these are located in the DMZ.

Outbound mail is sent from the on-premises Exchange servers to the HES cloud service and from there to the intended recipients on the Internet.

In our scenario, we now have the following configuration:

image

Instead of pointing to the Edge Transport servers, the MX record now points to in.hes.trendmicro.eu. In the TrendMicro HES console, when configuring the domain, you also specify the inbound servers (i.e. the Edge Transport servers, smtphost.inframan.nl), and when outbound filtering is enabled you also specify where the outbound messages are coming from.

The Send Connector in Exchange 2010 needs to be changed as well. Instead of using MX for delivering mail you need to specify a smarthost for HES, which is relay.hes.trendmicro.eu.

Time to test. When sending an email from my Gmail account to Exchange 2010 via HES and checking the header information we can see the following mail flow:

image

Obviously, Gmail delivers to TrendMicro, which in turn delivers to the Edge Transport server. The other way around, from Exchange 2010 to Gmail, we see a similar mail flow:

image

Hotmail messages, or messages from/to my own Exchange 2016 environment, show a similar mail flow, so this looks good. And I must admit, fewer spam messages are delivered to the users’ mailboxes.
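The header check described above can also be scripted. The following is an added example, not part of the original post: it lists the Received hops of a message in order and confirms that whatever the Edge Transport server accepted was handed over by HES. The sample headers are constructed; host names other than in.hes.trendmicro.eu and smtphost.inframan.nl, and all IP addresses, are placeholders.

```python
import email
import re

FILTER_SUFFIX = ".hes.trendmicro.eu"  # HES domain from the MX and smarthost names above
EDGE_HOST = "smtphost.inframan.nl"    # Edge Transport name from the article

# Constructed headers, not copied from the post. Sender, hub and
# "placeholder-relay" host names and all IP addresses are made up.
VIA_HES = """\
Received: from smtphost.inframan.nl (198.51.100.20) by hub.example.internal
 with ESMTP; Mon, 1 Jan 2018 10:00:03 +0100
Received: from placeholder-relay.hes.trendmicro.eu (192.0.2.10)
 by smtphost.inframan.nl with ESMTP; Mon, 1 Jan 2018 10:00:02 +0100
Received: from mail-sender.example.com (203.0.113.7) by in.hes.trendmicro.eu
 with ESMTP; Mon, 1 Jan 2018 10:00:01 +0100
From: sender@example.com
To: user@inframan.nl

body
"""

# Same message, but handed to the Edge server without passing the filter.
DIRECT = """\
Received: from mail-sender.example.com (203.0.113.7) by smtphost.inframan.nl
 with ESMTP; Mon, 1 Jan 2018 10:00:01 +0100
From: sender@example.com
To: user@inframan.nl

body
"""


def received_hops(raw):
    """Return (from_host, by_host) for each Received header, oldest hop first."""
    hops = []
    # Each server prepends its header, so reverse to get chronological order.
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        frm = re.search(r"^\s*from\s+(\S+)", value, re.I)
        by = re.search(r"\bby\s+(\S+)", value, re.I)
        hops.append(tuple(m.group(1).rstrip(";").lower() if m else None
                          for m in (frm, by)))
    return hops


def edge_fed_by_filter(raw, edge=EDGE_HOST, suffix=FILTER_SUFFIX):
    """True only if every hop accepted by the Edge server came from the filter."""
    senders = [frm for frm, by in received_hops(raw) if by == edge]
    return bool(senders) and all(s and s.endswith(suffix) for s in senders)
```

The host after `from` is the name the sending server announced, so treat this as a mail-flow sanity check rather than proof of origin.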

HES can also put inbound messages in quarantine when HES is not sure whether the message is spam or not. The message is kept in the cloud and a notification message is sent to the user. The user can determine if it is spam; if not, it can be released and the sender can be approved:

image

I have an Exchange 2010 hybrid environment with centralized mail flow, so mail sent from an Office 365 mailbox should be routed from Exchange Online to the Exchange 2010 Hub Transport server, the Exchange 2010 Edge Transport server and HES to the recipient. So, when I send a mail from user Hélène Motard in Exchange Online (hmotard@inframan.nl) to my Gmail address I can see the following header information:

image

But, at this moment I’m not looking for the anti-spam and anti-virus solution, but I’m primarily interested in the SPF, DKIM and DMARC features of the Hosted Email Security solution. This is the subject for the next blog.
