TrendMicro Hosted Email Security: SPF DKIM and DMARC Part II

In my previous blog I showed you how I implemented Trend Micro Hosted Email Security (HES) in my Exchange 2010 environment. Interesting case, it’s an Exchange 2010 hybrid environment with mailboxes in on-premises Exchange 2010 as well as mailboxes in Exchange Online. Centralized mail transport is used, so mail to and from Office 365 always routes via HES and the on-premises Exchange 2010 servers to Exchange Online. In this blog I will focus on implementing SPF, DKIM and DMARC in Trend Micro Hosted Email Security.

SPF

SPF in itself is covered in more detail in a previous blog post “SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part I” which can be found here: https://jaapwesselius.com/2016/08/19/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-i/.

In this scenario, mail from the inframan.nl domain (including Office 365) is only routed via the Hosted Email Security environment so the SPF record is pretty simple:

v=spf1 include:spf.hes.trendmicro.com ~all

Set this TXT record in your public domain, start sending email and when checking the header information you’ll see your all good here:

image

DKIM

DKIM is a little more work to configure and takes a bit more time. DKIM is covered more in detail in part II of a previous series “SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part II” which can be found here: https://jaapwesselius.com/2016/08/22/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-ii/

DKIM is about signing header information using a private key, and to decipher the signature you need a public key which is stored in public DNS, accessible for every mail server on the Internet. No need to worry about the configuration, HES will deliver all the details.

In the HES console select Outbound Protection and select DomainKeys Identified Mail (DKIM) Signing.

image

Since nothing is configured yet we’ll end up in an empty window. Click the Add button. Check the Enable DKIM signing button. You can check which headers will be signed, you can see the Selector that’s used by HES and you can change the wait time. This is the time it takes for HES to start signing messages, and the wait time starts as soon as HES notices the public key in DNS. The default value is 48 hours, but I’ve changed this to 24 hours (since the TTL for the inframan domain is only 10 minutes).

image

When you click the Generate button the DKIM key pair will be generated. The private key will be stored and used by HES, the public key you have to enter in your public DNS with the assigned Selector key:

image

Click the Add button to add the new DKIM configuration to HES and after a few moments it will appear in the DKIM overpage page. Its status will change to Active very rapidly, and so will the DNS Record status entry.

image

You can use the MXToolbox (http://mxtoolbox.com/dkim.aspx) to check if your DKIM record is ok. When using the MXToolbox tool make sure you use the proper Selector key.

image

So, now we must wait (at least) for another 24 hours to see if all went well. So, when sending out email to my Gmail address and check the header information we can see the message is DKIM signed, and that verification of the message is successful.

image

image

DMARC

The last step is to enable DMARC. For outbound messages this is not a big issue since the verification for outbound email is performed by the recipient’s email server. You only have to set a DMARC record in public DNS.

Note. DMARC in itself is explained in a previous blogpost: SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part III – https://jaapwesselius.com/2016/08/23/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-iii/

At this moment I want to enable DMARC verification, but don’t want my outbound email to be quarantined or rejected, so I use none as the policy. DMARC reports should be sent to a special dmarcreports mailbox, so we get the following DMARC record in DNS:

v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarcreports@inframan.nl

When checking the record with MXToolbox.com the record is ok:

image

The final test is sending out an email to a mailsystem that does perform DMARC verification, and luckily Gmail will do that (but so does Office 365). So, when sending an email to my Gmail account and check the header we will see DMARC verification is successful:

image

Summary

In earlier blogpost I already explained the fundamentals of SPF, DKIM and DMARC. In the past two blog I showed you how to enable SPF, DKIM and DMARC (for my on-premises Exchange 2010 environment) for outbound email. DKIM signing is possible to perform on Exchange on-premises using a 3rd party solution like this on found on GitHub, but using an online solution like in my environment Hosted Email Security from Trend Micro gives you less maintenance and less complexity. Another advantage is the inbound DKIM and DMARC verification, which is the topic of my next blog.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s