In my previous blog I showed you how I implemented Trend Micro Hosted Email Security (HES) in my Exchange 2010 environment. It is an interesting case: an Exchange 2010 hybrid environment with mailboxes in on-premises Exchange 2010 as well as mailboxes in Exchange Online. Centralized mail transport is used, so mail to and from Office 365 always routes via HES and the on-premises Exchange 2010 servers to Exchange Online. In this blog I will focus on implementing SPF, DKIM and DMARC in Trend Micro Hosted Email Security.
SPF
SPF in itself is covered in more detail in a previous blog post “SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part I” which can be found here: https://jaapwesselius.com/2016/08/19/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-i/.
In this scenario, mail from the inframan.nl domain (including Office 365) is only routed via the Hosted Email Security environment so the SPF record is pretty simple:
v=spf1 include:spf.hes.trendmicro.com ~all
Set this TXT record in your public DNS zone, start sending email, and when you check the header information of a received message you'll see you're all good here:
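To see what a receiving mail server does with the record above, here is an added example in Python (not from the post and not Trend Micro code): a small SPF evaluator that walks the mechanisms of an SPF record, follows the include: into the HES record and maps the ~all qualifier to softfail. The DNS table is constructed in memory, and the ip4 networks behind spf.hes.trendmicro.com are assumed placeholder ranges, not Trend Micro's real ones. Only the terms this record needs (ip4/ip6, include, all) are implemented; a, mx, ptr, exists and redirect= are reported as unsupported.

```python
"""SPF evaluation (RFC 7208) against a constructed, in-memory DNS table."""
import ipaddress
from typing import List, Optional

# Constructed stand-in for public DNS: the SPF record from the post for
# inframan.nl plus an ASSUMED ip4 list behind include:spf.hes.trendmicro.com.
# The real Trend Micro record lists different networks.
DNS_TXT = {
    "inframan.nl": "v=spf1 include:spf.hes.trendmicro.com ~all",
    "spf.hes.trendmicro.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 -all",
}

# qualifier prefix on a mechanism -> SPF result when that mechanism matches
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permerror


def lookup_spf(domain: str) -> str:
    """Return the SPF TXT record for a domain from the constructed table."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    return record


def check_spf(ip: str, domain: str, lookups: Optional[List[int]] = None) -> str:
    """Evaluate sender address 'ip' against the SPF record of 'domain'.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    'lookups' is a shared counter so nested include: terms count towards the limit.
    """
    if lookups is None:
        lookups = [0]
    try:
        record = lookup_spf(domain)
    except LookupError:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # drop the v=spf1 version tag
        qualifier = "+"                      # mechanisms default to "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            # an IPv6 address never matches an ip4 network and vice versa
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, value, lookups)
            if inner == "pass":              # only a pass of the included record matches
                return QUALIFIER_RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"           # a broken include breaks the whole record
        else:
            # a, mx, ptr, exists and modifiers such as redirect= are out of scope here
            return "permerror"
    return "neutral"                         # nothing matched and there was no "all"


if __name__ == "__main__":
    for sender in ("198.51.100.25", "192.0.2.1", "2001:db8::1"):
        print(sender, "->", check_spf(sender, "inframan.nl"))
```

The softfail for an address outside the HES ranges is exactly what ~all asks for: a receiver marks the message as suspicious rather than rejecting it outright, which is why the record is safe to publish before every sending path has been accounted for.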
DKIM
DKIM is a little more work to configure and takes a bit more time. DKIM is covered more in detail in part II of a previous series “SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part II” which can be found here: https://jaapwesselius.com/2016/08/22/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-ii/
DKIM is about signing header information using a private key; to verify the signature, the receiving server needs the public key, which is stored in public DNS and accessible to every mail server on the Internet. No need to worry about the configuration: HES will deliver all the details.
In the HES console select Outbound Protection and select DomainKeys Identified Mail (DKIM) Signing.
Since nothing is configured yet we'll end up in an empty window. Click the Add button and check the Enable DKIM signing checkbox. You can see which headers will be signed and the Selector that HES uses, and you can change the wait time. This is the time HES waits before it starts signing messages, and the wait time starts as soon as HES notices the public key in DNS. The default value is 48 hours, but I've changed this to 24 hours (since the TTL for the inframan domain is only 10 minutes).
When you click the Generate button the DKIM key pair will be generated. The private key will be stored and used by HES, the public key you have to enter in your public DNS with the assigned Selector key:
Click the Add button to add the new DKIM configuration to HES and after a few moments it will appear in the DKIM overview page. Its status will change to Active very rapidly, and so will the DNS Record status entry.
You can use MXToolbox (http://mxtoolbox.com/dkim.aspx) to check whether your DKIM record is ok. When using the MXToolbox tool, make sure you use the proper Selector key.
So now we must wait (at least) another 24 hours to see if all went well. When sending an email to my Gmail address and checking the header information, we can see that the message is DKIM signed and that verification of the message is successful.
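The checks a receiving server performs on a DKIM-signed message, as an added Python example that is not part of the post and not HES code: it parses the DKIM-Signature tags, derives the <selector>._domainkey.<domain> record name that a verifier (or MXToolbox) queries, validates the published key record and recomputes the body hash (bh=) with the canonicalisation rules of RFC 6376. The selector hesexample, the key record and the message body are constructed values; the RSA signature check on b= itself is left out, so this covers everything the receiver does before the cryptographic step.

```python
"""DKIM receiver-side checks before RSA verification (RFC 6376):
tag parsing, selector record name, key record validation and body hash."""
import base64
import hashlib
import re
from typing import Dict

# Constructed sample values (not the selector or key HES assigned in the post).
SAMPLE_DOMAIN = "inframan.nl"
SAMPLE_SELECTOR = "hesexample"
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64PUBLICKEY"


def parse_tags(value: str) -> Dict[str, str]:
    """Split a tag=value list (DKIM-Signature header or DNS key record) into a dict.
    Whitespace inside values, left over from header folding, is dropped."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)      # base64 values contain '=' too
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dns_record_name(sig: Dict[str, str]) -> str:
    """The TXT record a verifier queries: <selector>._domainkey.<signing domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def validate_key_record(record: str) -> bool:
    """Reject a key record that is not DKIM1, is not RSA, or has been revoked
    (an empty p= means the selector is no longer valid)."""
    tags = parse_tags(record)
    return (tags.get("v", "DKIM1") == "DKIM1"
            and tags.get("k", "rsa") == "rsa"
            and bool(tags.get("p")))


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """'simple' only strips trailing empty lines; 'relaxed' also collapses runs
    of whitespace and strips whitespace at line ends (RFC 6376 section 3.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # simple: an empty body hashes as a single CRLF; relaxed: as nothing
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, canon: str = "relaxed", algo: str = "rsa-sha256") -> str:
    """base64(SHA-256 or SHA-1 of the canonicalised body), the bh= tag value."""
    digest = hashlib.sha256 if algo.endswith("sha256") else hashlib.sha1
    return base64.b64encode(digest(canonicalize_body(body, canon)).digest()).decode()


def check_body_hash(sig: Dict[str, str], body: bytes) -> bool:
    """Recompute bh= from the received body using the canonicalisation the
    signature declares in c=header/body (default simple/simple)."""
    canon = sig.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    return body_hash(body, body_canon, sig.get("a", "rsa-sha256")) == sig["bh"]


def sign_side_tags(body: bytes) -> str:
    """What a signer such as HES puts in the header for this body
    (b= is omitted: the RSA signature itself is outside this example)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={SAMPLE_DOMAIN}; "
            f"s={SAMPLE_SELECTOR}; h=from:to:subject:date; bh={body_hash(body)};")


if __name__ == "__main__":
    body = b"Hello  from inframan.nl \r\n\r\n"     # constructed message body
    sig = parse_tags(sign_side_tags(body))
    print(dns_record_name(sig))                      # hesexample._domainkey.inframan.nl
    print(validate_key_record(SAMPLE_KEY_RECORD))    # True
    print(check_body_hash(sig, body))                # True
    print(check_body_hash(sig, body + b"tampered"))  # False
```

A body hash mismatch is the first thing a receiver reports when a message is modified in transit (a footer added by a relay, for instance), and the relaxed canonicalisation is what keeps harmless whitespace changes from producing that mismatch.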
DMARC
The last step is to enable DMARC. For outbound messages this is not a big issue, since the verification of outbound email is performed by the recipient's email server. You only have to set a DMARC record in public DNS.
Note. DMARC in itself is explained in a previous blog post: SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part III – https://jaapwesselius.com/2016/08/23/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-iii/
At this moment I want to enable DMARC verification, but I don't want my outbound email to be quarantined or rejected, so I use none as the policy. DMARC reports should be sent to a special dmarcreports mailbox, so we get the following DMARC record in DNS:
v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarcreports@inframan.nl
When checking the record with MXToolbox.com the record is ok:
The final test is sending an email to a mail system that performs DMARC verification; luckily Gmail does that (and so does Office 365). When sending an email to my Gmail account and checking the header, we see that DMARC verification is successful:
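How a receiver such as Gmail evaluates the DMARC record above, as an added Python example (not from the post): it parses the tags, checks identifier alignment between the From domain and the domains that passed SPF and DKIM, and derives the disposition from p=, sp= and pct= as described in RFC 7489. Two simplifications are assumed: the organizational-domain function takes the last two labels instead of consulting the Public Suffix List, and the pct= sampling uses a caller-supplied roll instead of a random draw so the result is reproducible.

```python
"""DMARC record parsing and policy evaluation (RFC 7489) for a received message."""
from dataclasses import dataclass
from typing import Dict, Optional

# The record from the post, published at _dmarc.inframan.nl
PAGE_DMARC_RECORD = "v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarcreports@inframan.nl"

VALID_POLICIES = {"none", "quarantine", "reject"}
# when a message falls outside the pct= sample, the next-lower policy applies
LOWER_POLICY = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record and fill in the RFC defaults for missing tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    tags.setdefault("adkim", "r")        # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")         # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])     # subdomain policy inherits p=
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. ASSUMPTION: a single-label public suffix, so
    mail.inframan.nl -> inframan.nl; real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain. No authenticated domain means no alignment."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                 # domain of the RFC5322.From header
    spf_pass_domain: Optional[str]   # MAIL FROM domain if SPF passed, else None
    dkim_pass_domain: Optional[str]  # d= of a DKIM signature that verified, else None


def evaluate_dmarc(record: str, results: AuthResults, roll: int = 0) -> Dict[str, object]:
    """Return the DMARC verdict and the disposition the record asks for.
    'roll' stands in for the receiver's random draw (0-99) used for pct= sampling."""
    policy = parse_dmarc(record)
    spf_ok = aligned(results.from_domain, results.spf_pass_domain, policy["aspf"])
    dkim_ok = aligned(results.from_domain, results.dkim_pass_domain, policy["adkim"])
    dmarc_pass = spf_ok or dkim_ok   # one aligned, passing identifier is enough
    is_org = org_domain(results.from_domain) == results.from_domain.lower()
    applicable = policy["p"] if is_org else policy["sp"]
    if dmarc_pass:
        disposition = "none"
    elif roll < int(policy["pct"]):
        disposition = applicable
    else:
        disposition = LOWER_POLICY[applicable]
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if dmarc_pass else "fail",
        "disposition": disposition,
        "report_to": policy.get("rua", ""),
    }


if __name__ == "__main__":
    # constructed: a message signed by HES for inframan.nl with SPF passing too
    good = AuthResults("inframan.nl", "inframan.nl", "inframan.nl")
    # constructed: a message claiming inframan.nl that neither SPF nor DKIM back up
    spoof = AuthResults("inframan.nl", None, None)
    print(evaluate_dmarc(PAGE_DMARC_RECORD, good))
    print(evaluate_dmarc(PAGE_DMARC_RECORD, spoof))
```

With the record from the post (p=none) the spoofed case still fails DMARC but is delivered, and the failure only shows up in the aggregate reports sent to the rua= address; moving to p=quarantine or p=reject later turns that same verdict into an action, which is why reviewing those reports first is the usual order.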
Summary
In earlier blog posts I already explained the fundamentals of SPF, DKIM and DMARC. In the past two blogs I showed you how to enable SPF, DKIM and DMARC for outbound email (for my on-premises Exchange 2010 environment). DKIM signing is possible on Exchange on-premises using a 3rd party solution like the one found on GitHub, but using an online solution such as Hosted Email Security from Trend Micro, as in my environment, gives you less maintenance and less complexity. Another advantage is the inbound DKIM and DMARC verification, which is the topic of my next blog.
Great write-up Jaap!