In the previous two blog posts I discussed how to configure SPF, DKIM and DMARC for outbound messages using the TrendMicro Hosted Email Security solution, including Office 365 centralized mail transport. In this blog post I'll discuss SPF, DKIM and DMARC for inbound messages (i.e. the verification part) using the TrendMicro solution.
Inbound protection
For inbound protection there is not much to configure; with an online service, the only thing you have to do is enable the services.
In the HES Console select Inbound Protection and select Domain-based Authentication. Here you'll find the options for SPF, DKIM and DMARC:
Select the Sender Policy Framework (SPF) option and in the SPF window check the Enable SPF checkbox. When needed, also check the Insert an X-header into email messages checkbox:
To enable inbound DKIM verification, select Inbound Protection, select Domain-based Authentication and select DomainKeys Identified Mail (DKIM) Verification. If you haven't configured any inbound DKIM verification yet, you'll see only the Default domain settings, which is a disabled setting.
You can configure this for all domains or for just one domain (i.e. the inframan.nl domain in my environment) using a drop-down box. Check the Enable DKIM verification checkbox and, when needed, check the Insert an X-header into email messages checkbox. You can also add a tag to the subject line when DKIM verification fails by checking the Tag subject checkbox. Be careful: when you do this with digitally signed messages you will destroy the digital signature (the size of the message will change and therefore the hash of the message), so the recipient will see an error message regarding a malformed signature. To prevent this, check the Do not tag digitally signed messages checkbox:
The last step is to enable DMARC verification. Again select Inbound Protection, select Domain-based Authentication and select Domain-based Message Authentication, Reporting and Conformance (DMARC).
No inbound DMARC verification has been enabled yet, so only the (disabled) default setting is shown:
To enable DMARC verification click Add. In the Add DMARC Settings window check the Enable DMARC checkbox, check the Insert an X-header into email messages checkbox and check the Deliver daily reports to senders checkbox:
In the Reject option you can select Delete entire message (default), but you can also select Do Not Intercept or Quarantine in case you don't feel comfortable deleting inbound messages. Click Add to store the DMARC verification settings in the HES configuration.
To test the inbound setting I can send an email from my Gmail account to my inframan.nl account. When checking the header of the message I can see the DKIM signature that Gmail adds, I can see the Received-SPF header and I can see the Authentication-Results header.
As you can see everything is verified successfully.
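The same header check can be scripted. The Python below is an added example, not part of the original post or of the TrendMicro product: it reads the Authentication-Results headers of a message and reports which of SPF, DKIM and DMARC did not pass, counting only headers stamped by the receiving gateway. The sample message, host names and the `mx.recipient.example` gateway identifier are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample (not from the post): the first header is stamped by the
# receiving gateway, the second was already in the message when it arrived.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=sender.example;
 dkim=pass (signature was verified) header.d=sender.example;
 dmarc=fail action=quarantine header.from=other.example
Authentication-Results: mx.untrusted.example; spf=pass; dkim=pass; dmarc=pass
From: Alice <alice@other.example>
To: bob@recipient.example
Subject: inbound verification test

body
"""

METHODS = ("spf", "dkim", "dmarc")

def auth_results(raw, trusted_authserv_id):
    """Return {method: result} using only headers stamped by our own gateway."""
    found = {}
    msg = message_from_string(raw)
    for value in msg.get_all("Authentication-Results", []):
        text = " ".join(str(value).split())      # unfold continuation lines
        text = re.sub(r"\([^)]*\)", "", text)    # drop (comments)
        head, _, rest = text.partition(";")
        authserv_id = (head.split() or [""])[0].lower()
        if authserv_id != trusted_authserv_id.lower():
            continue  # stamped by another host: the sender could have written it
        for part in rest.split(";"):
            m = re.match(r"\s*(\w+)\s*=\s*(\w+)", part)
            if m and m.group(1).lower() in METHODS:
                found.setdefault(m.group(1).lower(), m.group(2).lower())
    return found

def failed_checks(raw, trusted_authserv_id):
    """List the methods that are missing or did not return 'pass'."""
    results = auth_results(raw, trusted_authserv_id)
    return [m for m in METHODS if results.get(m) != "pass"]

if __name__ == "__main__":
    print(auth_results(SAMPLE, "mx.recipient.example"))
    print(failed_checks(SAMPLE, "mx.recipient.example"))
```

Replace the placeholder gateway identifier with the one your own inbound service writes at the start of its Authentication-Results header; results stamped by any other host are ignored because the sender can insert them.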
Summary
In the last three blog posts I've been discussing Hosted Email Security from TrendMicro. In the first two blog posts I showed you how to enable SPF, DKIM signing and DMARC verification for outbound email (i.e. stuff that's performed by email servers of the recipients) and in this last blog post I've shown you how to enable SPF, DKIM and DMARC verification, i.e. the services you have to enable when receiving email messages.
Especially for inbound messages, using an online service is very convenient since it removes the complexity and the hassle of maintaining the configuration.