In the previous two blogpost I discussed how to configure SPF, DKIM and DMARC for outbound messages using the TrendMicro Hosted Email Security solution, including Office 365 centralized mail transport. In this blog I’ll discuss SPF, DKIM and DMARC for inbound messages (i.e. the verification part) using the TrendMicro solution.
For inbound protection there’s not too much configuration to do, the only thing when using an online service is enabling the services.
In HEC Console select Inbound Protection and select Domain-based Authentication. Here you’ll find the options for SPF, DKIM and DMARC:
Select the Sender Policy Framework (SPF) option and in the SPF window check the enable SPF checkbox and when needed, check the Insert an X-header into email messages checkbox:
Continue reading TrendMicro Hosted Email Security: SPF DKIM and DMARC Part III
In my previous blog I showed you how I implemented Trend Micro Hosted Email Security (HES) in my Exchange 2010 environment. Interesting case, it’s an Exchange 2010 hybrid environment with mailboxes in on-premises Exchange 2010 as well as mailboxes in Exchange Online. Centralized mail transport is used, so mail to and from Office 365 always routes via HES and the on-premises Exchange 2010 servers to Exchange Online. In this blog I will focus on implementing SPF, DKIM and DMARC in Trend Micro Hosted Email Security.
SPF in itself is covered in more detail in a previous blog post “SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part I” which can be found here: https://jaapwesselius.com/2016/08/19/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-i/.
In this scenario, mail from the inframan.nl domain (including Office 365) is only routed via the Hosted Email Security environment so the SPF record is pretty simple:
v=spf1 include:spf.hes.trendmicro.com ~all
Set this TXT record in your public domain, start sending email and when checking the header information you’ll see your all good here:
DKIM is a little more work to configure and takes a bit more time. DKIM is covered more in detail in part II of a previous series “SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part II” which can be found here: https://jaapwesselius.com/2016/08/22/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-ii/
DKIM is about signing header information using a private key, and to decipher the signature you need a public key which is stored in public DNS, accessible for every mail server on the Internet. No need to worry about the configuration, HES will deliver all the details.
In the HES console select Outbound Protection and select DomainKeys Identified Mail (DKIM) Signing.
Continue reading TrendMicro Hosted Email Security: SPF DKIM and DMARC Part II
A couple of years ago I have been working with the TrendMicro Hosted Email Security (HES) solution and I was very satisfied with it. With the upcoming SPF, DKIM and DMARC awareness I was looking for online solutions that offer this kind of security measures and I found that HES now offers these solutions as well.
I have a hybrid Exchange environment with multi-role Exchange 2010 servers, Exchange 2010 Edge Transport servers and a hybrid configuration. There’s no dedicated Exchange 2016 server for this, the hybrid configuration just uses the existing Exchange 2010 servers. And this works well. There’s an additional namespace o365mail.inframan.nl, this is used solely for SMTP communication between Exchange Online and the on-premises Exchange 2010 servers (without the use of the Edge Transport servers). The configuration looks like this:
This a hybrid configuration with a centralized mailflow. All email is sent and received through the on-premises Exchange environment, including email from and to Office 365. So, email sent to the internet by users in Office 365 are sent first to the Exchange 2010 servers, and then via the Edge Transport servers to the Internet. This way you have full control over your Internet mail flow.
The Edge Transport servers don’t do a great job when it comes to message hygiene. You can configure Realtime Block Lists (RBL) like Spamhaus, configure content filtering using word lists and attachment filtering, but still (a lot of) spam ends-up in the user’s mailboxes. Therefore 3rd party solutions like Cisco Email Security Appliance (ESA, formerly known as IronPort) are used in front of on-premises Exchange solutions
Continue reading TrendMicro Hosted Email Security: SPF DKIM and DMARC Part I
Microsoft has implemented DKIM, DMARC and SPF in Exchange Online, the only thing you have to do is enable it. The only thing for DKIM you have to do is create two CNAME records in DNS and enable DKIM in the Exchange Admin Center.
DKIM CNAME records
The CNAME records you have to create for DKIM look like this:
Selector1 and selector 2 are the 2 selector tags (in Office 365 these will always be selector1 and selector2), the _domainkey is a default tag that will be added. Of course you have to replace the contoso.com with your own domain.
The CNAME records have to point to the following locations:
Continue reading DKIM in Office 365
In a previous blogpost, I already discussed DKIM signing with Exchange 2016: SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part II
Exchange out-of-the-box does support SPF checking, but DKIM signing/verifying and DMARC verifying are not supported. There are free 3rd party tools for DKIM Signing that can be found on GitHub, but at the moment of writing this tool only supports DKIM Signing, but does not support DKIM verifying. I have to admit that DKIM signing with this tool works very well.
I already explained earlier that I’ve installed and configured a Cisco Email Security Appliance (ESA, previously known as IronPort) appliance in my lab environment, and this is installed like this:
Figure 1. My testlab Exchange environment.
All outbound SMTP mail is via the ESA. The FQDN of the ESA is smtphost.exchangelabs.nl, of course it has a public IP address with a corresponding PTR record.
Continue reading Cisco Email Security Appliance and DKIM Signing