DMARC, DKIM and SPF – deep dive useful links (with focus on O365)


Sometimes it is good enough to have one place with reliable links to all the information you need. Since this blog is also meant to be my notepad, so that I remember things for longer, I will place them here. This is especially true for DKIM: it is broadly covered on the Internet, but I was not able to find a place where everything is described from A to Z. So here is a set of useful links about these mechanisms.

DMARC / DKIM / SPF

Microsoft docs describing these mechanisms and how they cooperate:

https://docs.microsoft.com/en-us/office365/securitycompliance/use-dmarc-to-validate-email

Here is a brilliant article explaining how these three cooperate:

http://no-one-uses-email-anymore.com/the-trinity-of-email-protection-lessons-learned-using-dmarc-dkim-and-spf-in-office-365/

DMARC

A nice graph showing the message flow, a good overview:

https://dmarc.org/overview/

Great DMARC examples:

https://www.sonicwall.com/en-us/support/knowledge-base/170504796167071

A DMARC record analyzer; you can also get some examples from there:

https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

Here you get an explanation and the default values for all the tags, so you know what you need to configure and what can safely be left at its default:

http://www.zytrax.com/books/dns/ch9/dmarc.html
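To see which tags a published record actually sets and which fall back to defaults, here is a small record linter, added as an example (it is not from this post or the linked pages). The defaults are the ones defined in RFC 7489; the function name `parse_dmarc` and the sample record are constructed for illustration.

```python
# Added example: DMARC tag defaults per RFC 7489, section 6.3.
DMARC_DEFAULTS = {
    "adkim": "r",    # relaxed DKIM alignment
    "aspf": "r",     # relaxed SPF alignment
    "fo": "0",       # failure report only when every mechanism fails
    "pct": "100",    # policy applies to all mail
    "rf": "afrf",    # failure report format
    "ri": "86400",   # aggregate report interval, seconds
}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return (effective, explicit): every tag with defaults filled in,
    and the set of tags the record actually publishes."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name] = value.strip()
    # v= must be the first tag and is case-sensitive.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    # Strict publishing-side check: p= has no default.
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    effective = {**DMARC_DEFAULTS, **tags}
    # sp= (subdomain policy) inherits p= when it is not published.
    effective.setdefault("sp", effective["p"])
    if not 0 <= int(effective["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return effective, set(tags)


if __name__ == "__main__":
    # Constructed sample record; example.com is a placeholder domain.
    record = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=50"
    effective, explicit = parse_dmarc(record)
    for tag, value in effective.items():
        origin = "published" if tag in explicit else "default"
        print(f"{tag:6} {value:30} {origin}")
```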

DKIM

I was wondering if setting up DKIM will affect communication in case an external party sends as ‘you’ without an encrypted DKIM header – it will not, and here is a really great explanation of how DKIM works; the 5:40 mark has the explanation of what happens if DKIM verification wasn’t successful.

But I had another question: what the hell are those freaking selectors and why do we need 2 of them? Well, the answer was really easy. It is similar to the situation with certificates and S/MIME, where you need to keep the old certificate to decrypt old messages. Here the situation is similar: it is all about the moment of key rotation and change (as Microsoft not only rotates the keys but can change them for us). Here is just a wonderful explanation:

https://blogs.msdn.microsoft.com/tzink/2015/10/30/how-office-365-does-automatic-dkim-key-rotation/

It also explains what an administrator needs to do to enable DKIM for a custom domain in Exchange Online. In short, you just need to enable it and create DNS records, but only CNAMEs pointing to the real DKIM records created and hosted by Microsoft. The article above explains why to do it and how to do it.
