{"id":43,"date":"2024-02-20T08:38:08","date_gmt":"2024-02-20T08:38:08","guid":{"rendered":"https:\/\/blogs.hyperstrato.com\/?p=43"},"modified":"2024-03-21T06:58:19","modified_gmt":"2024-03-21T06:58:19","slug":"office-365demystifying-spf-dkim-dmarc","status":"publish","type":"post","link":"https:\/\/blogs.hyperstrato.com\/index.php\/2024\/02\/20\/office-365demystifying-spf-dkim-dmarc\/","title":{"rendered":"Office 365Demystifying SPF\/DKIM\/DMARC"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"aioseo-agenda\"><span class=\"ez-toc-section\" id=\"Agenda\"><\/span>Agenda<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Phishing and Spoofing<\/li>\n\n\n\n<li>Fighting Phishing<\/li>\n\n\n\n<li>How to read a Message Header and a Message Trace<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-phishing-and-spoofing\"><span class=\"ez-toc-section\" id=\"What_is_email\"><\/span><strong>What is email?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>A method of exchanging digital messages from an author to one or more recipients<br>Email is defined by the following standards:<br><strong>RFC 5321 <\/strong>defines the host-to-host protocol (Envelope)<br><strong>RFC 5322 <\/strong>governs the content of messages (Header and Body)<br>The P1 header is used to <strong>route<\/strong> a message, and is not displayed as part of the message. 
It contains the values given in the MAIL FROM and RCPT TO commands of the SMTP connection:<br><strong>MAIL FROM<\/strong>: <a href=\"mailto:sender@contoso.com\">sender@contoso.com<\/a><br><strong>RCPT TO<\/strong>: <a href=\"mailto:recipient@fabrikam.com\">recipient@fabrikam.com<\/a><br>The P2 header is what you <strong>see<\/strong> when you open a message in your email client.<br><strong>FROM:<\/strong> <a href=\"mailto:sender@contoso.com\">sender@contoso.com<\/a><br><strong>TO:<\/strong> <a href=\"mailto:recipient@fabrikam.com\">recipient@fabrikam.com<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-phishing-and-spoofing\"><span class=\"ez-toc-section\" id=\"What_is_Phishing\"><\/span><strong>What is Phishing?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>A targeted attack on corporate users to harvest personal information or usernames and passwords.<br>Evolution of Phish<br>If it targets an individual, the motive is mostly financial.<br>If the target is an organization, the motive is mostly network compromise.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"743\" height=\"538\" src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/phishingemail-2.png\" alt=\"\" class=\"wp-image-136\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/phishingemail-2.png 743w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/phishingemail-2-300x217.png 300w\" sizes=\"(max-width: 743px) 100vw, 743px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-what-to-find-for-in-a-phishing-email\"><span class=\"ez-toc-section\" id=\"What_to_find_for_in_a_Phishing_Email\"><\/span>What to look for in a Phishing Email?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>A bank or financial institution.&nbsp; <\/strong>Phishing messages purport to come from banks or online financial institutions like PayPal or eBay, where money can change hands.<\/li>\n\n\n\n<li><strong>Your account has been compromised or is about to expire. <\/strong>In the sample above, the bank claims to have noticed that your account has had some suspicious activity.&nbsp; This plays on your fear that maybe someone did break into your account.&nbsp; After all, haven&#8217;t we heard stories that banks have been losing people&#8217;s personal information?<\/li>\n\n\n\n<li><strong>A threat.<\/strong>&nbsp; If you don&#8217;t fix this problem within a certain period of time, your account will be disabled and then you&#8217;ll really be in trouble.<\/li>\n\n\n\n<li><strong>Don&#8217;t worry, click here to fix it.&nbsp; <\/strong>To remedy the problem &#8212; that your account will expire, or to lock down your account or change your password &#8212; follow the link in the message, which will take you to a web page to fix it.<\/li>\n\n\n\n<li><strong>A fake link.<\/strong> You&#8217;ll see a link in the message that appears to be from the bank (in the example, it&#8217;s supposedly a secure site going to woodgrove) but if you hover your mouse over it, the link actually points somewhere else.&nbsp; This is simply a trick using HTML coding.<\/li>\n\n\n\n<li><strong>Poor grammar.&nbsp; <\/strong>I&#8217;ve italicized this because it does not occur in every phishing message.&nbsp; However, if you get a message from a bank that contains lots of spelling mistakes and poor verb tenses (you know, the complete opposite of my blog), then you can be certain it didn&#8217;t come from the purported source.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-the-common-types-of-phishing-we-see-today\"><span class=\"ez-toc-section\" id=\"The_common_types_of_phishing_we_see_today\"><\/span>The common types of phishing we see today<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"aioseo-spoofing-your-exact-domain-in-the-from-address\"><span class=\"ez-toc-section\" 
id=\"Spoofing_your_exact_domain_in_the_From_address\"><\/span>Spoofing your exact domain in the From: address<span class=\"ez-toc-section-end\"><\/span><\/h6>\n\n\n\n<p>From: Mr William &lt;<a href=\"mailto:william@christopher.com\">william@christopher.com<\/a>&gt;<br>To: Mr Abhinav &lt;<a href=\"mailto:abhinav@christopher.com\">abhinav@christopher.com<\/a>&gt;<br><br>These attacks are really tricky. When you use Exchange and Outlook, and an email comes in that looks like it&#8217;s from someone in your Global Address Book, Outlook will show that person&#8217;s photo from Active Directory. This can trick you into thinking the email is real, even if it&#8217;s not.<br>This problem affects the whole industry. To fix it on your own, you can set up SPF, DKIM, and DMARC records for your domain. If you can&#8217;t do that, don&#8217;t worry. Exchange Online Protection (EOP) has an anti-spoofing feature that works even if you don&#8217;t have those records. It&#8217;s going to be turned on for everyone automatically, so your domain will be safe right from the start.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"aioseo-lookalike-spoofing\"><span class=\"ez-toc-section\" id=\"Lookalike_spoofing\"><\/span>Lookalike spoofing<span class=\"ez-toc-section-end\"><\/span><\/h6>\n\n\n\n<p>From: Mr William &lt;william@christ0pher&gt;<br>To: Mr Abhinav &lt;abhinav@christopher.com&gt;<br><br>Lately, there&#8217;s been a rise in a certain type of email attack, about 1 in every 10 spear phishing attempts. These attacks involve email domains that look correct at first glance because a numeric character replaces a letter, such as &#8220;0&#8221; in place of &#8220;o&#8221;. This means the fake domain has one or more letters that are different, but it&#8217;s hard to notice at first.<br>Scammers do this to bypass security measures like SPF, DKIM, and DMARC. They&#8217;re counting on the fact that a legitimate domain can&#8217;t possibly register every similar-looking domain. 
One downside for these scammers is that if you reply to their email, your response won&#8217;t go through unless they&#8217;ve set up a receiving email server for that fake domain. Moreover, if you&#8217;re using Exchange and Outlook, you won&#8217;t see a photo next to the email address because the fake domain won&#8217;t be in your Global Address Book. This gives away the scam because it lacks this extra layer of deception.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"aioseo-display-from-attacks\"><span class=\"ez-toc-section\" id=\"%E2%80%98Display_From_attacks\"><\/span>\u2018Display From\u2019 attacks<span class=\"ez-toc-section-end\"><\/span><\/h6>\n\n\n\n<p>From: Mr William &lt;william@gmail.com&gt;<br>To: Mr Abhinav &lt;abhinav@christopher.com&gt;<br><br>In this scam, the fraudster sends an email to the company&#8217;s CFO from a common free email service, like Gmail, Yahoo, or Outlook.com, pretending to be the CEO. The CFO might think the CEO is emailing from his personal account because he can&#8217;t access his work one, perhaps using a mobile phone.<br>These kinds of attacks work because it&#8217;s quite easy to make email accounts that look real. Scammers can find names from LinkedIn, then set up accounts with those names at free email services. These messages can even pass through security checks like SPF, DKIM, and DMARC, because they&#8217;re sent from trusted IPs. They use everyday language, which can trick people into thinking the email is genuine.<br>However, there&#8217;s a catch, much like the one mentioned earlier. If the company uses Exchange and Outlook, the CEO&#8217;s photo won&#8217;t show up in the email because the scammer&#8217;s email address isn&#8217;t in the Global Address Book. 
Also, the recipient is likely to see the full email address, which might not be recognized since it&#8217;s not in their address book, revealing that it&#8217;s not the actual CEO.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-phishing-vs-spoofing\"><span class=\"ez-toc-section\" id=\"Phishing_vs_Spoofing\"><\/span>Phishing vs Spoofing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Spoofing<\/strong> involves pretending to be someone else to deceive the person receiving the message into doing something they wouldn&#8217;t normally do.<\/p>\n\n\n\n<p>A <strong>phishing<\/strong> attack is when the person sending the message attempts to deceive the recipient into revealing private information that leads to financial profit for the attacker.<\/p>\n\n\n\n<p>It&#8217;s important to understand the distinction: while phishing often involves impersonating a credible entity to gather information, spoofing doesn&#8217;t always aim to collect data. Sometimes, the goal of spoofing is just to manipulate the recipient into installing harmful software.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-how-to-fight-them\"><span class=\"ez-toc-section\" id=\"How_to_Fight_them\"><\/span>How to Fight them?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>There are three mechanisms that can help us fight spoofing.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SPF<\/li>\n\n\n\n<li>DKIM<\/li>\n\n\n\n<li>DMARC<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-what-is-spf\"><span class=\"ez-toc-section\" id=\"What_is_SPF\"><\/span>What is SPF?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u2022Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain&#8217;s administrators.<\/p>\n\n\n\n<p>\u2022Sender Policy Framework is defined in RFC 
7208<\/p>\n\n\n\n<p>\u2022The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record<\/p>\n\n\n\n<p>\u2022A receiving mail server performs an SPF check by confirming that the connecting IP address is in the SPF record for the 5321.MailFrom domain.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Ex. christopher.com TXT v=spf1 ip4:103.309.10.23 ip4:120.90.2.9 include:spf.protection.outlook.com include:sharepointonline.com -all<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-how-does-spf-work\"><span class=\"ez-toc-section\" id=\"How_does_SPF_work\"><\/span>How does SPF work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" width=\"1024\" height=\"548\" src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SPFHWO-1024x548.png\" alt=\"\" class=\"wp-image-78\" style=\"width:700px;height:auto\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SPFHWO-1024x548.png 1024w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SPFHWO-300x161.png 300w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SPFHWO-768x411.png 768w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SPFHWO-1536x822.png 1536w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SPFHWO-2048x1096.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-spf-and-mx-records-that-do-not-point-to-eop\"><span class=\"ez-toc-section\" id=\"SPF_and_MX_records_that_do_not_point_to_EOP\"><\/span>SPF and MX records that do not point to EOP<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u2022The advanced spam filtering (ASF) option SPF record: hard may generate lots of false positives for users who have the option enabled if the primary MX record 
doesn&#8217;t point to Exchange Online Protection (EOP)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" width=\"1024\" height=\"349\" src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/IP12EOP-1024x349.png\" alt=\"\" class=\"wp-image-81\" style=\"width:708px;height:auto\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/IP12EOP-1024x349.png 1024w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/IP12EOP-300x102.png 300w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/IP12EOP-768x262.png 768w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/IP12EOP-1536x524.png 1536w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/IP12EOP-2048x699.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>\u2022Within EOP, the SPF check is performed on IP address 2. (This is the on-premises mail server\u2019s relaying IP address.) However, the SPF check should have been performed on IP address 1. (This is the original connecting IP address.) Because EOP uses IP address 2 instead of IP address 1, any domain that publishes an SPF hard fail will fail SPF and will be marked incorrectly as spam. 
This occurs even if the domain would originally have passed SPF if the messages had been sent first through EOP and then to the on-premises mail server.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"738\" height=\"852\" src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SPFhardfail.png\" alt=\"\" class=\"wp-image-84\" style=\"width:367px;height:auto\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SPFhardfail.png 738w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SPFhardfail-260x300.png 260w\" sizes=\"(max-width: 738px) 100vw, 738px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-spf-is-not-enough-what-else\"><span class=\"ez-toc-section\" id=\"SPF_is_not_enough%E2%80%A6_What_else\"><\/span>SPF is not enough&#8230; What else?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<p><strong>Email forwarding breaks SPF check<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"675\" src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/emailforward1-1024x675.png\" alt=\"\" class=\"wp-image-89\" style=\"width:411px;height:auto\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/emailforward1-1024x675.png 1024w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/emailforward1-300x198.png 300w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/emailforward1-768x506.png 768w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/emailforward1-1536x1012.png 1536w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/emailforward1-2048x1350.png 
2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Problem: <\/strong>Forwarding email breaks SPF check. Weak SPF check on shared IP. The 5322.From address can be spoofed<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<p><strong>Weak SPF validation on shared IP<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"787\" src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SharedIPSPF-1024x787.png\" alt=\"\" class=\"wp-image-90\" style=\"width:354px;height:auto\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SharedIPSPF-1024x787.png 1024w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SharedIPSPF-300x231.png 300w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SharedIPSPF-768x591.png 768w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SharedIPSPF-1536x1181.png 1536w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/SharedIPSPF-2048x1575.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Solution:<\/strong> Authenticated digital signature \u2013 DKIM<br>Sender authentication &#8211; DMARC<\/p>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-what-is-dkim\"><span class=\"ez-toc-section\" id=\"What_is_DKIM\"><\/span>What is DKIM?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u2022DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain&#8217;s administrators.<\/p>\n\n\n\n<p>\u2022DKIM is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam.<\/p>\n\n\n\n<p>\u2022DKIM allows the receiver to check 
that an email claimed to come from a specific domain was indeed authorized by the owner of that domain which is done using cryptographic authentication.<\/p>\n\n\n\n<p>\u2022Verification is carried out using the signer&#8217;s public key published in the DNS<\/p>\n\n\n\n<p>\u2022The DKIM-Signature header field consists of a list of tag=value parts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>b = the actual digital signature of the contents (headers and body) of the mail message<\/li>\n\n\n\n<li>bh = the body hash<\/li>\n\n\n\n<li>d = the signing domain<\/li>\n\n\n\n<li>s = the selector<\/li>\n\n\n\n<li>h = the order of selected header fields that are hashed<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Ex. v=1; a=rsa-sha256; c=relaxed\/relaxed; d=christopher.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=HLYdM5QF\/Xh6qSCBbxOV29tQIzSp+Tt42Ey6ncnY++8=; b=Ed+ltN\/9S3+JX+I6wIgvqqUZGRc\/eh+ECwQltwTJQQyYQtD2A0xDyeCsYQ5Es2W+RJz4\/6ZsD5CNqCHaDpw08DoZp6DY33JoDfVgVDYtbuErzUhi97A\/9CeaPi9nfFGUxDoEhj7TXE1ROJvWHQpQBLy8\/nCEYc5\/SNriK7uBNpg=<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-how-to-enable-dkim\"><span class=\"ez-toc-section\" id=\"How_to_enable_DKIM\"><\/span>How to enable DKIM<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>The first step would be to publish two CNAMEs in the public DNS in the following form:<\/strong><br>Host name: selector1._domainkey<br>Points to address or value: selector1-.domainkey.<br>TTL: 3600<\/p>\n\n\n\n<p>Host name: selector2._domainkey<br>Points to address or value: selector2-.domainkey.<br>TTL: 3600<\/p>\n\n\n\n<p>The usage of two CNAMEs is directly related to the key rotation performed in Office 365 every 365 days.<\/p>\n\n\n\n<p>The Customer has to perform this for each domain (that needs outbound signing) that you are hosting in Office 365.<\/p>\n\n\n\n<p>Next, the Customer has two options: PowerShell or GUI. 
From PowerShell, we have to enable the DKIM signing policy:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>New-DkimSigningConfig -DomainName &lt;domainGUID&gt; -Enabled $true<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-how-does-dkim-work\"><span class=\"ez-toc-section\" id=\"How_does_DKIM_work\"><\/span>How does DKIM work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>DKIM \u2013 DomainKeys Identified Mail<\/strong><\/p>\n\n\n\n<p>The email content is signed using the sender&#8217;s private key. The recipient verifies the signature using the public key, which is looked up in the DNS of the signing domain named in the DKIM header.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"889\" src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/HowDKIMWOrks-1024x889.png\" alt=\"\" class=\"wp-image-101\" style=\"width:461px;height:auto\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/HowDKIMWOrks-1024x889.png 1024w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/HowDKIMWOrks-300x261.png 300w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/HowDKIMWOrks-768x667.png 768w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/HowDKIMWOrks-1536x1334.png 1536w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/HowDKIMWOrks-2048x1779.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-dmarc-doesnot-fail-when-being-forwarded-unlike-spf\"><span class=\"ez-toc-section\" id=\"DMARC_does_not_fail_when_being_forwarded\"><\/span>DMARC does not fail when being forwarded<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The advantage of DKIM is that it can survive being forwarded.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"282\" 
src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DKIMFOrwardWIN-1024x282.png\" alt=\"\" class=\"wp-image-104\" style=\"width:606px;height:auto\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DKIMFOrwardWIN-1024x282.png 1024w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DKIMFOrwardWIN-300x83.png 300w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DKIMFOrwardWIN-768x211.png 768w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DKIMFOrwardWIN-1536x423.png 1536w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DKIMFOrwardWIN-2048x563.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-check-dkim-status-in-email-header\"><span class=\"ez-toc-section\" id=\"Check_DKIM_status_in_Email_Header\"><\/span>Check DKIM status in Email Header<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>If the DKIM signature fails to validate, the reason should be stamped in the header in parentheses after the dkim=&lt;result&gt; value, all in lower case. Below is an example header that shows the DKIM status.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>spf=pass (sender IP is 209.85.216.49) smtp.mailfrom=tripathi.com; dkim=pass (signature was verified) header.d=tripathi.com;dmarc=pass action=none header.from=aaddress.in;compauth=pass reason=100<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-composite-authentication\"><span class=\"ez-toc-section\" id=\"Composite_authentication\"><\/span>Composite authentication<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The results of Microsoft 365&#8217;s implicit authentication checks are combined and stored in a single value named&nbsp;<em>composite authentication<\/em>&nbsp;or&nbsp;<code>compauth<\/code>&nbsp;for short.
The&nbsp;<code>compauth<\/code>&nbsp;value is stamped into the&nbsp;<strong>Authentication-Results<\/strong>&nbsp;header in the message headers. The&nbsp;<strong>Authentication-Results<\/strong>&nbsp;header uses the following syntax:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Authentication-Results:\n   compauth=&lt;fail | pass | softpass | none&gt; reason=&lt;yyy&gt;<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-different\"><span class=\"ez-toc-section\" id=\"Different_Authentication-Results_bases_on_Scenario\"><\/span>Different Authentication-Results based on Scenario<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Scenario<\/strong>: The tripathi.com domain has no SPF, DKIM, or DMARC records.<\/p>\n\n\n\n<p><strong>Result<\/strong>: Messages from senders in the fabrikam.com domain can fail composite authentication.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Authentication-Results: spf=none (sender IP is 10.2.3.4)\n  smtp.mailfrom=tripathi.com; christopher.com; dkim=none\n  (message not signed) header.d=none; contoso.com; dmarc=none\n  action=none header.from=tripathi.com; compauth=fail reason=001\nFrom: Abhinav@tripathi.com\nTo: william@christopher.com<\/code><\/pre>\n\n\n\n<p><strong>Scenario<\/strong>: The tripathi.com domain has an SPF record and no DKIM record.
The domains in the MAIL FROM and From addresses match.<\/p>\n\n\n\n<p><strong>Result<\/strong>: The message can pass composite authentication, because the domain that passed SPF matches the domain in the From address<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Authentication-Results: spf=pass (sender IP is 10.2.3.4)\n  smtp.mailfrom=tripathi.com; christopher.com; dkim=none\n  (message not signed) header.d=none; christopher.com; dmarc=bestguesspass\n  action=none header.from=tripathi.com; compauth=pass reason=109\nFrom: abhinav@tripathi.com\nTo: william@christopher.com<\/code><\/pre>\n\n\n\n<p><strong>Scenario<\/strong>: The tripathi.com domain has a DKIM record without an SPF record. The domain that DKIM signed the message matches the domain in the From address.<\/p>\n\n\n\n<p><strong>Result<\/strong>: The message can pass composite authentication, because the domain in the DKIM signature matches the domain in the From address<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Authentication-Results: spf=none (sender IP is 10.2.3.4)\n  smtp.mailfrom=tripathi.com; christopher.com; dkim=pass\n  (signature was verified) header.d=outbound.tripathi.com;\n  contoso.com; dmarc=bestguesspass action=none\n  header.from=tripathi.com; compauth=pass reason=109\nFrom: abhinav@tripathi.com\nTo: william@christopher.com<\/code><\/pre>\n\n\n\n<p><strong>Scenario<\/strong>: The domain in the SPF record or the DKIM signature doesn&#8217;t match the domain in the From address.<\/p>\n\n\n\n<p><strong>Result<\/strong>: The message can fail composite authentication<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Authentication-Results: spf=none (sender IP is 192.168.1.8)\n  smtp.mailfrom=maliciousdomain.com; christopher.com; dkim=pass\n  (signature was verified) header.d=maliciousdomain.com;\n  contoso.com; dmarc=none action=none header.from=christopher.com;\n  compauth=fail reason=001\nFrom: william@christopher.com\nTo: Abhinav@tripathi.com<\/code><\/pre>\n\n\n\n<h2 
class=\"wp-block-heading\" id=\"aioseo-different-status-of-dkim-in-email-header\"><span class=\"ez-toc-section\" id=\"Different_Status_of_DKIM_in_Email_Header\"><\/span>Different Status of DKIM in Email Header<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Pass:<\/strong> DKIM validation passes<\/li>\n\n\n\n<li><strong>Fail<\/strong>: DKIM validation fails (message contains a DKIM header but validation fails)<\/li>\n\n\n\n<li><strong>Ignore<\/strong>: DKIM validation not performed because the public key is less than 1024 bits, or the DKIM-signature exists but the signature was not verified<\/li>\n\n\n\n<li><strong>Timeout<\/strong>: Message contains a DKIM header but DNS lookup times out<\/li>\n\n\n\n<li><strong>Error<\/strong>: Message contains a DKIM header but DNS lookup returns an error<\/li>\n\n\n\n<li><strong>None<\/strong>: Message does not contain a DKIM header. In this case, the header.d= should be none<\/li>\n<\/ul>\n\n\n\n<p><strong>There are several causes for the following two errors:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>body hash did not verify<\/li>\n\n\n\n<li>signature did not verify<\/li>\n<\/ul>\n\n\n\n<p><strong>Possible causes:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The message may have been modified (perhaps by a mailing list or forwarder) in transit;<\/li>\n\n\n\n<li>The signature or hash values may have been calculated or applied incorrectly by the signer;<\/li>\n\n\n\n<li>The wrong public key value may have been published in DNS; or<\/li>\n\n\n\n<li>The message may have been spoofed by an entity not in possession of the private key needed to calculate a correct signature.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-logs-we-can-check-when-dkim-fails\"><span class=\"ez-toc-section\" id=\"Logs_we_can_check_when_DKIM_Fails\"><\/span>Logs we can check when DKIM Fails:<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We can run the 
following PowerShell command to check the status:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-DkimSigningConfig -Identity &lt;yourdomain.com&gt; | fl *publickey*, *cname*, status<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-what-is-dmarc\"><span class=\"ez-toc-section\" id=\"What_is_DMARC\"><\/span>What is DMARC?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email-validation system designed to detect and prevent email spoofing.<\/li>\n\n\n\n<li>It provides a mechanism which allows a receiving organization to check that incoming mail from a domain is authorized by that domain&#8217;s administrators and that the email (including attachments) has not been modified during transport.<\/li>\n\n\n\n<li>DMARC is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations.<\/li>\n\n\n\n<li>DMARC is specified in RFC 7489.<\/li>\n\n\n\n<li>DMARC policies are published by domain owners and applied by mail receivers to the messages that don&#8217;t pass the alignment test. The domain being queried is the author domain, that is, the domain to the right of @ in the From: header field. The policy can be one of three values: none (the so-called monitor mode), quarantine (treat the message with suspicion according to the receiver&#8217;s capabilities), or reject (reject the message outright). A reject policy is fine for domains that don&#8217;t have individual human users, for companies with firm staff policies that all mail goes through the company mail server and that employees don&#8217;t join mailing lists and the like using company addresses, or for companies that provide a separate, less strictly managed domain for staff mail.
Strict policies will never be appropriate for public webmail systems where the users will use their mail addresses any way one can use a mail address.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-how-does-dmarc-work\"><span class=\"ez-toc-section\" id=\"How_Does_DMARC_Work\"><\/span>How Does DMARC Work<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>DMARC uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate the 5322.From address.<\/p>\n\n\n\n<p>DMARC will pass if an SPF or DKIM check passes and the domains in the 5321.MailFrom and 5322.From addresses match. This means that DMARC will always fail if the domain of the <strong>5321.MailFrom<\/strong> does <strong>not match <\/strong>the domain of the <strong>5322.From<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"500\" src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/Add-a-little-bit-of-body-text.png\" alt=\"\" class=\"wp-image-116\" style=\"width:680px;height:auto\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/Add-a-little-bit-of-body-text.png 1000w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/Add-a-little-bit-of-body-text-300x150.png 300w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/Add-a-little-bit-of-body-text-768x384.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-dmarc-reporting-feedback-loop\"><span class=\"ez-toc-section\" id=\"DMARC_Reporting_%E2%80%93_Feedback_loop\"><\/span>DMARC Reporting \u2013 Feedback loop<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The 5322.From domain and the domain that is authenticated (using either SPF or DKIM) must be aligned.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" 
height=\"664\" src=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DMARCReportNotification-1024x664.png\" alt=\"\" class=\"wp-image-118\" style=\"width:564px;height:auto\" srcset=\"https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DMARCReportNotification-1024x664.png 1024w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DMARCReportNotification-300x194.png 300w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DMARCReportNotification-768x498.png 768w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DMARCReportNotification-1536x996.png 1536w, https:\/\/blogs.hyperstrato.com\/wp-content\/uploads\/2024\/02\/DMARCReportNotification.png 1987w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-dmarc-policy\"><span class=\"ez-toc-section\" id=\"DMARC_Policy\"><\/span>DMARC Policy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A DMARC policy allows a sender to indicate that their emails are protected by SPF and\/or DKIM, and tells a receiver what to do if neither of those authentication methods passes, such as quarantine or reject the message. DMARC removes guesswork from the receiver\u2019s handling of these failed messages, limiting or eliminating the user\u2019s exposure to potentially fraudulent and harmful messages.<\/li>\n\n\n\n<li>Another great feature of DMARC is that it also provides a way for the email receiver to report back to the sender about messages that pass or fail DMARC evaluation. To ensure the sender trusts this process and knows the impact of publishing a policy different than p=none (monitor mode), the receiver sends daily aggregate reports indicating to the sender how many emails have been received and if these emails passed SPF and\/or DKIM and if they were aligned. 
This greatly helps organizations deploying SPF and DKIM as they can slowly deploy these features and monitor them without first blocking or rejecting any emails.<\/li>\n\n\n\n<li>DMARC policies are published using DNS TXT resource records and announce what an email receiver should do with non-aligned mail it receives. Because the specification is available with no licensing or similar restriction, any interested party is free to implement it.<\/li>\n<\/ul>\n\n\n\n<p>Below is an example of a DMARC record, which is a TXT record in Office 365:<\/p>\n\n\n\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-ad2f72ca wp-block-group-is-layout-flex\">\n<pre class=\"wp-block-code\"><code>_dmarc.christopher.com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>v=DMARC1; p=quarantine; rua=mailto:dmarkreport@christopher.com; ruf=mailto:dmarkreport@christopher.com; adkim=r; aspf=r; pct=20; rf=afrf; sp=quarantine<\/code><\/pre>\n<\/div>\n\n\n\n<p>Let&#8217;s understand what each value in the above TXT record means:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Tag name<\/td><td>Purpose<\/td><td>Example<\/td><\/tr><tr><td>v<\/td><td>Protocol version<\/td><td>v=DMARC1<\/td><\/tr><tr><td>pct<\/td><td>Percentage of messages subjected to filtering<\/td><td>pct=20<\/td><\/tr><tr><td>ruf<\/td><td>Reporting URI for forensic reports<\/td><td>ruf=mailto:dmarkreport@christopher.com<\/td><\/tr><tr><td>rua<\/td><td>Reporting URI for aggregate reports<\/td><td>rua=mailto:dmarkreport@christopher.com<\/td><\/tr><tr><td>p<\/td><td>Policy for the organizational domain<\/td><td>p=quarantine<\/td><\/tr><tr><td>sp<\/td><td>Policy for subdomains of the organizational domain<\/td><td>sp=quarantine<\/td><\/tr><tr><td>adkim<\/td><td>Alignment mode for DKIM<\/td><td>adkim=r (relaxed) or adkim=s (strict)<\/td><\/tr><tr><td>aspf<\/td><td>Alignment mode for SPF<\/td><td>aspf=r (relaxed) or aspf=s (strict)<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Agenda What is 
email? A method of exchanging digital messages from an author to one or more recipientsEmail is defined by the following standards:RFC 5321 defines the host-to-host protocol (Envelope)RFC 5322 governs the content of messages (Header and Body)The P1 header is used to route a message, and is not displayed as part of the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":152,"comment_status":"open","ping_status":"open","sticky":false,"template":"elementor_theme","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[5,9,6],"tags":[],"class_list":["post-43","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exchange-online","category-how-it-works","category-office-365"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/posts\/43","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/comments?post=43"}],"version-history":[{"count":52,"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/posts\/43\/revisions"}],"predecessor-version":[{"id":153,"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/posts\/43\/revisions\/153"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/media\/152"}],"wp:attachment":[{"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/media?parent=43"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href
":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/categories?post=43"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.hyperstrato.com\/index.php\/wp-json\/wp\/v2\/tags?post=43"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}