Adding DMARC support to Exchange 2016

Spammers can forge the “From” address on mail messages so that spam appears to come from a user in your domain. To help prevent this sort of abuse, Hexamail supports DMARC, which gives domain owners control over what recipient domains do with unauthenticated mail that claims to come from your domain. Hexamail software lets you follow the DMARC.org standard and decide how recipient domains treat unauthenticated email carrying your domain: you publish a policy telling recipient domains and other participating email providers how to handle such messages. By defining a policy, you help combat phishing and protect both your users and your domain’s reputation.

Let’s break the guide into some easy steps:

To add DMARC support to Exchange 2k – Exchange 2016 you need to do the following:

  1. Download and install a Hexamail Gateway product like Hexamail Guard or Hexamail Nexus
  2. Enable the Secure module
  3. Configure an Outbound Send Connector in Exchange to send email out via the Hexamail SMTP gateway
  4. Configure your DMARC settings for your domain.

Setting up SPF

SPF is the Sender Policy Framework. This is one of the two mechanisms used by DMARC to help verify email from your domain. It is implemented simply by creating a DNS record that tells other domains which servers may legitimately send email with a From address containing your domain. You just need to know all the servers, other domains and mail servers that may need to send email using your domain’s email addresses.

Creating the SPF record for your domain

Hexamail software (the spam blocker module) includes a wizard to help you create the SPF record you need to add through your DNS management console.

Setting up DKIM

DKIM is DomainKeys Identified Mail and involves signing your outbound email with a special signature in the header that guarantees the message was sent through your server and has not been tampered with or modified since leaving your server. This is the second mechanism used by DMARC to help verify that email is genuinely from your domain. The system uses a cryptographic key pair to sign and verify the email: your private key is generated on your server and signs all outbound email, and the public key is published as a DNS record through your DNS management console so that others can verify your signed email.

Managing DKIM keys for your domain

Hexamail software (the secure module) includes a management interface to let you simply generate and manage your signing keys. You can have multiple different signing keys with various different parameters. This lets you test a key or have keys that expire after a certain time or use specific keys for specific email subdomains or email addresses.

Generating a DKIM key for your domain

You need at least one key set up to start using DMARC. The secure module also shows you how to create the DNS record you need to add through your DNS management console so that others can access your public key for verifying your email.

Creating a DKIM ADSP record for your domain

ADSP is Author Domain Signing Practices. It has now largely been replaced by DMARC. The secure module also shows you how to create the ADSP DNS record you need to add through your DNS management console so that others can check your domain’s signing practices.

Setting up DMARC

Next you need to create a DMARC DNS record instructing other domains how to verify email from your domain and what to do with spoofed or fraudulent email.

Creating a DNS record for DMARC

The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to perform DMARC processing on email from your domain.
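Before pasting the SPF and DMARC records from the wizards into your DNS console, it is worth checking their syntax offline. The following checker is an added example, not Hexamail's code: it parses a DMARC TXT record and flags the SPF mistakes that most often break DMARC (no `v=spf1`, more than ten lookup terms, or a permissive `+all`). The sample records are constructed for illustration.

```python
import re

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup; RFC 7208 caps these at 10
DMARC_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if it is unusable."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    # v=DMARC1 must be the first tag, and p= is mandatory on the organisational domain.
    if tags.get("v") != "DMARC1" or next(iter(tags)) != "v":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    for report_tag in ("rua", "ruf"):
        for uri in tags.get(report_tag, "").split(","):
            if uri and not uri.strip().startswith("mailto:"):
                raise ValueError(f"{report_tag}= entries must be mailto: URIs")
    return tags


def check_spf(txt):
    """Return a list of findings for an SPF TXT record; an empty list means it looks sound."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    findings = []
    lookups = 0
    for term in terms[1:]:
        name = re.match(r"[+\-~?]?([a-z0-9]+)", term.lower())  # strip the qualifier, keep the mechanism name
        if name and name.group(1) in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} lookup terms; receivers stop evaluating after 10")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all authorises every host on the internet to send as your domain")
    elif last not in ("-all", "~all", "?all") and not last.startswith("redirect="):
        findings.append("record should end with -all (or ~all while testing)")
    return findings
```

Run `parse_dmarc` and `check_spf` against the exact strings you intend to publish; a ValueError or a non-empty findings list means receivers may ignore the record or treat it differently from what you expect.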

Verifying your DMARC setup

Finally, you should verify your DMARC setup. To do this, send an email from your domain to one of the many DMARC verification services or to a Gmail account. The verification services usually send a reply containing the DMARC, SPF and DKIM test results in detail.

Unlock the Inbox can verify your DMARC setup if you send an email to this address: mailtest@unlocktheinbox.com
Returnpath can verify your DMARC setup if you send an email to this address: checkmyauth@auth.returnpath.net

There are also many other deployment tools and verification services listed at DMARC.org.

Gmail will add an email header to all received email stating the authentication results for DMARC, SPF and DKIM. Just view the “original message” in the Gmail inbox and you can read all the headers.