Most hosted email providers offer the option to include DKIM information in your message headers and guide you on creating the necessary DNS record. However, on-premises Exchange lacks this functionality. Fortunately, we’ve worked with an open-source application that easily enables DKIM for Exchange. You can find more about it here, and we can help with configuration and updating your DNS.
The DMARC record lets you instruct receiving spam filters on how to handle SPF and/or DKIM failures. For instance, if you haven’t configured DKIM but your email provider adds DKIM to your messages, this discrepancy might lead to undelivered messages. In the DMARC record, you can specify that messages failing SPF are to be treated as spam, and you can choose to ignore cases where DKIM is not in alignment. Additionally, you can request that the receiving spam filter send you reports of these failures. This feature proves invaluable in identifying potential attempts to spoof your email domain.
These report messages are in XML format, so it’s best to use a third-party tool to organize the data into a more readable form. The beauty of DMARC lies in its ability to alert you when emails attempt to impersonate your domain or are sent from domains closely resembling yours (for example “compamy.com”, a typo of “company.com”). This alert can help you take corrective action before any harm is caused, especially in cases where scammers may ask your clients to send sensitive information such as bank records.
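As an added example (not from the original post or any particular third-party tool), here is a small Python parser for a DMARC aggregate report that lists the sending IPs whose messages failed both SPF and DKIM alignment; the report content, the domain company.com and the IP addresses are constructed sample data.

```python
# Added example: summarize a DMARC aggregate (RUA) report to surface spoofing candidates.
# Reports come from third-party receivers; for untrusted input, parse with the
# defusedxml package instead of the stdlib parser used here for brevity.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report: one legitimate source and one failing both checks.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published>
    <domain>company.com</domain><adkim>s</adkim><aspf>s</aspf><p>reject</p><sp>reject</sp>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>company.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>company.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_dmarc_report(xml_text):
    """Return (domain, policy, failures): failures maps source_ip -> message count
    for rows where neither DKIM nor SPF passed alignment (likely spoofing)."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    failures = Counter()
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") != "pass" and evaluated.findtext("spf") != "pass":
            failures[row.findtext("source_ip")] += int(row.findtext("count"))
    return domain, policy, dict(failures)


if __name__ == "__main__":
    dom, pol, bad = summarize_dmarc_report(SAMPLE_REPORT)
    print(f"{dom} (p={pol}) unaligned sources: {bad}")
```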
In a previous post, I suggested that if you own additional domains that don’t typically send emails, you can create SPF and DMARC records clearly stating that these domains do not send emails. Here are some examples for your reference.
Notice that the DMARC record is published as a TXT record on the _dmarc subdomain (for example, _dmarc.company.com).
SPF record: v=spf1 -all
_dmarc record: v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s
You can verify your records by querying DNS:
Resolve-DnsName company.com -Type txt (the SPF record begins with “v=spf1”)
Resolve-DnsName _dmarc.company.com -Type txt
Setting up SPF, DKIM, and DMARC records is generally manageable, but in some instances, it can become very complex. Since our emphasis is on security rather than the technicalities of DNS, I suggest reaching out to us to ensure proper configuration. If you’re looking to learn more about these authentication methods, a good starting point is this resource: Microsoft Exchange Team Blog – Authenticate Outbound Email. It provides valuable insights into improving email deliverability through authentication.