Exchange security: Get your SPF, DMARC, and DKIM records in place

In the digital age we live in today, what is the biggest threat? My view: It is data being exposed on the Internet or stolen. Some think, “Oh, sending my company credit card details over an unencrypted email is harmless until it is intercepted and information stolen, along with my money.” Today, you cannot just set up an Exchange Server and hope that your system doesn’t get compromised or hijacked. Email is intercepted all the time by the “man in the middle.” What can you do to protect yourself? Well, nothing is foolproof. Some things get through the cracks even if the strongest of measures are in place. But you can lower the odds you will be successfully attacked by setting up and enabling SPF records, DMARC records, and DKIM records in your Exchange server.

We have all seen an increase in social engineering attacks, especially those targeting financial institutions or aimed at people who work there. Before we talk more about SPF, DMARC, and DKIM records, let’s dive into the risks every Exchange admin faces.

Spoofing: Think of email spoofing as someone sending a forged email looking like it came from you but if you analyze the headers you can see it has a different reply address. These happen daily and if they fool 100 people from 10,000-plus spoofed emails sent, then it’s a big win for the scammer. People are too quick to give information over email and that is where the security is lacking.


Spear-phishing: This is the one I have seen an upward trend in. An example of this is the accountant receives a mail from the “CEO” to process this payment and when the attachment is opened it infects the machine. Another example of this is an email sent that looks like it comes from an important person with the words “Urgent” in it. Too many people fall for this.

Phishing: Think of someone sending you an email to verify your details and you respond by sending personal information. Many people have fallen victim to this. Bank phishing emails are perhaps the most common of these scams.

All of these mechanisms are out to steal information and data and to get money out of the company or person.

Protect your Exchange Server with SPF, DMARC, and DKIM

SPF stands for “Sender Policy Framework.” SPF is there to detect forgery of the sending email address. Generally, you lock down SPF by allowing mail from a certain source, like if you are using a third-party filtering service, you only allow mail from their servers and nothing else directly.

To set up an SPF record, you simply need to create a DNS record for your domain and then tell it whether to soft fail or hard fail a message. In the beginning, SPF worked well on its own but as time progressed it wasn’t enough to stop the spam.

The next record to look at that works in conjunction with SPF is DMARC. DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.” Wow, a bit of a mouthful, but what does DMARC do? DMARC along with SPF determines if the email is legitimate and then it decides what to do with the message. Think of SPF as a robot and DMARC as a policeman. A suspicious email may through the robot, but with checking it is blocked by the policeman because something is not correct.

spear-phishing email

DMARC, like SPF, is a DNS record that you create. It has a few tags and based on what you select to happen to messages will, for example, quarantine them.

Lastly, you can also look at DKIM, which stands for “Domain Keys Identified Mail.” DKIM is an authentication mechanism that allows the receiving party to check if the mail was sent and authorized by the owner of the domain.

DKIM is a bit more complex to set up, but please don’t see “complex” as a mountain too big to climb. To set up DKIM you need to generate a key and once you have created the (public) key you will create a TXT record in DNS. Lastly, you will then generate and save your DKIM signature, which will be applied to emails.

As you can see above, as an Exchange/mail admin, you have a bit of work to do if your domain does not have any mechanisms in place such as SPF, DMARC, and DKIM to prevent spoofing, spear-phishing, and phishing emails. Please note all the steps on which records to create here are high-level overviews. There are many tutorials out there on how to set these up, including this one we published here at TechGenix.

Yes, DMARC works


In a recent study, DMARC usage in an organization reduced spoofed emails drastically. If you are not sure how to go about setting up these records, chat with your ISP or reach out to companies that do filtering to assist you. The setup is pretty self-explanatory but maybe for new admins, it does not sound so simple.

Just remember, if your email account is hacked and they have your login details, they can pretty much send anything and it will look totally legit as it looks like the user is valid. Take care to secure your users’ usernames and passwords and remove those Post-it stickies affixed to the screen with all the login info on.

That is why it is imperative that if you are sending stuff like usernames and passwords or confidential company documents that you encrypt the mail even though you have the other mechanisms in place. As mentioned, you don’t want to leak the company credit card details or your own information over email.

Featured image: Shutterstock

About The Author

1 thought on “Exchange security: Get your SPF, DMARC, and DKIM records in place”

  1. I worked for a company that, as long as your domain was correct, you could send email through their server. It didn’t check if the mail was coming from.

    So, as long as the email domain was correct, it passed your email along. Lol.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top