Email Security Blog

Office 365 + DMARC: Best Practices for Protecting Your Company & Customers From Phishing Attacks

John Wilson May 11, 2021 DMARC

Gartner includes DMARC (Domain-based Message Authentication, Reporting & Conformance) in its list of top 10 security projects for 2021. With very few exceptions, the best way for organizations to prevent being impersonated in email attacks is to integrate DMARC into their Office 365-based email ecosystems.

To understand why, let’s consider the benefits of deploying DMARC within Office 365 environments, and tips for success when deploying DMARC for your organization.

Outbound Email: Why O365 is Better with DMARC

Fraudulent emails appearing to come from a legitimate, trusted source lead to nearly $7.5 billion in business losses worldwide each month. When these scams lead to a data breach, the cost to US businesses now averages $3.86 million per incident, according to Ponemon Institute.

DMARC is designed to prevent that. DMARC is an email authentication standard that works as a policy layer for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help email receiving systems recognize when an email hasn’t been authorized by the company owning the From: header domain. DMARC provides instructions to email receiving systems on how to safely dispose of these unauthorized messages.

Its most aggressive enforcement policy is reject (p=reject), which means that email messages that do not pass DMARC authentication will be blocked from ever reaching their intended recipients. Less rigid policy settings include quarantine (p=quarantine), which places those emails in the spam folder, and monitor only (p=none), which helps organizations monitor how their domain is being spoofed, but does not protect the recipients of those emails.

DMARC is already part of the robust security controls built into O365, so you have ample protection against most inbound phishing and spam attacks. In fact, you don’t have to do anything to implement DMARC for email that you receive within Office 365. What’s more, if you don’t use a custom domain for outbound email, and instead use the standard onmicrosoft.com subdomain, you don’t need to do anything else to configure or implement DMARC on your Office 365 tenant.

However, if you have configured your Office 365 tenant to use a custom domain (ex: yourcompany.com), or if you use any third parties to send some of your email, such as SendGrid, MailChimp, Salesforce, Marketo, or others, you’ll want to implement DMARC yourself. But how do you get started on DMARC in your Office 365 environment? Let’s take a look at some good practices, some better practices, and the best thing you can do to get the most out of your DMARC deployment.

Good: Employ Best Practices When Deploying DMARC for Office 365

We recommend using a phased deployment when implementing DMARC. This is especially true for large companies implementing DMARC across a large number of domains spanning divisions, departments, and third-party senders. Doing so helps ensure that you don’t impact the rest of your email flow.

Agari recommends a multi-step plan for DMARC implementation. Execution for each step should start with a single subdomain, then proceed to other subdomains, and finally finish with the top-level domain in the organization, before moving to the next step. Best practices for implementing DMARC include:

  • Monitor the impact first. For large organizations setting up DMARC on numerous domains, we advise starting with a simple monitoring-mode record. A monitoring-mode record is a DMARC TXT record that has its policy set to p=none. Many companies publish a DMARC TXT record with p=none because they are unsure about how much email they may lose by publishing a more restrictive DMARC policy, and this allows them to monitor the impact before making changes.
  • Include SPF and DKIM in your plans. Remember that you won’t be able to safely quarantine or reject mail with DMARC unless you implement SPF and DKIM on all legitimate sources of email. Your DMARC reports will show you all of the hosts sending email for your domain. Once you have successfully implemented SPF and DKIM on the legitimate mail sources, the fraudulent messages will be quite obvious because they will fail DMARC and will originate from servers that don’t belong to you or any of your authorized senders.
  • Request that external mail systems quarantine mail that fails DMARC. When you believe that most of your legitimate traffic is protected by SPF and DKIM, and you understand the impact of implementing DMARC, you can implement a quarantine policy. By doing this, you are asking DMARC receivers to put messages from your domain that fail DMARC into the local equivalent of a spam folder instead of your customers’ inboxes.
  • Request that external mail systems not accept messages that fail DMARC. When you feel confident that your legitimate mail is fully authenticated, the final step is implementing a reject policy. When you do this, you’re asking DMARC receivers not to accept messages that fail the DMARC checks. This is the final and most effective way to secure your domain, as it prevents any illegitimate emails from reaching your end users.

When implementing DMARC for multiple domains, it’s important to remember that DMARC records are hierarchical. This can be useful, as you may be able to specify a smaller number of high-level DMARC records for wider coverage. However, care should be taken to configure explicit subdomain DMARC records where you do not want the subdomains to inherit the top-level domain’s DMARC record.
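The three policy levels described above, and the subdomain inheritance rule just mentioned, are easiest to see by working through how a receiving mail system actually discovers and applies a DMARC record. The following Python example is added here for illustration; it is not Agari's or Microsoft's code, and the domains and TXT records in it are constructed. It parses a DMARC record, resolves the policy for an exact domain versus a subdomain that inherits the organizational domain's `sp=` tag, and shows the message disposition a receiver derives from `p=`, including the `pct=` sampling tag from the DMARC specification (RFC 7489), which this article does not cover but which is commonly used to stage the move from quarantine to reject. The organizational-domain lookup is deliberately simplified: real receivers consult the Public Suffix List rather than taking the last two labels.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed DNS data for the example (hypothetical domains, not real records).
DNS_TXT: Dict[str, str] = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; pct=100; "
        "rua=mailto:dmarc-agg@example.com; adkim=s; aspf=r"
    ),
    # Explicit subdomain record: this subdomain is still in monitor mode and
    # deliberately does NOT inherit the top-level domain's policy.
    "_dmarc.newsletter.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    policy: str                  # p=  policy for the domain itself
    subdomain_policy: str        # sp= policy for subdomains with no record of their own
    pct: int                     # pct= share of failing mail the policy is applied to
    rua: List[str] = field(default_factory=list)  # aggregate report destinations
    adkim: str = "r"             # DKIM alignment mode: r(elaxed) or s(trict)
    aspf: str = "r"              # SPF alignment mode


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a DMARC TXT record; raise ValueError for records a receiver would ignore."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: v=DMARC1 must be the first tag, and p= is required.
    if not tags or tags[0][0] != "v" or tags[0][1].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    kv = dict(tags)
    if kv.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    sp = kv.get("sp", kv["p"])  # sp= defaults to the p= value
    if sp not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    pct = int(kv.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    rua = [u.strip() for u in kv.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(kv["p"], sp, pct, rua, kv.get("adkim", "r"), kv.get("aspf", "r"))


def organizational_domain(domain: str) -> str:
    """Simplified stand-in for the Public Suffix List lookup: last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_txt(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query against the constructed zone above."""
    return DNS_TXT.get(name.lower())


def resolve_policy(from_domain: str) -> Tuple[str, str]:
    """Return (policy, source) for an RFC5322.From domain using DMARC record
    discovery: the exact domain first, then the organizational domain's sp=."""
    txt = lookup_txt(f"_dmarc.{from_domain}")
    if txt:
        return parse_dmarc(txt).policy, f"_dmarc.{from_domain}"
    org = organizational_domain(from_domain)
    if org != from_domain.lower():
        txt = lookup_txt(f"_dmarc.{org}")
        if txt:
            return parse_dmarc(txt).subdomain_policy, f"_dmarc.{org} (sp=)"
    return "none", "no DMARC record"


def disposition(policy: str, pct: int, dmarc_pass: bool, sample_roll: int) -> str:
    """What a receiver does with one message. sample_roll is a uniform 0..99 draw;
    failing messages outside the pct sample get the next less strict action."""
    if dmarc_pass:
        return "deliver"
    if policy == "none":
        return "deliver (monitor only)"
    in_sample = sample_roll < pct
    if policy == "reject":
        return "reject" if in_sample else "quarantine"
    if policy == "quarantine":
        return "quarantine" if in_sample else "deliver (monitor only)"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for d in ["example.com", "newsletter.example.com", "billing.example.com", "unrelated.test"]:
        print(f"{d:28} -> {resolve_policy(d)}")
    # A p=reject; pct=50 record rejects about half of failing mail and quarantines the rest.
    print(disposition("reject", 50, False, 75))
```

Note that `billing.example.com` has no record of its own, so it inherits `sp=quarantine` from `example.com`, while `newsletter.example.com` keeps its explicit `p=none`; that is exactly the inheritance behaviour to watch for when you decide which subdomains need their own record.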

Better: Use the DMARC Solution Microsoft Trusts

While deploying DMARC on a single domain is relatively simple, a large scale implementation is fraught with complexity.

That’s why you might want to consider a solution like Agari Brand Protection, which simplifies the challenges associated with implementing DMARC in Office 365-based email environments and has been shown to drive spoofed messages from your domain to near zero levels almost instantly. The founder and CEO of Agari is one of the authors of the DMARC standard, and Agari pioneered DMARC deployments for the enterprise. Today, we manage 230,000 domains for DMARC—driving scale and efficiency in implementations for our customers.

In fact, more than 40% of the Global 2000 rely on our solutions and know-how to reach maximum DMARC enforcement efficiently, and Microsoft itself has selected Agari to protect its own iconic brand. When selecting a DMARC solution to protect your outbound Office 365 email, what could be better than the product Microsoft trusts to protect a brand estimated to be worth $163 billion?

Best: Deploy Azure Sentinel and Microsoft Graph Security API with Agari

As fraud actors continue to refine evasion and obfuscation techniques, enterprises can no longer depend on siloed and fragmented point products to effectively protect their employees, customers, suppliers, and partners. Azure Sentinel, the world’s first cloud-native SIEM/SOAR/UEBA platform from a major cloud service provider, is at the forefront of a secular trend of consolidation and integration in the cybersecurity stack.

DMARC is not an island, but rather a critical component of an integrated security strategy. Agari Brand Protection, along with two other solutions from Agari, integrates seamlessly with Azure Sentinel to share threat intelligence. Agari Phishing Defense is a highly specialized, complementary solution to Defender for Office 365 (previously ATP) that uses ML/AI techniques to detect and remediate sophisticated identity-based threats such as spear phishing, business email compromise (BEC), vendor email compromise (VEC) and account takeover-based attacks. Agari Phishing Response is a turnkey solution that automates the process of phishing response, remediation, and breach containment.

And the recently launched Agari Data Connector for Sentinel allows customers to ingest logs from Agari Brand Protection and Agari Phishing Defense to detect, correlate, and remediate threats more effectively. With this data connector, Agari becomes the only email security vendor to share threat intelligence with Azure Sentinel.

The data connector comes with sample queries that inform the creation of additional Azure Sentinel analytics, workbooks, and workflows around insights such as attack types, policy hits, and most attacked users. In addition, customers using the federated model of Microsoft Graph Security API can benefit from investigation IOCs shared by Agari Phishing Response and malicious domains or URLs reported by Agari Brand Protection in their quest to triage and isolate threats more effectively.

In summary, an integrated security architecture that encompasses Agari solutions with Defender for Office 365, Azure Sentinel, and Graph Security API allows organizations to leverage the rich visibility from email security as the first line of defense to reduce attack surface, strengthen core defenses, and enhance overall security posture.

Want to learn more about how Agari works with Office 365? Get a look at how the solution can work for you with a free demo from our team.
