This blog post explains the role and benefits of ARC sealing. ARC (Authenticated Received Chain) is an email authentication protocol that preserves the authentication results of an email as it travels through multiple intermediaries, such as forwarding services. This allows your recipients to accept the ARC Seal from your relaying or intermediate server. Using ARC helps organizations handle the complexities of email authentication, especially when emails are forwarded. ARC involves multiple servers working together based on mutual trust. In this blog post, we will explore the basics of ARC, how it works, and the benefits it provides. ...

Improve email security in Microsoft 365: Fine-tuning DKIM, configuring DMARC for the MOERA domain, and blocking inbound DMARC failures from reaching user inboxes. Fine-tune DKIM by frequently rotating the DKIM keys After setting up DKIM in Microsoft Defender for Office 365, it is also important to set up frequent rotation of these DKIM keys to prevent adversaries from intercepting and decrypting your cryptographic keys. Key rotation helps to minimize the risk of compromising the private keys. In Microsoft 365, you can rotate the DKIM keys for your domains to increase security. The recurrence must be every 3 months because rotating the DKIM keys every 3 months ensures a complete rotation of both selectors every 6 months. You can rotate the DKIM keys manually using the Defender portal or Exchange Online PowerShell, but it is easy to forget if you do it manually. So you should delegate this to Azure Automation by using the runbook below: ...

Unlocking the Power of S/MIME (Secure/Multipurpose Internet Mail Extensions): This article will help you understand S/MIME and how to request, configure, and use S/MIME on your devices. What is S/MIME? In today’s digital landscape, the security of sensitive information transmitted via email is critical. One method of safeguarding email communications is through the use of S/MIME, which is a widely adopted protocol that provides end-to-end encryption and digital signatures. S/MIME vs. Outbound email authentication In addition to DMARC-compliant email, which validates the sending source through SPF and DKIM checks, S/MIME provides cryptographic proof of the sender’s identity by digitally signing the message with a personal certificate, whose private key exists only on the sender’s device. In practice, when DMARC-compliant email is used to deliver malicious content, it often indicates that the sender’s mailbox has been compromised, allowing an attacker to send messages that still pass DMARC checks. However, if the compromised mailbox normally signs messages with S/MIME and the malicious message lacks this signature, the recipient may recognize this inconsistency as a red flag and choose to ignore the message. Additionally, S/MIME can be used to encrypt email content, helping protect messages from being read or modified in transit. It’s important to note that outbound email authentication techniques, such as SPF, DKIM, and DMARC, are unrelated to signing or encrypting a message, they validate the sending source, not the message content or its confidentiality. ...

With Microsoft Defender for Office 365, you can create an attack simulation training to identify vulnerable users and mitigate potential threats before they impact your organization. Think before you click Understanding the intricacies of cybersecurity is crucial in today’s digital landscape. Attack simulation training is indispensable for users as it provides hands-on experience in recognizing and defending against potential threats. This proactive approach empowers individuals to enhance their security awareness, identify vulnerabilities, and contribute to a more resilient organizational defense against cyber attacks. ...

In this post, you find out how DNSSEC and DANE cooperate, and learn how to set up DANE TLSA DNS records. DNSSEC (DNS Security Extensions) The domain name system (DNS) is the phone book of the Internet: it tells computers where to send and retrieve information. Unfortunately, it also accepts any address given to it, no questions asked. DNSSEC adds a security layer to this phonebook. It uses digital signatures to make sure the information in the phonebook can be trusted and hasn’t been tampered with. It’s like putting a lock on the phonebook to prevent DNS spoofing. ...

Safe Links scans URLs in incoming messages and checks the links for malicious content at the time they are clicked. What you can manage with a Safe Links policy With a Safe Links policy, administrators can configure and manage this policy to protect users from clicking harmful links and being redirected to malicious websites. Safe Links provides URL scanning for links in email messages, Microsoft Teams, and supported Office 365 applications. You can create custom Safe Links policies that apply to specific users, groups, or domains. ...

Malware is specifically designed to harm or exploit devices, networks, or users. It includes various types of harmful software such as viruses, worms, trojan horses, ransomware, spyware, and adware. Malware can be distributed through email attachments, infected websites, malicious downloads, or other deceptive means. What you can manage with an Anti-malware policy Mailboxes in Exchange Online benefit from automatic protection against malware through Exchange Online Protection (EOP). EOP offers a multi-layered malware protection system designed to detect all known malware. ...

Phishing is an email attack that aims to steal sensitive information through messages that appear to be from legitimate or trusted senders. You can enhance the security of your Exchange Online mailboxes by implementing anti-phishing policies. What you can manage with Anti-phishing policies Anti-phishing policies provide enhanced control over incoming phishing emails, for instance, in cases where someone may attempt to impersonate your CEO or send messages from a domain that closely resembles yours. By default, a policy named ‘Office365 AntiPhish Default (Default)’ is automatically applied to all users. ...

All inbound e-mail is automatically protected from spam by Exchange Online Protection (EOP) for Microsoft 365 organizations with mailboxes in Exchange Online. EOP uses anti-spam policies as part of your organization’s overall spam defense. What you can manage with Anti-spam policies Anti-spam policies provide you with control over both inbound and outbound email in Exchange Online. Within the Microsoft Security Portal, you can access the Anti-Spam Policy section, where three default policies are available for editing. Additionally, it is possible to create custom policies, and further details on this will be discussed later in this post. ...

In this post, I will share my best practices for getting a handle on your SPF record. Why it makes sense to have a good SPF procedure in place In a previous blog post, I explained the limitations of SPF and how it works with DKIM and DMARC. It’s crucial to have a well-structured SPF procedure to avoid future problems, especially since exceeding the DNS lookup limit of 10 can cause issues, such as: ...