Microsoft recommends email users adequately protect all domains associated with Office 365. If you are not securing your onmicrosoft.com domains, threat actors can easily exploit them in spoofing attacks. Lucky for you, if you are using an onmicrosoft.com subdomain, SPF should already be enabled for it. However, SPF alone cannot prevent spoofing attacks. You need DMARC for that! So let’s find out how you can implement DKIM and DMARC for your onmicrosoft.com domains to improve email security.
What is an onmicrosoft.com or MOERA Domain?
onmicrosoft.com domains are your Microsoft Online Email Routing Address domain, also known as MOERA for short. Your MOERA domain is formatted as <domain>.onmicrosoft.com and is a default address given to every Microsoft tenant during onboarding. It is typically assigned during the initial setup phase. When you sign up for Microsoft 365, you are required to provide a unique domain name. Microsoft then creates a domain in the format yourcompany.onmicrosoft.com.
MOERA addresses are used internally within Microsoft’s systems to route emails. For example, even if a user’s primary email address is [email protected], they might still have a MOERA address like [email protected] which is used behind the scenes.
Why is Authentication Important for All Domains?
Microsoft has been under the gun as a magnet for phishing attacks for years! In fact, in 2024, Microsoft was dubbed the most impersonated global brand followed by Google, by various security researchers and sources.
In an impersonation attack, a renowned brand is spoofed to send malicious fake emails from their domain. This means that attackers can spoof your onmicrosoft.com domain to send phishing emails to your clients, who may click on them and get scammed. You will suffer the consequences of this attack through negative feedback from clients, a break of trust, and a damaged reputation.
This is why it is imperative to secure all your domains! Here are some email authentication protocols you can use to achieve this:
- SPF: Sender Policy Framework (SPF) allows you to authorize your domain’s sending sources. By default, your onmicrosoft.com domain has SPF enabled. Hence, receiving servers will recognize this domain as an authentic email sender.
- DKIM: DomainKeys Identified Mail (DKIM) helps you append digital signatures to emails. These signatures are verified by the receiver during authentication. It helps establish whether an email has remained authentic and unchanged during transmission. You have to manually set this up for your onmicrosoft.com domain.
- DMARC: Domain-based Message Authentication Reporting and Conformance (DMARC) allows you to take policy-based actions against unauthorized emails. If your emails fail SPF and/or DKIM checks, you can take a stance! Use DMARC to reject, quarantine, or deliver your emails by enabling a DMARC policy.
Steps to Add DKIM for Your onmicrosoft.com Domain
To add DKIM for your onmicrosoft.com domain, follow the steps below:
1. Login to your Microsoft Defender portal
2. Go to Email & Collaboration > Policies and rules > Threat policies
3. Scroll down to the “Rules” section and click on Email Authentication Settings
4. Select the DKIM tab for your onmicrosoft.com domain and click to Enable it
5. Click on Rotate DKIM keys to add a second DKIM record with a different selector to your DNS records
It may take from a few minutes to an hour for the portal to activate DKIM for your domain. Once DNS propagation is done, Microsoft recommends adding a second selector for your DKIM configuration. This step provides additional security by allowing you to rotate your DKIM keys periodically.
Steps to Add DMARC for Your onmicrosoft.com Domain
1. Login to your Microsoft Office 365 admin center
2. Go to Settings > Domains and select your onmicrosoft.com domain
3. Once selected, click on DNS records > Add record
4. In the “ Add a custom DNS record “ popup box configure the following settings:
Type: TXT
TXT name: _dmarc
TXT value: v=DMARC1; p=reject;
TTL: 1 hour
When you choose your preferred DMARC policy (p=) we recommend you start with a DMARC policy of “none” that offers no protection but is useful for monitoring your domain. Then slowly transition to “quarantine” and finally “reject” to actively prevent cyber attacks.
Click on “Save” and wait for a few minutes to an hour to save changes to your record.
Steps to Verify your onmicrosoft.com DKIM and DMARC Setups
Once you have saved your DMARC and DKIM settings, you need to verify these settings in the admin center.
- In your Microsoft Office 365 admin center go to Settings > Domains and select your onmicrosoft.com domain
- Click on DNS records and scroll down to “Custom records”. Here you should be able to see your newly added DMARC record
- Scroll down to “ Additional Microsoft Office 365 records “ and in this section, you should be able to see the 2 new DKIM records configured for your domain
Once you spot these records, it means that you are all set up!
Final Words
Enabling DKIM and DMARC for your onmicrosoft.com domains is a crucial step toward enhancing your email security. It can help protect your brand’s reputation against spoofing and impersonation. By following the steps outlined by Microsoft as mentioned in our guide, you can enable the necessary protocols to secure your domain.
PowerDMARC simplifies this process by providing an intuitive platform that helps you implement and monitor these protocols effortlessly. With PowerDMARC, you get comprehensive insights and real-time alerts, ensuring that your domain remains secure and compliant. Take control of your email security today with PowerDMARC and enjoy peace of mind knowing your communications are protected. Start your free trial today!
- 5 Common DNS Vulnerabilities and How to Protect Your Network - December 24, 2024
- Introducing DNS Timeline and Security Score History - December 10, 2024
- PowerDMARC One-Click Auto DNS Publishing with Entri - December 10, 2024