
How to secure domains in Microsoft 365?

Securing domains in Microsoft 365 means verifying ownership, configuring DNS settings, enabling SPF, DKIM, and DMARC, and monitoring domain activity. These measures protect against email spoofing, phishing, and unauthorized use of company domains. Administrators can also use security reports and policies to maintain domain security on an ongoing basis.

Background and overview

Domains are central to a company’s email and online identity. Microsoft 365 provides tools and standards to ensure that domains are used correctly and protected from unauthorized actors.

Domain verification

To use a domain in Microsoft 365, the administrator must verify that the company owns it, usually through DNS records.

SPF (Sender Policy Framework)

SPF defines which servers are allowed to send email for the domain, preventing unauthorized email traffic.

DKIM (DomainKeys Identified Mail)

DKIM signs emails with a cryptographic key, verifying that the message has not been altered and that it really comes from the sender.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC combines SPF and DKIM to protect against phishing and email spoofing and provides reports on failed authentications.

DNS configurations

The correct DNS records (MX, TXT, CNAME) ensure proper email management and domain security.

Monitoring and reporting

Administrators can monitor authentication reports and email flows to identify suspicious activity and improve protection.

Security principles and training

Educating users and implementing policies around email security reduces the risk of the domain being exploited for phishing or malicious communications.

Steps to secure domains in Microsoft 365

  • Domain verification: Confirm ownership through DNS records.
  • SPF: Define authorized mail servers for the domain.
  • DKIM: Sign emails to verify authenticity and integrity.
  • DMARC: Combine SPF and DKIM and get reports on authentication.
  • DNS configurations: Ensure correct MX, TXT and CNAME settings.
  • Monitoring and training: Follow up on reports and train users on security practices.
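
As an added example (not part of the original page), the SPF and DMARC steps above can be checked with a small offline audit of the TXT records a domain publishes. The function names and the sample records for example.com are constructed for illustration; `include:spf.protection.outlook.com` is the SPF include Microsoft documents for Microsoft 365 mail.

```python
# Added example: offline audit of SPF and DMARC TXT records (sample data is constructed).
M365_SPF_INCLUDE = "include:spf.protection.outlook.com"  # Microsoft 365 SPF include

def audit_spf(txt_records):
    """Findings for the SPF policy among the TXT records at the domain apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero records means no policy; more than one is an SPF permanent error.
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    findings = []
    if M365_SPF_INCLUDE not in terms:
        findings.append("Microsoft 365 mail servers are not authorized")
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        if not any(t.startswith("redirect=") for t in terms):
            findings.append("no 'all' mechanism: unlisted senders are not failed")
    elif all_term[0] not in "-~":
        findings.append(f"'{all_term}' does not fail unlisted senders")
    return findings

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if len(recs) != 1:
        return [f"expected exactly one DMARC record, found {len(recs)}"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        # p=none only monitors; receivers take no action on failing mail.
        findings.append(f"p={policy or 'missing'}: failing mail is not quarantined or rejected")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports are received")
    return findings

if __name__ == "__main__":
    # Constructed records for example.com, as they would be read from DNS.
    apex = ["MS=ms00000000", "v=spf1 include:spf.protection.outlook.com ~all"]
    dmarc = ["v=DMARC1; p=none"]
    for finding in audit_spf(apex) + audit_dmarc(dmarc):
        print("FINDING:", finding)
```
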

Related questions

Why should you verify the domain in Microsoft 365?

To ensure that the company owns the domain and prevent unauthorized use.

What is SPF and why is it important?

SPF specifies which servers are allowed to send emails for the domain and protects against spoofing.

How does DKIM work?

DKIM signs emails with a cryptographic key to verify that the message has not been altered and comes from the sender.

What does DMARC do?

DMARC combines SPF and DKIM to protect against phishing and provides reports on failed authentications.

Can administrators monitor domain security?

Yes, through authentication reports and email flow analysis, suspicious activity can be identified.
