This blog post is part of the Microsoft Intelligence Security Association (MISA) guest blog series. To learn more about MISA, visit the MISA webpage.

Not knowing who is sending email “from” your organization is an enormous problem for IT managers for two reasons.

One problem is “shadow IT”—cloud services that employees have signed up for without IT oversight. Many of these services send mail—to employees, customers, or marketing prospects—which appear to come from your organization, opening you to legal and security risks. Identifying these services and getting them under control is a critical step in any cloud migration project.

The second problem is phishing, which plays a role in over 90 percent of all cyberattacks. For phishers, there’s not a more valuable tool than the ability to impersonate senders. These scammers rely on the fact that there is little stopping them from spoofing any domain they like in the “from” field of their phishing messages.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an essential tool for solving both of these problems. When an organization gets its domains to a quarantine or reject policy—what’s known as DMARC enforcement—it gains complete visibility into and control over all email purporting to be from that organization. For more on DMARC policies and how they pertain to inbound mail, read the “Best practices on implementing DMARC in Office 365” section in the Microsoft article Using DMARC to validate email in Office 365.

Before a company can get to an enforcement policy, it needs to identify all the email senders using its domain. If this crucial and potentially challenging step is omitted, it may wind up inadvertently blocking legitimate email sources (like a payroll provider or your CRM tool), simply because it hasn’t specifically authorized them.

While the benefits of DMARC are clear, many organizations have had trouble with the implementation of this open standard. DMARC directs receiving mail servers to send aggregate reports back to domain owners, so they can analyze which services are sending mail on their behalf. This data is valuable for both cloud migration and anti-phishing projects.

But it can be difficult to extract actionable intelligence from these reports, which are typically large XML files containing long lists of IP addresses. Companies need to do extensive “detective work” to figure out which services correspond to those IPs and which people within their organization are responsible for using those services, which includes updating the corresponding DMARC, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records to ensure that the services are properly authorized. What’s more, every change requires updating the Domain Name System (DNS), which itself can be an involved process.

What if you don’t have the time and resources to allocate to this long-term, sometimes tedious technical analysis?

Valimail Monitor for Office 365 can make this part of the DMARC journey much easier. Instead of manually parsing the massive amount of XML-based IP address data you get in DMARC reports, Valimail Monitor for Office 365 digests DMARC aggregate reports and turns them into an easily readable list of named services. In addition, for each of these services, Valimail shows how many messages are passing authentication and how many are failing and provides overall stats on DMARC authentications and authentication failures. This greatly simplifies this critical stage of the DMARC journey.

The challenge is identification

Setting up a DMARC record isn’t difficult—it’s a simple txt record in DNS—and there are only three tags needed to configure a correct DMARC record. Once configured, the domain owner receives daily aggregate reports, via email, from virtually every mail receiver worldwide that gets mail from that domain.

The challenging part, as noted above, is using those DMARC aggregate reports to identify all those services that are sending email “as” the domain.

Here’s why it’s hard: In the era of cloud IT, it’s quite common for organizations to have dozens of third-party services sending email on their behalf. For example, an organization may have CRM, HR, support, payroll, and other workflow services that are core to its business. The one thing that ties all these services together is that they all rely on the company’s domain name to send email—notifications, invoices, receipts, and the like—which all need to come “from” the company. Their use of a domain name is a defacto standard that leverages the implicit trust employees, customers, and partners have when they do business with a company. (Watch a short one-minute video explaining why so many DMARC projects run into trouble.)

Before moving to a policy of enforcement, a company needs to have the confidence that it has correctly identified all these senders and white-listed them in its SPF configuration, and/or configured their DKIM keys correctly.

DMARC is incredibly useful to block phishing attacks and protect the brand, but many Office 365 customers who have implemented DMARC have not reached enforcement. They’ve manually parsed DMARC reports with self-help tools or consulting support. They’ve looked at millions of lines of XML to extract IP addresses which they then need to translate to named services. These services themselves may live on multi-tenant clouds, so discerning the true identity of a given service is further challenging because the underlying cloud infrastructure could be shared and may change without notice.

A fully automated, free service

Valimail Monitor for Office 365 makes the service-discovery component of DMARC implementation far easier, providing a fully automated visibility service, free of charge. With Valimail, Office 365 users can easily see all third-party services sending on their behalf, as well as potential imposters that are spoofing their brand. It eliminates the need to wade through XML-based aggregate reports or try to interpret which IP addresses correspond to which cloud services. Valimail Monitor for Office 365 provides a clean, clear, human-readable interface that lists services and their email volume on the domain in plain English.

With full visibility, Office 365 customers will be armed with all the information they need to determine which services are legitimate and authorized. From there, they’ll be in a position to confidently move their organization to full DMARC enforcement, where all unauthenticated traffic is blocked. Valimail makes this easy as well, with an upgrade path to Valimail Enforce, which fully automates DMARC enforcement.

As a member of the Microsoft Intelligent Security Association, Valimail provides a critical free service for Office 365 customers who want the benefits of DMARC enforcement. DMARC enforcement, together with the anti-spoofing and anti-phishing capabilities in Office 365, will effectively stop an entire class of phishing attacks.

Configuring Valimail Monitor for Office 365

Here’s how to get started with Valimail Monitor for Office 365:

Sign up at the Valimail Monitor for Office 365 website.

Note: This is a free service for Office 365 customers. Once you sign up, Valimail will email you the simple configuration instructions. Set aside five minutes to make the change in DNS to send your DMARC reports to Valimail (this has no impact on your email flow, deliverability, or any other aspect of your DNS).

Within two weeks, Valimail Monitor will provide you a list of senders using your domain, and it will keep the list updated in real-time as DMARC reports continue to flow in. It also shows you where in the world emails sent using your domain are coming from. Don’t have an office or server in Brazil? That might just be the red flag you need to shut down a phisher impersonating your brand.

Using the Valimail dashboard, you’ll have the intelligence you need to know who is sending email using your domain and from where, so you can focus your time and resources on more complex activities to protect your organization.

Sign up for free at: www.valimail.com/microsoft.