Comments on: TEC Tips: Email Protection Basics (https://practical365.com/email-protection-basics/), Practical Office 365 News, Tips, and Tutorials. Comment feed last updated Fri, 05 Jul 2024 08:22:14 +0000.

By: Cyril, Fri, 05 Jul 2024 08:22:14 +0000, in reply to Ingo (https://practical365.com/email-protection-basics/#comment-296456)

Hi Ingo,
I’m glad to hear that from a professional, and yes, it makes perfect sense. Thanks for your reply!

By: Ingo, Thu, 04 Jul 2024 17:01:53 +0000, in reply to MaxM (https://practical365.com/email-protection-basics/#comment-296425)

Hi Max,
No, this is not what I meant. Please don’t mix different scenarios.
If you want a company to send emails on your behalf and this company doesn’t support DKIM signing, you have multiple options:
1. add the company’s MTA to your SPF record
2. If SPF is not an option, you could provide a securely published SMTP service (yes, I highly prefer Postfix and have no issue publishing this service) with SMTP Auth.
This SMTP service would then be used INCOMING from this company. Once you receive these emails, you can route them OUTBOUND to external recipients in which way you want.
Ciao,
Ingo

By: MaxM, Thu, 04 Jul 2024 14:14:12 +0000, in reply to Ingo (https://practical365.com/email-protection-basics/#comment-296417)

@Ingo:
Did I get it right: you recommend a full-blown SMTP solution like Postfix, hMailServer, the Windows SMTP daemon etc., exposed to the Internet with official IP addresses, to send legitimate business email?

Limiting our thoughts to MS365, I think it is not possible for any tenant to send out emails with a domain that is registered in another tenant. If that’s true, the SPF record of your own domain can include the huge MS IP ranges (spf.protection.outlook.com) without anyone abusing your domain’s SPF record.

True or false?

Kind regards
Max

By: Ingo, Thu, 04 Jul 2024 12:49:18 +0000, in reply to Cyril (https://practical365.com/email-protection-basics/#comment-296414)

Hi Cyril,
You’re right. You should think twice about adding someone to your SPF record! However, there are scenarios where the sending infrastructure cannot sign messages, and DKIM is not an option. Then, you rely on SPF. I recommend using an in-house SMTP solution that supports SMTP Auth in such scenarios. With this, you can control what is sent and ensure it’s DKIM-signed.
Makes sense?
Ciao,
Ingo

By: Cyril, Thu, 04 Jul 2024 11:56:16 +0000, in reply to Cyril (https://practical365.com/email-protection-basics/#comment-296412)

“As it is stated IN the RCF for DMARC” *
“That’s why I NOW only” *
“(aLong with DKIM)” *

Sorry for the typos…

By: Cyril, Thu, 04 Jul 2024 11:52:24 +0000 (https://practical365.com/email-protection-basics/#comment-296411)

Hello,
I’ve a question regarding the combination of DKIM and SPF for DMARC, when you want to allow some big email provider to send as your domain, as many companies do.
It’s a problem that some people have started talking about over the Internet recently, but I couldn’t seem to find any satisfying answer from someone who really understands the mechanics of these protocols deeply yet.

As it is stated in the RFC for DMARC, regardless of whether full or partial alignment of SPF and/or DKIM is required, only one of the two protocols needs to be verified for the email to be legitimized.

So let’s say you are allowing email provider company ABC to send emails as yourcompany.com. Therefore, you configure SPF and DKIM. If ABC has its email appliances hosted on Azure (or some other public cloud), sharing Azure’s IP addresses with other Azure customers, anybody else hosted in Azure could be allowed to send emails as yourcompany.com by this SPF record.
That’s also true for self-hosted email providers; we never truly know how they protect the use of other domains among their customers. Therefore, the DKIM key, usually linked privately to only one customer’s settings, seems to be more secure.

That’s why I now only configure SPF records for IP addresses I own (along with DKIM), and in other cases I only configure DKIM records. Also, this has been advised to me by a company that was helping us troubleshoot our DMARC policy. I know both protocols should serve different purposes, but I have thought about this a lot, trust me, and it definitely seems more secure to me this way. Am I wrong here?

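The DMARC evaluation Cyril's question turns on (an aligned SPF pass or an aligned DKIM pass, either one is enough) as an added example; this is not code from the article or from any of the commenters. The domains, IP ranges and SPF records are constructed stand-ins for DNS data, the SPF evaluator only handles the ip4 and include mechanisms, and the organizational-domain rule is simplified.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups; hypothetical domains,
# and 198.51.100.0/24 plays the role of a cloud range shared with other customers.
RECORDS_WITH_INCLUDE = {
    "yourcompany.com": "v=spf1 ip4:203.0.113.10 include:_spf.abc-provider.example -all",
    "_spf.abc-provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
RECORDS_OWN_IPS_ONLY = {"yourcompany.com": "v=spf1 ip4:203.0.113.10 -all"}

def spf_check(ip, domain, records, depth=0):
    """Minimal SPF evaluator: only the ip4 and include mechanisms, no macros."""
    if depth > 10:            # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    for term in records.get(domain, "").split()[1:]:   # skip the v=spf1 tag
        if term.startswith("ip4:") and ipaddress.ip_address(ip) in \
                ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.startswith("include:") and \
                spf_check(ip, term[8:], records, depth + 1) == "pass":
            return "pass"
    return "fail"             # nothing matched: treated as -all

def org_domain(domain):
    """Simplified organizational domain (last two labels); real code uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf, spf_domain, dkim, dkim_domain, aspf="r", adkim="r"):
    """RFC 7489 section 3.1: DMARC passes if EITHER an aligned SPF pass
    OR an aligned DKIM pass exists; one of the two is enough."""
    spf_ok = spf == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim == "pass" and dkim_domain is not None \
        and aligned(from_domain, dkim_domain, adkim)
    return "pass" if spf_ok or dkim_ok else "fail"

def evaluate(sender_ip, mail_from, dkim_d, records, header_from="yourcompany.com"):
    """One message: mail_from is the MAIL FROM domain SPF checks, dkim_d the d= of a
    valid DKIM signature, or None when the message is unsigned."""
    spf = spf_check(sender_ip, mail_from, records)
    dkim = "pass" if dkim_d else "none"
    return dmarc_result(header_from, spf, mail_from, dkim, dkim_d)
```

Run through `evaluate`, an unsigned message from 198.51.100.77 with MAIL FROM yourcompany.com passes DMARC under RECORDS_WITH_INCLUDE (the shared range is inside SPF) and fails under RECORDS_OWN_IPS_ONLY, while a message carrying a valid signature with d=yourcompany.com passes under either record even from an IP SPF does not list.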
By: MaxM, Wed, 03 Jul 2024 17:22:54 +0000, in reply to Ingo (https://practical365.com/email-protection-basics/#comment-296372)

Very useful tip regarding TABL and policies for whitelisting.

Thank you very much 😉

By: Ingo, Wed, 03 Jul 2024 13:46:12 +0000, in reply to MaxM (https://practical365.com/email-protection-basics/#comment-296363)

Hi Max,
I agree flexibility is limited. Even when sharing the same IP addresses, there is a way of identifying single tenants (I read this for the outgoing direction). Adding a false positive to the allow list is possible. You can do this in multiple ways, e.g., TABL or threat policies. You can do this on the sender’s mail address or IP address. It’s always a question whether you really want this.
But my point in this article is more about the “low hanging fruits” for an admin. The topics you mentioned are related to MDO.
Makes sense?
Ciao,
Ingo

By: MaxM, Wed, 03 Jul 2024 13:25:25 +0000, in reply to Ingo (https://practical365.com/email-protection-basics/#comment-296361)

Hi Ingo,
thanks for your reply. I agree that every vendor has its advantages/disadvantages. Systems in front of EOP are limited to the mail routing chain, whereas EOP is better integrated.

On the other hand, due to millions of M365 tenants sharing the same resources, like IP addresses and AI intelligence, your freedom to configure your tenant’s settings according to your needs is limited, e.g. being unable to really whitelist false-positive emails. Instead, submitting them is an unpredictable and tedious task.

Kind regards
Max.

By: Ingo, Wed, 03 Jul 2024 12:40:05 +0000 (https://practical365.com/email-protection-basics/#comment-296359)

Hi Max,
We had several vendors. All of them have flaws. I think it’s up to the vendors how they deal with your complaints and what the technical solution looks like.
Yes, we also have false positives or negatives. I can only emphasize doing as many admin submissions as possible to train your tenant-specific ML. If this still doesn’t help, open a case with MS.
Ciao,
Ingo
