
How to create trusted Emails

You set up a business email. Awesome! However, your outgoing emails are ending up in your recipients' spam folders. We need to fix that.

In this article, I'm going to use Microsoft 365 as my email provider, but the process will be similar for any provider.

Creating Aliases to your primary domain

After creating a Microsoft account with your primary email address (i.e. my-name@my-domain.com), you probably want to create some aliases that you can receive email from and send email as.

Go to the Microsoft 365 admin portal and go to Users -> Active users. Click on your user and you should see that you're on the Account tab. Click the Manage username and email link under the Aliases section.

You can now add aliases to your primary user, such as help@my-domain.com or contact@my-domain.com. I would also go ahead and add aliases for the DMARC reports that we'll get to later: dmarc-reports@my-domain.com and dmarc-forensic@my-domain.com.

Adding another domain

We can have ONE Microsoft account and yet send/receive emails from MULTIPLE domains. Click the Show all drop down in the side menu, then the Settings dropdown, and Domains. Here, you can simply add a new domain. Follow the steps to add the DNS records (this is automatic with Cloudflare). After you do this, you can add aliases from this domain to your main user, so I may want to add my-name@my-second-domain.com as an alias.

Sending email from Aliases

There is a setting in Microsoft 365 to enable sending email from aliases, but honestly, I think it's easier to just do it in PowerShell. You'll need to run PowerShell as an administrator.

Install the Exchange Online PowerShell Module

Install-Module -Name ExchangeOnlineManagement

Then connect to Exchange Online

Connect-ExchangeOnline

This will prompt you to sign in. You can just select that you want to sign into this app only, and use your new business email credentials.

You can check the status of sending emails as an Alias with

Get-OrganizationConfig | ft Name, SendFromAliasEnabled

If it is False, then set it to true with

Set-OrganizationConfig -SendFromAliasEnabled $True

In Outlook, you have to manually enable the aliases you want to be able to send messages from. Click on the Settings gear icon on the top right, then go to the Mail -> Compose and reply menu. You'll then see the list of Addresses to send from. Check all the aliases you want to be able to send from. You should also check Always show From, so you can see who you are sending mail as.

Adding DKIM

DKIM stands for DomainKeys Identified Mail. Our email provider can digitally sign emails to prove that they are coming from the legitimate domain. This is done with a private-public key pair. Basically, Microsoft generates the key pair and signs our emails with the private key, and the public key is published as a DNS record so that the receiving mail server can verify the DKIM signature.

For whatever reason, Microsoft 365 does not automatically do this for you. We need to go to the Microsoft Defender security portal, open the Email & collaboration drop down, then Policies & rules, then Threat policies, then Email authentication settings. Go to the DKIM tab.

You should see a list of your domains, and they are likely "Disabled". Click on a domain, and you will see instructions to publish CNAMEs. Create those two CNAME records in your DNS provider settings. Give it 10+ minutes and then see if you can toggle the switch to enable DKIM. Awesome! Now your emails are being signed.

Adding DMARC

DMARC stands for Domain-based Message Authentication, Reporting & Conformance.

What we're going to do is create a TXT record in our DNS with the host name _dmarc and the value v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100

The rua provides aggregate reports, or summarized information about the authentication results.

The ruf provides forensic reports, or detailed information about individual failed emails.

From the Microsoft page, https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure

Note

The DMARC Aggregate and DMARC Forensic reports give the numbers and sources of messages that pass and fail DMARC checks. You can see how much of your legitimate mail traffic is or isn't covered by DMARC, and troubleshoot any problems. You can also see how many fraudulent messages are being sent, and where they're sent from.

After some time, you can increase the DMARC policy to p=quarantine, and after more time, increase the policy to p=reject.

What to monitor

Look at your rua reports for authentication failures, especially from legitimate sources, and identify the reasons for the failures (e.g. SPF failures, DKIM failures, alignment issues).

After 3-4 weeks, if you are confident that most or all of your legitimate emails are passing authentication, you can increase p=none to p=quarantine.
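To make the record and the alignment rules concrete, here is an added Python example (not from the original post) that parses the DMARC record above and works out what a receiving server would do with three constructed messages: a normal one, one forwarded through a third party (SPF breaks, DKIM survives), and one sent from an unrelated domain. The organizational-domain helper approximates the Public Suffix List with "last two labels", an assumption made so the code runs offline; the domains and results are placeholders.

```python
"""Parse a DMARC TXT record and decide what a receiver would do with a message.

Added example, not code from the original post. The record is the one the post
proposes; the message authentication results below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# The record the post tells you to publish at _dmarc.<your domain>.
DMARC_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; "
                "ruf=mailto:dmarc-forensic@yourdomain.com; pct=100")


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and fill in the RFC 7489
    defaults for tags that may be omitted (relaxed alignment, pct=100)."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    real receivers consult the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str | None, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResult:
    from_domain: str          # domain in the visible From: header
    spf_pass: bool
    spf_domain: str | None    # MAIL FROM domain that SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str | None   # d= of the DKIM signature that verified


def dmarc_disposition(record: dict[str, str], r: AuthResult) -> str:
    """Return 'pass', or the action the published p= policy requests.
    DMARC passes when SPF or DKIM passes AND that identifier aligns with
    the From domain; this is where 'alignment issues' in the reports come from."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return record["p"]


# Constructed cases: normal delivery, mail forwarded by a third party (SPF now
# fails but the DKIM signature still verifies), and mail from an unrelated domain.
SAMPLES = {
    "legit": AuthResult("my-domain.com", True, "my-domain.com", True, "my-domain.com"),
    "forwarded": AuthResult("my-domain.com", False, "forwarder.example", True, "my-domain.com"),
    "unrelated": AuthResult("my-domain.com", True, "other.example", False, None),
}


def evaluate_all(txt: str) -> dict[str, str]:
    """Disposition for every constructed sample under the given record."""
    record = parse_dmarc(txt)
    return {name: dmarc_disposition(record, res) for name, res in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in evaluate_all(DMARC_RECORD).items():
        print(f"{name:10} -> {action}")
```

With p=none the unrelated message is only reported, which is why the post has you read the rua reports first; the same function returns "reject" for it once you change the record to p=reject, while the forwarded message still passes thanks to DKIM alignment.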

SPF

When you created your email address, the email provider should have already given you a DNS record for SPF, or Sender Policy Framework.

From the Cloudflare documentation

Note

Sender Policy Framework (SPF) is a way for a domain to list all the servers they send emails from. Think of it like a publicly available employee directory that helps someone to confirm if an employee works for an organization.

SPF records list all the IP addresses of all the servers that are allowed to send emails from the domain, just as an employee directory lists the names of all employees for an organization. Mail servers that receive an email message can check it against the SPF record before passing it on to the recipient's inbox.
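The "employee directory" check described above, as an added Python example (not from the original post or Cloudflare's documentation): a small SPF evaluator that walks a record's mechanisms left to right and reports whether a sending IP is authorised. DNS is replaced by a constructed in-memory table so it runs offline, and only the ip4, ip6, include and all mechanisms are implemented; the domain names and addresses are placeholders.

```python
"""Check whether a sending IP is authorised by a domain's SPF record.

Added example, not code from the original post. Lookups use a constructed
table instead of DNS; the mechanism syntax follows RFC 7208.
"""
from __future__ import annotations

import ipaddress

# Constructed "DNS": the domain's record delegates to its mail provider with
# include:, which is the shape hosted-mail providers usually hand you.
TXT_RECORDS = {
    "my-domain.com": "v=spf1 ip4:203.0.113.10 include:mail.provider.example -all",
    "mail.provider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain: str) -> str | None:
    """Stand-in for a DNS TXT query (assumption: real code would resolve it)."""
    return TXT_RECORDS.get(domain.lower().rstrip("."))


def check_spf(ip: str, domain: str, _depth: int = 0) -> str:
    """Evaluate mechanisms left to right; the first one that matches decides.
    Returns one of pass, fail, softfail, neutral, none, permerror, temperror."""
    if _depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per check
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == network.version and addr in network:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif name == "include":
            # include: matches only if the referenced record yields "pass";
            # its own "-all" / "~all" do not propagate.
            if check_spf(ip, arg, _depth + 1) == "pass":
                return RESULT_FOR_QUALIFIER[qualifier]
        else:
            # a, mx, exists, redirect= need live DNS, which this offline example
            # does not have; report it as a temporary error rather than guess.
            return "temperror"
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    # Constructed senders: the domain's own host, a provider host, an outsider.
    for sender in ("203.0.113.10", "198.51.100.77", "2001:db8::1", "192.0.2.5"):
        print(f"{sender:16} -> {check_spf(sender, 'my-domain.com')}")
```

The outsider address ends in "fail" because the domain's record closes with -all, while the same address checked directly against the provider record only gets "softfail" from its ~all; that difference is exactly what a receiver (and DMARC, via SPF alignment) sees when deciding what to do with a message.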
