Let's walk through setting up email in Office 365 :D If you haven't added a custom domain or signed up for a free M365 Developer account, check the quoted thread below. To get started, sign into the M365 admin center (admin.microsoft.com) and into the DNS console for your domain :)
Quoted thread: A quick Azure AD thread on adding custom domains. This is pretty straightforward, but there are still some fun notes along the way. Again, I really want this to be accessible to folks who have never even had access to Azure before, so please go sign up!
While doing this setup through the M365 admin center is not required, it sure makes life easier if you don't know the DNS records off the top of your head. So we go under Settings - Domains, and you should see something like the picture below. Check your domain and continue setup.
Now I'm going to warn you ahead of time, Microsoft has made some really dumb choices here... I know it's to make life easier on people, but, well, you'll see :( OK, so they tell you to add DNS records, and I'm going to hit Advanced Options to get the Azure AD / Intune records too.
Let's copy these entries into our DNS. For me, that's Cloudflare. First up, mail exchange (MX) records. These tell other email servers where to deliver email for your domain. Microsoft only uses one, Gmail uses several. The lowest priority value is tried first; records with the same priority are load balanced (the sender picks one of them).
Next, the Sender Policy Framework (SPF) record. This is like an allow list for who should be sending email as your domain. The -/~/? qualifier on the `all` mechanism at the end tells receiving servers what to do if the sender isn't in the record. There is an old dedicated SPF record type - do not use it. Make sure you publish it as a TXT record.
Last note on SPF: + (pass) and ? (neutral) should never be used. You want to use - (hard fail) whenever possible. ~ (soft fail) opens you up to spoofing but is necessary while you clean up your SPF record. Next - autodiscover. This CNAME helps mail clients like Outlook find your Exchange Online mailbox.
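To make the qualifier rules concrete, here is an added example (my own code, not from the thread or from Microsoft) that parses an SPF TXT record, reports which `all` qualifier it ends with, and counts the terms that cost a DNS lookup. The sample records are constructed; `spf.protection.outlook.com` is the include Microsoft 365 hands you, and the IP range is RFC 5737 documentation space.

```python
# Added example (not from the thread): classify the "all" qualifier of an
# SPF TXT record and count the terms that trigger a DNS lookup.
import re

# Constructed sample records for each qualifier case.
SAMPLE_RECORDS = {
    "m365-hardfail": "v=spf1 include:spf.protection.outlook.com -all",
    "m365-softfail": "v=spf1 include:spf.protection.outlook.com ~all",
    "neutral": "v=spf1 include:spf.protection.outlook.com ?all",
    "pass-all": "v=spf1 ip4:203.0.113.0/24 +all",
    "no-all": "v=spf1 include:spf.protection.outlook.com",
    "not-spf": "spf2.0/pra include:spf.protection.outlook.com -all",
}

QUALIFIER_MEANING = {
    "-": "hard fail: receivers should reject mail from unlisted senders",
    "~": "soft fail: unlisted senders are accepted but marked; use only while cleaning up",
    "?": "neutral: gives receivers no guidance, so spoofing is not prevented",
    "+": "pass: anyone may send as this domain, which makes the record useless",
}

# Mechanisms and modifiers that cause a DNS query; RFC 7208 caps these at 10.
DNS_QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, term) pairs.

    Mechanisms get their explicit qualifier, or '+' when none is written
    (the SPF default). Modifiers such as redirect= carry no qualifier (None).
    Returns None when the record is not SPF v1.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:
            parsed.append((None, term))  # modifier, e.g. redirect=_spf.example.com
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term))
    return parsed


def term_name(term):
    """Mechanism or modifier name without its argument or CIDR length."""
    return re.split(r"[:/=]", term, maxsplit=1)[0].lower()


def assess_spf(record):
    """Describe the record's 'all' qualifier and its DNS-lookup cost."""
    parsed = parse_spf(record)
    if parsed is None:
        return {"valid": False, "reason": "not an SPF v1 record (missing v=spf1)"}
    lookups = sum(1 for _, t in parsed if term_name(t) in DNS_QUERYING)
    all_quals = [q for q, t in parsed if term_name(t) == "all"]
    if not all_quals:
        return {"valid": True, "all": None, "acceptable": False, "lookups": lookups,
                "reason": "no 'all' mechanism; unlisted senders get an implicit neutral"}
    q = all_quals[0]
    return {"valid": True, "all": q, "acceptable": q == "-", "lookups": lookups,
            "reason": QUALIFIER_MEANING[q]}


if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(f"{label:14} {assess_spf(rec)}")
```

Only a record ending in `-all` comes back `acceptable`; `~all` is reported with its cleanup-only caveat, and `+all`, `?all`, and a missing `all` are all flagged.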
The next couple of records are for Azure AD registration and Intune enrollment. I will be doing some Intune labs / threads, so I'm going to add these as well. You should now have 3 entries for email and 2 entries for device registration if you decided to do those too :)
So now I go back to the M365 admin center, click next to verify the records, and... What the hell Microsoft?!? Look, I get you want to make things easier on people, but maybe ask how we want to do it. So not cool 😡

7:30 PM · Sep 18, 2021

Alright, so I hit back, and it takes me to this page, which took me a minute longer than it should have to figure out what was going on. First image = dumb. Second image = should be the default the first time you start the wizard.. Alright, select Add your own DNS records and continue.
Cool, this is the same list of records, but they really want to make you work for it :-/ I click continue here, which does successfully validate my records, and we are good to go! We should now be able to send/receive email! But we may have to wait a few minutes because DNS :P
So there are a couple of other important records that were missing from this wizard - DKIM and DMARC. For DKIM, let's head over to the M365 Defender portal (security.microsoft.com), and go under Email & collaboration - Policies & rules - Threat policies - DKIM (under rules).
DomainKeys Identified Mail (DKIM) digitally signs selected headers (and a hash of the body) on your outbound messages so receivers can prove they were not tampered with in transit. By default, Microsoft signs email with the private key for your tenant.onmicrosoft.com, because they can host the matching public key in their own DNS.
In my case, getsecurer.com is being signed by getsecurer.onmicrosoft.com - not aligned. We want to fix that, so I click on my domain and click Create DKIM keys, then create the CNAME records as listed.
While we wait for DNS, a couple cool things about DKIM :) With SPF alone, mail forwarded through a listserv, Google Groups, etc. fails because it was relayed by servers that aren't in your record. DKIM solves this because the signature still verifies after forwarding (as long as the forwarder doesn't modify the signed parts). With SaaS apps, DKIM can guarantee the email came from your tenant!
Finally, we can slide the slider to on, and assuming we didn't have any copy/paste issues and DNS is feeling kind, we should see success! The last one is DMARC, but that can get complicated quickly and deserves its own thread. I promise that is coming soon, and I'll link it here.
DMARC thread tomorrow, but last note for this thread :) If we look at the Authentication-Results header, we now see "dkim=pass (signature was verified) header.d=getsecurer.com". Previously, it read "header.d=getsecurer.onmicrosoft.com", which doesn't align with the sending domain name.
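Here is an added example (my own code, not from the thread or from Microsoft) that does the alignment check above programmatically: it parses an Authentication-Results header, pulls out the DKIM result and `header.d`, and compares the signing domain with the From domain. The two headers are constructed to mirror the before/after states in the thread (an `mx.example.net` authserv-id and a documentation-space IP are assumed); the relaxed check approximates organizational-domain alignment as "same domain or a subdomain of it" rather than consulting the Public Suffix List.

```python
# Added example (not from the thread): check DKIM alignment from an
# Authentication-Results header, the way DMARC evaluates it.
import re

# Constructed sample headers, mirroring the aligned and unaligned cases above.
ALIGNED_HEADER = (
    "Authentication-Results: mx.example.net; spf=pass (sender IP is 203.0.113.10) "
    "smtp.mailfrom=getsecurer.com; dkim=pass (signature was verified) "
    "header.d=getsecurer.com; dmarc=pass action=none header.from=getsecurer.com"
)
UNALIGNED_HEADER = (
    "Authentication-Results: mx.example.net; spf=pass (sender IP is 203.0.113.10) "
    "smtp.mailfrom=getsecurer.com; dkim=pass (signature was verified) "
    "header.d=getsecurer.onmicrosoft.com; dmarc=pass action=none header.from=getsecurer.com"
)
FROM_HEADER = "From: Example Sender <someone@getsecurer.com>"  # constructed


def parse_auth_results(header):
    """Return {method: {"result": ..., "<property>": ...}} from an
    Authentication-Results header (with or without the field name)."""
    value = header
    if header.lower().startswith("authentication-results:"):
        value = header.split(":", 1)[1]
    # Drop CFWS comments such as "(signature was verified)" before splitting.
    value = re.sub(r"\([^)]*\)", "", value)
    results = {}
    for stanza in value.split(";"):
        tokens = stanza.split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty, or the leading authserv-id (e.g. mx.example.net)
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def from_domain(from_header):
    """Domain part of the address in a From: header, lowercased."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else None


def dkim_aligned(results, rfc5322_from, strict=False):
    """True when DKIM passed and header.d aligns with the From domain.

    strict: exact match only. relaxed (default): one domain equals the other
    or is a subdomain of it, an approximation of organizational-domain alignment.
    """
    dkim = results.get("dkim")
    if not dkim or dkim["result"] != "pass":
        return False
    signer = dkim.get("header.d", "").lower().rstrip(".")
    sender = rfc5322_from.lower().rstrip(".")
    if not signer or not sender:
        return False
    if strict:
        return signer == sender
    return signer == sender or signer.endswith("." + sender) or sender.endswith("." + signer)


if __name__ == "__main__":
    sender = from_domain(FROM_HEADER)
    for label, hdr in (("aligned", ALIGNED_HEADER), ("unaligned", UNALIGNED_HEADER)):
        res = parse_auth_results(hdr)
        print(label, res["dkim"], "aligned:", dkim_aligned(res, sender))
```

With the onmicrosoft.com signature the DKIM check still passes, but the alignment check fails, which is exactly why DMARC would not count that signature for getsecurer.com.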