Month: October 2012

Managing Exchange Online Sender Policy Framework (SPF) Records


As an Exchange Online administrator you may have noticed that you can only add about two SPF include: entries for your customer domain.  Add any more and you may find that receiving mail servers that check SPF records refuse to accept your mail.  This happens because the total number of include: entries exceeds 10.  The SPF RFC allows a maximum of 10 include entries; beyond that, mail servers are unable to process the record and therefore do not accept the message.

Background

Microsoft’s Exchange Online service, through the Outlook.com namespace, already has 8 SPF include entries, and these are combined with the include entries in the customer domain’s SPF record when incoming mail is processed.  When the number of include entries is greater than 10, the mail server will not accept the mail.

Outlook.com SPF Record Entries

Prefix  Type     Value                       Description
+       include  spf-a.outlook.com           The specified domain is searched for an ‘allow’.
+       include  spf-b.outlook.com           The specified domain is searched for an ‘allow’.
+       ip4      157.55.9.128/25             Match if IP is in the given range.
+       include  spfd.outlook.com            The specified domain is searched for an ‘allow’.
+       include  spfe.outlook.com            The specified domain is searched for an ‘allow’.
+       include  spff.outlook.com            The specified domain is searched for an ‘allow’.
+       include  spf-a.hotmail.com           The specified domain is searched for an ‘allow’.
+       include  _spf-ssg-b.microsoft.com    The specified domain is searched for an ‘allow’.
+       include  _spf-ssg-c.microsoft.com    The specified domain is searched for an ‘allow’.
~       all                                  Always matches. It goes at the end of your record.

Resolution

Designate a subzone such as marketing.contoso.com for any third-party mailing services you need, then split the SPF records between the two zones.  Contoso will then have 9 include records in total between Outlook.com and contoso.com, which is under the 10-entry limit, so recipient mail servers will accept mail as long as it is sent by one of the sources listed in the SPF record(s).

  • contoso.com
    “v=spf1 ip4:69.212.255.130 include:outlook.com -all”
  • marketing.contoso.com
    “v=spf1 include:FQDN include:FQDN -all”

Mail that comes directly from Exchange Online is sent as @contoso.com, while mail that comes from the marketing provider is sent as @marketing.contoso.com (or something similar). This is more secure because it designates a specific zone for the third parties who send mail on the company’s behalf.

Update

A new SPF include (spf.protection.outlook.com) has been created that references only the Office 365 IP ranges.  It will begin to show in the Microsoft Online Portal (MOP) UI for managing domains in the next few weeks (around the end of November 2012), and from that point forward both Office 365 and Office 365 Preview tenants will see the new entry as the value to include in the SPF record for their domains.   This means all new and existing tenants (14 and 15) should be using the new include, which cuts down the total number of SPF includes and keeps the total under the RFC limit of 10.  Note that, based on the resource below, the SPF include limit is counted in names (FQDNs): the receiving mail server will only follow 10 names, which resolve to the IP addresses that are collected and used for the check.  A record with one FQDN include and nine ip4 entries therefore has effectively one entry counted against the include limit.
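To make the counting rule concrete for both the split-zone layout above and the FQDN-versus-IP note, here is an added example (not from the original post) that walks a constructed, in-memory copy of the relevant records and counts the lookup-costing terms the way a receiver would. The .example domain names, the leaf records and the contoso-merged.example record are invented; outlook.com mirrors the post's table.

```python
import re

LIMIT = 10  # RFC 4408 s10.1: at most 10 DNS-lookup terms per SPF evaluation
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # ip4/ip6/all cost no lookup
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)

# Constructed stand-in for DNS: domain -> SPF TXT record. Nothing is resolved over the network.
# outlook.com mirrors the post's table; the .example names and the leaf records are invented.
SAMPLE_ZONE = {
    "contoso.com": "v=spf1 ip4:69.212.255.130 include:outlook.com -all",
    "marketing.contoso.com": "v=spf1 include:mailer-a.example include:mailer-b.example -all",
    "contoso-merged.example": ("v=spf1 ip4:69.212.255.130 include:outlook.com "
                               "include:mailer-a.example include:mailer-b.example -all"),
    "outlook.com": ("v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com "
                    "ip4:157.55.9.128/25 include:spfd.outlook.com include:spfe.outlook.com "
                    "include:spff.outlook.com include:spf-a.hotmail.com "
                    "include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"),
    "mailer-a.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "mailer-b.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
for _leaf in ("spf-a.outlook.com", "spf-b.outlook.com", "spfd.outlook.com",
              "spfe.outlook.com", "spff.outlook.com", "spf-a.hotmail.com",
              "_spf-ssg-b.microsoft.com", "_spf-ssg-c.microsoft.com"):
    SAMPLE_ZONE[_leaf] = "v=spf1 ip4:203.0.113.0/24 -all"  # IP-only leaves: 0 further lookups

def count_lookups(domain, zone=SAMPLE_ZONE, path=()):
    """DNS lookups spent evaluating `domain`, following include: and redirect= recursively."""
    if domain in path:      # include loop: a receiver returns permerror; stop counting here
        return 0
    record = zone.get(domain)
    if record is None:      # unknown name: the include that led here was already counted
        return 0
    total = 0
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        m = TERM.match(term)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in LOOKUP_MECHS:
            total += 1
            if name == "include" and arg:
                total += count_lookups(arg, zone, path + (domain,))
        elif name == "redirect" and arg:
            total += 1 + count_lookups(arg, zone, path + (domain,))
    return total

def check(domain, zone=SAMPLE_ZONE):
    # (lookups, ok); ok is False when receivers will reject the record with permerror
    n = count_lookups(domain, zone)
    return n, n <= LIMIT
```

With the split layout, contoso.com costs 9 lookups and marketing.contoso.com 2, while folding the marketer's includes into the main record (contoso-merged.example) costs 11 and fails.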

Resource:

SPF Permanent Error: Too many DNS lookups:  http://community.office365.com/en-us/f/148/p/870/7485.aspx?pageindex=1

Creation & Verification of Multiple Online Domains


Admins who have many custom domains to create and verify can either use the manual process or use PowerShell to get these domains up and running in no time at all:

Steps

  1. Open a new Microsoft PowerShell for Online Services command shell and connect to your Office 365 tenant.  Download it here if you don’t have a copy:  http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx#BKMK_DownloadTheMOSIdentityFederationTool
    1. Connect-MsolService [use Global Admin credentials]
  2. Create a new domains.txt or domains.csv file (your preference) with one column and a list of all your custom domains.
    1. Column: DomainName
  3. Import-Csv .\domains.txt | foreach { New-MsolDomain -Name $_.DomainName }
  4. Once the above process is complete, export the list of DNS records for each unverified domain:
    1. (Get-MsolDomain -Status Unverified).Name | foreach { Get-MsolDomainVerificationDns -Mode DnsTxtRecord -DomainName $_ } | Select-Object Label, Text | Export-Csv DNS.txt
  5. Create your DNS records for each domain based on the information placed into the DNS.txt file, which will be located in the same folder where you ran the above command.
  6. Once all DNS records are in place, complete the process by confirming all the unverified domains that PowerShell created:
    1. (Get-MsolDomain -Status Unverified).Name | foreach { Confirm-MsolDomain -DomainName $_ }

Note – You can only have 50 unverified domains in your online tenant.  If you have more than 50 domains, you should perform these steps in batches of 50.

Auditing and Compliance in Office 365 for SharePoint & Exchange Messaging


Auditing and Compliance in Office 365

Audience: Office 365 for Enterprise Administrators

Office 365 includes auditing and compliance features in Exchange Online and in SharePoint Online that you can use to help your organization meet its legal, regulatory, and organizational compliance requirements.  Office 365 administrators can configure these services for themselves without contacting Support.

Exchange Online

Here’s what you can do in Exchange Online to help your organization meet its compliance requirements:

  • Comply with data retention requirements or legal requirements by preventing the deletion of email messages.
  • Search for email items related to specific legal cases or requests from regulatory authorities.
  • Control the flow of messages and implement actions based on message content or on message senders and recipients.
  • Encrypt content and enforce email usage policies.

For more information, see Security and Compliance in Exchange Online for Office 365.

Exchange Online Audit Reports

Use audit logging to troubleshoot configuration issues by tracking specific changes made by administrators and to help you meet regulatory, compliance, and litigation requirements. Exchange Online provides two types of audit logging:

  • Administrator Audit Logging records any action, based on a Windows PowerShell cmdlet, performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of security or compliance related issues.
    • Note – The following PowerShell operations against Exchange Online are not recorded in the audit logs:  Test-, Get-, and Search- cmdlets.
  • Mailbox Audit Logging records whenever a mailbox is accessed by someone other than the person who owns the mailbox. Use this to see who’s accessing a mailbox and what they did.


SharePoint Online

Here’s what you can do in SharePoint Online to help your organization meet its compliance requirements:

  • Create and apply information management policies
  • Create content retention and expiration rules and policies
  • Search and create a hold to protect specific documents or items from expiration policies

For more information, see Records management and compliance in SharePoint Online.

SharePoint Online Auditing Reports

Configure Audit Settings for a Site Collection

You can use the SharePoint Online audit feature to track which users have taken what actions on the sites, content types, lists, libraries, list items, and library files of site collections. Knowing who has done what with a particular piece of information is critical for many business requirements, like regulatory compliance and records management.

Configure Events to Audit

  1. On the Site actions menu, click Site settings.
  2. If you are not at the root of your site collection, under Site Collection Administration, click Go to top level site settings.

Note:  The Site Collection Administration section will not be available if you do not have the necessary permissions.

  3. On the Site Settings page, under Site Collection Administration, click Site collection audit settings.
  4. On the Configure Audit Settings page, in the Documents and Items and List, Libraries, and Site sections, select the events you want to audit, and then click OK.

Which events you audit depends on your auditing needs. For example, regulatory compliance usually has specific requirements that will dictate which events you need to audit. We recommend that you only audit the events required to meet your needs. Additional unnecessary auditing can affect the performance and other aspects of the site collection.

Important:  If you are using SharePoint Online for Microsoft Office 365 for enterprises, auditing for Opening or downloading documents, viewing items in lists, or viewing item properties is not available because of storage and performance concerns.

View Audit Log Reports

You can use the SharePoint Online audit log reports to view the data in the audit logs for a site collection. You can sort, filter, and analyze this data to determine who has done what with sites, lists, libraries, content types, list items, and library files in the site collection. For example, you can figure out who deleted a particular piece of content.

View Audit Log Reports

To view an audit log report:

  1. On the Site actions menu, click Site settings.
  2. If you are not at the root of your site collection, under Site Collection Administration, click Go to top level site settings.

Note:  The Site Collection Administration section will not be available if you do not have the necessary permissions, such as by being a member of the default Site Collection Administrators group.

  3. In the Site Collection Administration section, select Audit log reports.
  4. On the View Auditing Reports page, select the report that you want, such as Deletion.
  5. Type or browse to the library where you want to save the report and click OK.
  6. On the Operation Completed Successfully page, click “click here to view this report.”

Notes 

  • Excel 2010 must be installed to view audit log reports by clicking “click here to view this report.”
  • Alternatively, if opening documents in the browser is enabled for the library, go to the library where you saved the audit log report, point to the audit log report, click the down arrow, and then click View in Browser.

You can now use standard Excel features to narrow the reports to the information you want. Some ways in which you can analyze and view the log data include:

  • Filtering the audit log report for a specific site.
  • Filtering the audit log report for a particular date range.
  • Sorting the audit log report.
  • Determining who has updated content.
  • Determining which content has been deleted but not restored.
  • Viewing the changes to permissions on an item.