Nathan McNulty
Sep 23, 2021, 11 tweets
DMARC: Domain-based Message Authentication, Reporting and Conformance

Phew, that's a mouthful. Let's simplify this a bit.

DMARC lets you tell other mail servers what to do about email sent from your domains. A TXT record at _dmarc.<yourdomain> tells receivers two things about mail whose From: header uses your domain: what to do with messages that fail SPF/DKIM alignment (p=none, quarantine or reject) and where to send aggregate reports on what they saw (rua=mailto:...).
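As an added example (not the thread's, Valimail's or dmarcian's code), here is a small Python model of what a receiving server does with that record: parse the tags with RFC 7489 defaults, discover the policy for a subdomain, check SPF/DKIM identifier alignment and pick a disposition. The zone data is constructed, and the organizational-domain rule is simplified to the last two labels (real evaluators use the Public Suffix List). It also shows why ~all versus -all makes no difference to DMARC itself: only an SPF pass from an aligned domain counts.

```python
# Added example (not Valimail's, dmarcian's or the thread author's code): a minimal
# DMARC record parser and policy evaluator following RFC 7489. ZONE is constructed
# sample data; org_domain() is a simplification (real code uses the Public Suffix List).
from typing import Optional, Tuple

ZONE = {  # constructed: what a resolver would return for these _dmarc TXT lookups
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; adkim=s; aspf=s; rua=mailto:reports@example.net",
    "_dmarc.example.org": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.org",
}
VALID_P = ("none", "quarantine", "reject")


def org_domain(domain: str) -> str:
    """Organizational domain (simplified: last two labels; wrong for e.g. *.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse a _dmarc TXT record into a tag dict with RFC 7489 defaults applied.
    Returns None if the text is not a usable DMARC record."""
    if not txt.strip().lower().startswith("v=dmarc1"):   # v= must be the first tag
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags["rua"] = [u for u in tags.get("rua", "").split(",") if u]
    if tags.get("p") not in VALID_P:
        if not tags["rua"]:              # no policy and nowhere to report: unusable
            return None
        tags["p"] = "none"               # RFC 7489 6.6.3: bad/missing p but usable rua -> p=none
    if tags.get("sp") not in VALID_P:
        tags["sp"] = tags["p"]           # sp= defaults to p=
    tags.setdefault("adkim", "r")        # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def lookup_policy(from_domain: str, zone: dict = ZONE) -> Tuple[Optional[dict], bool]:
    """Policy discovery: try _dmarc.<from_domain>, then the organizational domain.
    Returns (record, use_subdomain_policy)."""
    rec = parse_dmarc(zone.get(f"_dmarc.{from_domain}", ""))
    if rec:
        return rec, False
    org = org_domain(from_domain)
    if org != from_domain:
        rec = parse_dmarc(zone.get(f"_dmarc.{org}", ""))
        if rec:
            return rec, True             # record came from the org domain: sp= applies
    return None, False


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(from_domain: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str, zone: dict = ZONE,
             sampled: bool = True) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.
    spf_domain is the MAIL FROM domain, dkim_domain the d= of the verified signature.
    sampled=False models a message that fell outside the pct= sample."""
    rec, use_sp = lookup_policy(from_domain, zone)
    if rec is None:
        return "none", "none"            # nothing published, nothing to enforce
    # Only an SPF *pass* counts; softfail (~all) and fail (-all) look the same to DMARC.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    action = rec["sp"] if use_sp else rec["p"]
    if not sampled and rec["pct"] < 100:  # RFC 7489 6.6.4: unsampled mail gets the next weaker action
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return "fail", action


if __name__ == "__main__":
    cases = [
        ("example.com", "pass", "bounce.example.com", "none", ""),           # aligned SPF (relaxed)
        ("example.com", "pass", "sendgrid.net", "fail", "sendgrid.net"),     # SaaS sending unaligned
        ("news.example.com", "softfail", "news.example.com", "none", ""),    # subdomain -> sp=
        ("example.net", "fail", "example.net", "pass", "mail.example.net"),  # strict adkim
        ("nopolicy.test", "fail", "nopolicy.test", "none", ""),              # no record published
    ]
    for case in cases:
        print(case[0], evaluate(*case))
```

The sendgrid.net case is the Marketing-SaaS problem from the recap: raw SPF passes for the vendor's own domain, nothing aligns with the From: domain, so p=reject would drop that mail until the vendor signs DKIM with your domain or uses a custom return-path.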

If you haven't done SPF/DKIM, do that first:
If you're using O365 and don't have DMARC reports going somewhere useful, you can now set this up for free:

microsoft.com/security/blog/…

Now, I'm not a big fan of how they handle DNS... but it's free? I've always used @dmarcian and really prefer the way they do it.

But let's test!
Cool, well, let's sign up:
use.valimail.com/Brand-Reputati…

Once you submit the form, you'll get a confirmation email with a link to activate your account

Following the link will take you to a page to set up your password. Heads up though, the password requirements are terrible... 😫
Whoops, not sure if this error is because I struggled with the password, adblock, or something else.

If you get this error, just go to app.valimail.com and it should start you off with this really nice wizard.

They did a really nice job of making this look easy :p
So there is a guided walkthrough of the options they want us to configure

I think this is really nice and helpful for those who are stuck as email / DNS admins and don't want to know how this stuff works 🤭

We already did SPF/DKIM, but I guess I'll try this... for science :)
So click on the spinning caret (lol), and we'll be taken to the setup for DMARC

Here's what I don't like - an NS record 🤮

dmarcian just gives you an email address to put in the rua= tag of your DMARC record. Valimail is trying to make life easier, so I get it.

So I reluctantly add to DNS :p
We should now be able to hit Verify DNS, and it will show a checkmark next to the DMARC record

Next, I click on SPF

Not too happy with ~all (soft fail), but I guess if you are trying to clean it up, you probably don't want to start at -all (hard fail)

Same process as before
OK, so I guess we're delegating DKIM to them via an NS record too

Uggh, I'm not sure I want to do this with one of my dev domains much less a prod one :-/

But I'm going to finish it and see if I have other options once I play around in here a while

Same process as DMARC/SPF
If you've been following along, your DNS will probably look something like the image below

At this point, it looks like the default policy is p=none. You can click the SET DMARC POLICY button to view and make changes.

Now to generate a lot of email to populate the dashboard
OK, so I'm pausing here, and let's recap

The rua= tag in the DMARC record tells receiving mail servers to send aggregate reports to Valimail about the mail they receive claiming to be from my domains

Valimail uses this to show who is sending email as my domains (like an asset inventory), so I can clean up my SPF and add DKIM where needed
The goal is to get SPF to -all (hard fail) and DMARC to a policy of reject. Keep in mind that DMARC only credits an SPF pass from an aligned domain, so ~all and -all are treated the same by DMARC-enforcing receivers; -all still matters for receivers that evaluate SPF on its own, and it can get forwarded mail rejected at SMTP time before DKIM is ever checked, so move to it deliberately.

We don't want a reject policy telling everyone to throw away email from Marketing's awesome SaaS service, though

Enforced DMARC lets receivers reject mail that spoofs your domain, which protects you AND everyone you send email to
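What the reports Valimail consumes actually contain, as an added example that is not Valimail's or the thread author's code: a parser for one RFC 7489 aggregate (rua) report and a triage step that turns it into the per-sender inventory described above, including a pass rate to watch before moving to p=reject. SAMPLE_REPORT is constructed data with three senders; the IP addresses and domains are placeholders. Real reports arrive as gzip/zip attachments from untrusted parties, so in production parse them with defusedxml; the stdlib parser here assumes trusted input.

```python
# Added example (not Valimail's or the thread author's code): parse one DMARC
# aggregate (rua) report, as defined in RFC 7489 Appendix C, and turn it into the
# per-sender inventory a dashboard would show. SAMPLE_REPORT is constructed data.
import xml.etree.ElementTree as ET  # assumes trusted input; real reports are untrusted XML, use defusedxml
from typing import Dict, List

SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id>
  <date_range><begin>1632355200</begin><end>1632441600</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><sp>none</sp><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result><selector>selector1</selector></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bounce.marketing-saas.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def parse_aggregate(xml_text: str) -> dict:
    """Flatten a rua report into the published policy plus one dict per <record>."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    rows: List[dict] = []
    for rec in root.findall("record"):
        row, pe, ar = rec.find("row"), rec.find("row/policy_evaluated"), rec.find("auth_results")
        spf = ar.find("spf") if ar is not None else None
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": pe.findtext("disposition"),
            "dmarc_spf": pe.findtext("spf"),     # aligned result, the one DMARC cares about
            "dmarc_dkim": pe.findtext("dkim"),
            "raw_spf": (spf.findtext("domain"), spf.findtext("result")) if spf is not None else (None, "none"),
            "raw_dkim": [(d.findtext("domain"), d.findtext("result")) for d in ar.findall("dkim")] if ar is not None else [],
        })
    return {"reporter": root.findtext("report_metadata/org_name"),
            "domain": pub.findtext("domain"), "p": pub.findtext("p"), "rows": rows}


def triage(report: dict) -> Dict[str, dict]:
    """Per source IP: volume, how much passed DMARC, and the cleanup action that the
    raw vs. aligned results point to. Sorted by volume, largest first."""
    out: Dict[str, dict] = {}
    for r in report["rows"]:
        s = out.setdefault(r["source_ip"], {"messages": 0, "dmarc_pass": 0, "action": ""})
        s["messages"] += r["count"]
        if "pass" in (r["dmarc_spf"], r["dmarc_dkim"]):
            s["dmarc_pass"] += r["count"]
            s["action"] = "ok: aligned SPF or DKIM"
        elif r["raw_spf"][1] == "pass":   # vendor passes SPF for its own domain, not yours
            s["action"] = (f"SPF passes for {r['raw_spf'][0]} but is not aligned with "
                           f"{r['header_from']}: add aligned DKIM or a custom return-path")
        elif any(res == "pass" for _, res in r["raw_dkim"]):
            s["action"] = "DKIM passes but d= is not aligned: sign with your own domain"
        else:
            s["action"] = "no aligned auth: add to SPF/DKIM if legitimate, else spoofing that p=reject stops"
    return dict(sorted(out.items(), key=lambda kv: -kv[1]["messages"]))


def pass_rate(report: dict) -> float:
    """Share of reported messages that passed DMARC; watch this before moving to p=reject."""
    total = sum(r["count"] for r in report["rows"])
    passed = sum(r["count"] for r in report["rows"] if "pass" in (r["dmarc_spf"], r["dmarc_dkim"]))
    return passed / total if total else 0.0


if __name__ == "__main__":
    rep = parse_aggregate(SAMPLE_REPORT)
    print(f"{rep['reporter']} report for {rep['domain']} (p={rep['p']}), pass rate {pass_rate(rep):.0%}")
    for ip, s in triage(rep).items():
        print(f"{ip:15} {s['messages']:5} msgs  {s['dmarc_pass']:5} pass  {s['action']}")
```

The middle sender is the case to watch for: raw SPF passes, so the vendor is a real, authorized sender, but the DMARC-evaluated result is a fail because nothing aligns with the From: domain. Moving to p=reject before fixing that row is how Marketing's mail disappears.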
