Steve Galloway | Comstat | Ruthin, North Wales

How to backup your Microsoft 365 Authenticator credentials

by Steve Galloway | May 9, 2025

Backup Microsoft Authenticator settings

***Microsoft operates Microsoft Authenticator from its Entra ID service and procudeures in this post have been superceded with effect from September 2025. Instead, click here to read the latest guidelines for Microsoft Authenticator MFA account backup.***

*****

Backup and restore your Microsoft 365 multi-factor authentication (MFA) credentials to restore access to 365 dashboards in the event of a lost or stolen mobile phone.

This option is especially useful for 365 tenancy owners/global administrators. For example, if you are a 365 tenancy owner/Global Administrator (global Admin) then you cannot turn to a higher authority to re-establish credentials if your credentials are lost.

Click on the headers below to find out how to backup Microsoft Authenticator on Apple and Android mobile phones.

Why backup has to be configured

Microsoft Authenticator data is not included in iCloud and Android mobile phone backups because the security keys are critically sensitive. Instead, you can organize Authenticator data backups in Microsoft Authenticator app settings. Authenticator backups can then be saved to Google Drive/iCloud, however you have to be verify identity against a Microsoft account to validate your identity when restoring credentials.

Microsoft Account vs Microsoft 365 account

You need a Microsoft account to backup and restore Microsoft Authenticator credentials. A Microsoft account and a Microsoft 365 account are two different entities. Without a Microsoft account you cannot back up your 365 credentials.

If you have a Microsoft account, but you have fogotten your credentials, you may need to establish a new Microsoft account. Do not lose the credentials to your Microsoft account. If you forget these credentials, you will not be able to connect Microsoft Authenticator on a new mobile phone to restore your settings. This would be catastrophic, so be sure to document your Microsoft Account credentials.

How to backup Microsoft Authenticator

Use the steps below to configure backup in Microsoft Authenticator settings. The process may vary from notes here because Microsoft updates its processes periodically. Also, the process might vary depending on your mobile phone hardware and operating system. Either way, prompts are not difficult to follow. These tips will steer you in the right direction:

Open Microsoft Authenticator on your mobile phone
Access Settings: Tap the three vertical dots at the top right corner and select <Settings>
Enable <Backup>*
Depending on your hardware, provide your Microsoft Account credentials if/when asked**

* Apple users will need to be sure Authenticator is logged in to iCloud.

** In some cases, users may already be logged in to existing Microsoft Accounts, however the backup process will direct you to provide credentials as necessary.

Recovery & Summary

To recover your credentials, install Microsoft Authenticator on your new mobile phone. Usually, the <Welcome> screen offers an option to <Begin Recovery>. This option depends on your hardware and software versions. The process is a little different for Apple and Android users, and is easily executed provided you have the credentials for iCloud/Google account, and your Microsoft Account.

You should periodically check Authenticator backup settings to verify backups are current. Authenticator app settings will confirm when your credentials were last backed up.

Authenticator offers options in settings to override Android or Apple screen-lock defaults. Also, some Apple and Android versions may need Authenticator enabling to run in the background. This can be checked in Authenticator settings.

Summary

Tenancy owners and global admins do not have scope to resort to a higher authority to restore access to a 365 dashboard if their mobile phone is lost or destroyed. Therefore it is crucial to your organization’s IT continuity to protect your access settings to 365 Admin. Microsoft Authenticator enables you to restore existing credentials which cannot otherwise be found in Android and Apple backups.

For help, contact us using WhatsApp via our web site, or by phone.

About ComStat.uk: Internet Service Provider Comstat provides IT support, web hosting, and media services including web design, Microsoft 365 setup, and audio/video production, serving businesses across Denbighshire, North Wales and Wirral from Ruthin, and Lancashire and the Northwest from Bolton.

Configure DMARC using cPanel

by Steve Galloway | Apr 12, 2025

Authenticate outgoing email with DMARC

Configure DMARC (Domain-based Message Authentication, Reporting, and Conformance) to help protect your domain name from being used for email spoofing. Unless you configure DMARC, email that you send can be dropped by a receiver’s email server before reaching that user’s Inbox.

Click on the headers below to follow our guide to obtain a DMARC record using cPanel WHM and then configure your DMARC record in your domain name’s zone record at your domain registrar. Click on images to see in full resolution.

How to prepare

DMARC is already enabled on your web server. DMARC builds on DKIM and SPF, so before implementing DMARC, be sure to implement DKIM first.

Before you configure DMARC in your domain name’s zone record, you will need to understand where your domain name is managed. If your domain name is held at a domain name supplier using their nameservers, you will need to configure DMARC records in your domain name’s zone record at your supplier. If you own the domain, but we hold it in our management portfolio, then you might only need to make amendments in cPanel which will make things easier.

Therefore, before you start, prepare as follows:

if in doubt, check with us where your records need modifying
find your cPanel login credentials from your server information sheet
(optionally) find the login credentials for your domain name supplier

We recommend you add a DMARC record to your domain name’s zone record which initially operates DMARC in test mode. Our workflow therefore is designed to accomplish this preliminary objective.

Making adjustments to your domain name’s zone record requires exacting language and sytax. A missing character can cause a web site to cease functioning and disable your email. Nor can you test it – changes made have effect in real time. Be sure to copy records before overwriting “last known working” states.

Step-by-step instructions

Follow these instructions caefully to configure DMARC and activate the service. Each step is important. Missing characters like colons, semi-colons, and spelling mistakes can cause a lot of work.

1. Log in to cPanel:

open your web browser
enter your cPanel URL (e.g., https://yourdomain.com:2083)
log in with your cPanel credentials

2. Navigate to <Zone Editor>

in cPanel dashboard, scroll to <Domains> section
find and click open <Zone Editor>

3. Look for a DMARC Record:

in Zone Editor, find the domain you want to check
click <Manage> next to the domain
look for a TXT record with the name: _dmarc.yourdomain.com
if you do not see one, you will need to create it

4. Create or Modify a DMARC Record:

if you need to create a new DMARC record, click <Add Record>
choose <TXT Record> from the <+Add> dropdown list
in the <Name> field, enter: _dmarc
in the <TTL> field, leave the default value
in the <Type> field, select: TXT
in the <Record field>, enter your DMARC policy. For now, use:
• v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; sp=none; pct=100
for <mailto:> substitute your preferred email address• see notes below
select and copy the record field to clipboard or notepad. You will need this later

5. Save the DMARC Record:

Click <Save Record> to apply the changes

6. Log in to Your Domain Registrar:

in a new browser window, go to your domain registrar’s website
log in with your credentials

7. Access DNS Management:

find the DNS management or zone file settings
this section allows you to add or edit DNS records

8. Add the DMARC Record you created in steps 4 and 5 above:

Add a new TXT record
in the <Name> field, enter: _dmarc
in the <Value> field, paste the DMARC policy you created and copied earlier in cPanel
Save the changes

9. Verify the new DMARC record:

Use online tools like MXToolbox to verify your DMARC record
Check for typos like missing colons or spaces, or inaccurate spelling

Notes:

DMARC is a technology that operates on a few levels. The record we gave an example for you to use above is for a DMARC policy that shows DMARC is enabled, but not reactive (p=0). The record can be modified to p=quarantine and p=reject which cause emails that fail a test to be either quarantined or rejected by a receiver. In some circumstances like emails sent to a mailing list, values for sp and pct can also affect how your outgoing email is received.

By using policy p=0 and establishing the email address of the person you want to receive DMARC reports, you have a minium valid record. Once this tests positive, consider upgrading the policy to p=quarantine.

Summary

DMARC builds upon existing protocols like SPF and DKIM to help domain name owners specify how their organisation’s emails should be treate by receiving email servers that fail authentication checks. This is important because it helps to prevent a malicious party from attempting to use your email addresses to purport to be you using spoofing and phishing attacks. Consequently, you can configure DMARC a few ways.

Making adjustments to your domain name’s zone record requires exacting language and syntax. A missing character can cause a web site to cease functioning and disable your organisation’s email. Nor can you test a modification first – changes made have effect in real time.

Expert help available

We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services. We can turn modifications in minimal time at reasonable cost while saving you from risk of web site and email disruption – please ask for help if in doubt.

cPanel email account considerations

by Steve Galloway | Apr 4, 2025

cPanel and email accounts

cPanel’s standard web server configuration includes Roundcube Webmail and integrated calendar calendar system. This utility is provided as-is, which means that housekeeping and backups are improtant considerations. Email is a problematic technology. Note that support may be subject to charges for problems like disk space overruns, IP blacklisting, and other disruptions if you have not arranged for ongoing support. Also, we reserve the right to intervene if it is necessary to stop services if there is a threat to equipment or if there is a breach of fair usage policy.

Your web server has primarily been optimized for WordPress and supporting MySQL database functionality. Be aware that problems with email may affect your server’s ability to deliver web pages. If you intend to operate more than two or three email addresses you should really use a platform like Microsoft 365 which copes with business needs better than this service can. However, if you provide thorough housekeeping, your email server can scale to several accounts before having to consider migrating to services like Microasoft Exchange.

Lastly, there are some technologies that you need to activate within cPanel to condition your service for commercial operation. This article explains some things you can do to improve “trust” and meet standards that your suppliers require.

Click on the headers below to read more about important email considerations.

Email is a complex technology

Email is a problem for organizations of all sizes. Email consumes ever-increasing storage. Also, extra security features are necessary to pass scrutiny of email gateways at banks and other important suppliers. Without these utilities in place there is a risk that important emails might not reach their destination.

As businesses grow, increasing in-house management means it becomes cost-effective to migrate email to a platform like Microsoft 365. This way, email services are constantly improved behind the scenes by the people who help dictate the conditions for email logistics worldwide.

Organizations that need to cater for multiple email accounts should consider Microsoft 365, whose “out-of-the-box” platform (Exchange) is the overwhelming solution of choice for commerce, public sector, and military. Microsoft 365 scales to the needs of global enterprises. Also, 365’s nominal cost obviates unknown costs that organizations might incur with “self-serve” solutions.

Planning - email storage

Your web server is designed to deliver web pages promptly. As your historical email volume grows over time on your web server, resources will be increasoingly re-directed to manage email. This is one reason why most businesses use different equipment to manage web and email services.

Storage – how much?

Microsoft 365 provides 50GB expandable mailbox limits for individual accounts. This is not realistic for a web server that is designed for web page delivery. Without hardware upgrades, we recommend that email accounts should be limited to 2GB -5GB.

Attachments – links save disk space

Even at Microsoft’s larger scale, file attachment are limited to 15MB by default. This is because large files cause network congestion and rapidly increasing mailbox sizes. Organizations have learned to use file distribution via email with permission-enabled links to files stored elsewhere. This leaves large files out of the equation for email disk space and this approach is GDPR-compliant. We recommed that you adopt a similar approach to conserve mailbox space. cPanel can be configured to limit file attachment sizes, but this requires intervention by us to configure your hardware. Please contact us for help.

Long term storage – archiving

Archiving is available in cPanel email accounts, but archives still need cleaning. Microsoft 365 is capable of compressing email that is archived, and rules can automate spent email deletion. Note too that Microsoft enables network admins to prevent accidental or malicious deletion of email which is not possible in cPanel.

Email validation - configuration

Modern email gateways perform a number of tests and scores to validate every email intended for receipients within its network. The principal security tests are SPF, Reverse DNS, DKIM, and DMARC. These tests are important because they help build a picture for receipients that verify that you are a legitimate sender and that the content in the message you have sent has not been altered or replaced between end-points.

cPanel can diagnose and recommend patchs to improve your email validation tools.

Without these four services, there is a risk that email can be rejected by organizations like banks, suppliers, and customers. Click on the links to find out more about each technology/protocol.

SPF

SPF is enabled by default in cPanel. You do not need to update your server.

Reverse DNS

Reverse DNS technology is installed in cPanel by default, however its functionality depends on where your domain name’s authoritative zone record is stored. If the zone record is established on your web server, the protocol’s record is determinative in that zone record. If your domain name’s zone record is managed at a domain name registrar, you will need to review and probably edit your record. The syntax for this record, including the correct IP address, is available in cPanel email configuration. Reverse DNS is important. because other technologies like DKIM and DMARC depend on Reverse DNS.

DKIM

DKIM was introduced worldwide in early 2025. The technology is installed on your server, but your domain name’s zone record needs to be modified for the protocol to work. This cannot be performed automatically, and therefore your domain name’s authoritative zone record has to be modified. cPanel provides the record that you need to add, however domain name zone records are notoriously fragile. Accidental corruption of a domain name’s zone record can crash your web site and associated services for up 72 hours. So, you should contact us for help.

DMARC

DMARC is another technology that is enabled in cPanel but requires implementation in your domain name’s authoritative zone record. Also, the security can be incremented in steps according to your zone record’s syntax. So, DMARC needs manually configuring. We recommend using DMARC in “test” mode initially.

Email is an evolving technology and industry standards change over time to respond to threat. cPanel email is provided as-is, so it is your responsibility to configure email services unless we provide support for your email environment. Please contact us for help with implementation.

Shared address book/calendar

You can centralize contacts in a centralized address book which can be accessed by all email account users. This is referred to as a system managed address book and it is equivalent to Microsoft 365’s Global Address Book. This is a GDPR compliant feature and is encouraged because it provides all users with a single point of contact for internal and external organizational contacts. Also, it reduces the risk of data leakage because it enables you to ringfence business contacts from employees’ personal address books.

To add or edit contacts, login to your webmail account, open contacts, and look for the address book called cPanelCardDav. Each email accont holder will see this address book in their contacts page.

Similarly, a shared calendar is available in Webmail calendar as cPanel CalDav Calendar.

Sync adresses and calendars with iPhone/Android

Webnmail can be accessed from your mobile phone. You can bypass Roundcube and access server contacts/calendars via Apple and Android clients. We are developing user-friendly notes for enabling sync services. For now, see cPanel configurations notes for CalDAV (calendar) and CardDAV (contacts) here.

IP blacklisting and email blocks

When sufficient emails from an email account in your organization fails a security tests as it transits the Internet, public authorities like Symantec can blacklist your server’s IP address and cause email associated with your domain name to be dropped before email reaches its destination. This is catastrophic. It can take hours to understand the nature of the problem, and it can take 72-96+ hours to purge your blacklisting. Meanwhile, you cannot send email.

Microsoft 365 and Google Workspace measure outgoing email forensically before it is released in public domain, and customers’ email servers are programmed “out-of-the-box” with toolsets that allow suspicious activity to be reconciled before corrupt email hits the public domain.

Be aware that if you are using cPanel email without support,restoring services in the event of blacklisting is not subject to an SLA and may incur charges. Also, blacklistings may compromise web site performance and SEO rankings.

Summary

cPanel email accounts can be configured with protocols like those listed above to help secure email efficacy. Also, cPanel’s email module supports calendar sharing and shared address books. A centralised address book is a fundamental GDPR component.

There are several issues like data leakage and malicious deletion which are beyond the scope of this article that cPanel does not natively provide for. If you are considering using cPanel email accounts at an organizational level, bear in mind that Microsoft 365 and Google Workspace assume these obligations for minimal cost and save you from managing this complex technology yourself. This saves an organization a lot of effort and trouble.

Lastly, by separating email and web servers, the risk of losing both services simultaneously in the event of one component failing is minimized.

Configure DKIM in cPanel

by Steve Galloway | Apr 3, 2025

Verify outgoing email with DKIM

Use DKIM (DomainKeys Identified Mail) to reduce the chance of your users’ outgoing emails ending up in customer/supplier Spam or Junk folders.

Click on the headers below to follow our guide to configure DKIM using cPanel WHM and post your DKIM records in your domain name’s zone record at your domain registrar. Click on images to see in full resolution.

How to prepare

DKIM is already enabled on your web server. However, the service needs to be implemented. This is because the verification process requires checking a unique DKIM record which only you can add to your domain name’s “phone book” – we call the phone book a zone record. If we have ongoing access to your domain name, we would take care of this as part of the support we provide.

Before starting, you will need to understand where your domain name is managed. If your domain name is held at a domain name supplier using their nameservers, you will need to create DKIM records in the zone record at your supplier. If you own the domain, but we hold it in our management portfolio, then you might only need to make amendments in cPanel which will make things easier.

Therefore, before you proceed, prepare as follows:

if in doubt, check with us where your records need modifying
find your cPanel login credentials from our server information sheet
(optionally) find the login credentials for your domain name supplier

We are able to manage domain names on behalf of clients. Domain name management is a critical function and unwitting errors can cause email and web site failure. If you are nervous about dealing with this technology, we can provide admin support – ask for help. For instance, if you do not have in-house expertise, we can take administrative custody of your domain to manage these kinds of jobs.

Step-by-Step instructions

1. Log in to WHM:

Open your web browser.
Enter your WHM URL (e.g., https://your-server-ip:2087).
Log in with your root credentials.

2. Access the DKIM Settings:

In the WHM dashboard, search for <Email>.
Click on <Email Deliverability>.

3. Select the Domain:

Choose the domain you want to configure DKIM for.
Click <Manage> next to the domain.

4. Enable DKIM:

In the DKIM section, click <Install the Suggested Record>.
WHM will automatically generate the DKIM record.

5. Copy the DKIM Record:

After generating the DKIM record, you will see a TXT record.
Copy the entire TXT record, including the v=DKIM1; part.

6. Log in to Your Domain Registrar:

Open your domain registrar’s website.
Log in with your credentials.

7. Access DNS Management:

Find the DNS management or zone file settings.
This section allows you to add or edit DNS records.

8. Add the DKIM Record:

Add a new TXT record.
In the Name field, enter the selector and domain (e.g., default._domainkey.yourdomain.com).
In the Value field, paste the DKIM record you copied from WHM.
Save the changes.

9. Verify the DKIM Record:

Go back to WHM.
In the <Email Deliverability> section, click <Manage> next to your domain.
Click <Check> to verify the DKIM record.

10. Test Your DKIM Setup:

Send a test email to ensure DKIM is working.
Use online tools like DKIMValidator to check if your email passes DKIM checks.

Tips for Non-IT Users

Take Your Time: Follow each step carefully.
Ask for Help: If you get stuck, don’t hesitate to ask your registrar’s support team.
Double-Check Entries: Ensure there are no typos in the DKIM record.

Summary

Business users do not have a lot of patience when it comes to email, and not a lot of people check Spam or Junk occasionally if at all. Email that is lost in this way costs business so DKIM, along with SPF (automatically configured for you already, DMARC, and Reverse DNS are necessary utilities for providing resilient email delivery.

Expert help available

We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services – we can turn modifications in minimal time at reasonable cost and while saving you from risk of web site and email disruption – please ask for help if in doubt.

Configure Reverse DNS (RDNS)

by Steve Galloway | Mar 4, 2025

Reverse DNS

Reverse DNS, also called rDNS, is used by email servers to verify your email has reached it from an email server and IP address that you own. rDNS is crucial for email deliverability and server reputation. For instance, web site contact forms often fail because Reverse DNS is not configured properly and emails are dropped before reaching a web site owner’s Inbox. This is why SPF, rDNS, DKIM, and DMARC are so important in business email.

Your web server’s zone record is already configured to a rDNS mapping so you should not need to intervene unless you are operating exceptional circumstances.

Click on the headers below to follow our guide to record a Reverse DNS/PTR record in your domain name’s zone record at your domain registrar. Click on images to see in full resolution.

How to check rDNS is configured

At the moment, your web server already resolves rDNS, and the record posted in cPanel > Email > Email deliverability should already resolve to:

```
Name: 10.183.202.88.in-addr.arpa.
```
```
Value metal1.namesfirst.net.
```

Note that the IP address is recorded in the <Name> field. This is usually illegal logic, and that is why this record has to be specially handled by the owner of the IP address block your server relies on: it requires a “reverse” entry which means it has to be handled at “datacenter” level.

rDNS is a not always an easy DNS feature to deal with. Please contact us for advice if you are in doubt about your server configuration.

Summary

Reverse DNS is an important tool that remail servers rely on to verify that email you send is recognized as valid. Without this validation, you may send email that is rejected or dropped before it reaches a recipient’s Inbox.

Expert help available

« Older Entries

Next Entries »