An Introduction To The DMARC SMTP Validation Requirements
0 likes597 views
The document discusses DMARC (Domain Message Authentication, Reporting & Conformance), a framework designed to prevent email spoofing through authentication tools like SPF and DKIM. It highlights the importance of proper server configuration and user awareness in combating phishing attacks, as well as the complexities of implementing DMARC protocols effectively. Additionally, it emphasizes the need for thorough planning and testing before deploying DMARC to ensure effective management of fraudulent email attempts.
An Introduction To The DMARC SMTP Validation Requirements
- 1. July 2018 Understanding DMARC Gabriella Davis - IBM Lifetime Champion for Social Business Technical Director The Turtle Partnership
- 3. Gab Davis ✤ Admin of all things and especially quite complicated things where the fun is ✤ Working with the design, deployment and security of IBM technologies within global infrastructures ✤ working with the real world security and privacy aspects of expanding data ecosystems ✤ Stubborn and relentless problem solver ✤ http://turtleblog.infohttps://www.turtlepartnership.com ✤ IBM Lifetime Champion
- 5. Relaying ✤ Using Your Servers ✤ Routing mail through “good” servers that are owned by a company gives “bad” mail validity ✤ Properly configured servers stop that happening ✤ It takes only a few poor configured servers to successfully route millions of emails ✤ This is an administrative not a user problem ✤ It doesn’t hurt your users who don’t receive the mail ✤ It does cause bottlenecks on your servers trying to send mail ✤ Receiving hosts are often designed to check that the claimed sending domain matches the address header ✤ It can result in your servers being blacklisted and not being able to send mail
- 6. Blacklists My SMTP host listening on port 25/465 for any mail SMTP mail not just for my domain: turtleweb.com My SMTP host listening on port 25/465 for any mail SMTP mail not just for my domain: turtleweb.com Spam Generating Server domain: fakemail.com Scans for any open listening host which will accept mail not for their own domain Domain being spammed domain: rivers.com Carries the return_path in the message header
- 7. Preventing and Protecting Relaying ✤ Lock down servers to only accept mail for your own domains ✤ Use an edge service to verify valid domains ✤ Use SPF records ✤ These define the identities of servers sending mail from your domains ✤ Receiving servers can check if the domain in the message header has an SPF record for the connecting server ✤ Many receiving domains and servers do not accept mail without SPF validation now ✤ SPF records are no longer enough
- 8. SPF gab@turtleweb.com creates email to tim@gmail.com turtleweb.com SMTP Server ip: mail.turtleinfo.net gmail.com SMTP listener turtleweb.com DNS Record SPF Entry turtleweb.com. IN TXT "v=spf1 mx a ip4:79.99.66.142 a:mail.turtleinfo.net” gmail checks SPF record in DNS to verify if the sending server is approved
- 9. Phishing ✤ Phishing - collecting personal information voluntarily from the user ✤ Phishing scams can use spoofing techniques in order to seem more genuine to the user ✤ Over 30% of phishing emails are opened ✤ Phishing can often be combined with spoofing to give the request more authenticity but the goal is to gather information ✤ the goal of spoofing is usually to deliver a malicious payload ✤ Preventing phishing should simply be a case of user awareness
- 10. Why Don’tTheseTechniquesWork ✤ Technical solutions do work if deployed rigidly, however: ✤ Mail systems are often complex ✤ If I want a user to send mail via my SMTP server, I can’t relay check ✤ The risk of rejecting valid mail is greater than the risk of accepting fraudulent mail ✤ People I want to receive email from often haven’t set up their own SPF records
- 11. UserTraining Isn’t Enough ✤ Phishing increasingly relies on sophisticated social engineering designed to win trust ✤ Users are aware of risk so the mails have become more sophisticated ✤ The iOS problem ✤ Verbal verification is not always possible ✤ We need better ways of validating the source of mail before it reaches the user and becomes their responsibility
- 12. Content Filtering ✤ Edge services specifically designed to check content ✤ estimates put the % of spam to around 90% of received mail ✤ Filtering has moved from checking for certain words or phrases to checking message structure ✤ it didn’t take long for spammers to work out how to fool word filters
- 13. Defining DMARC
- 14. DMARC ✤ Domain Message Authentication Reporting and Conformance ✤ created by Google, Paypal, Microsoft and Yahoo ✤ A combination of processes and policies that provide both validation of messages and reporting of fraudulent attempts ✤ These include SPF, content scanning, and DKIM ✤ DMARC policies tell the receiver what to do with non-validated messages, resulting in useful data returned to the sender
- 15. SPF gab@turtleweb.com creates email to tim@gmail.com turtleweb.com SMTP Server ip: mail.turtleinfo.net gmail.com SMTP listener turtleweb.com DNS Record SPF Entry turtleweb.com. IN TXT "v=spf1 mx a ip4:79.99.66.142 a:mail.turtleinfo.net” gmail checks SPF record in DNS to verify if the sending server is approved
- 16. DKIM - DomainKeys Identified Mail (simplified) ✤ A public/private key pair used to process every sending message ✤ DKIM ensures the receiving server that the message is valid and has not been tampered with turtleweb.com sending server creates a hash using its private key containing both my sending address and the subject and attaches it to the message header before sending gmail.com receiving server decrypts the hash using the public key to verify it is both correct and unchanged before delivering the mail to tim DNS turtleweb.com's DNS record contains the public key used by mail.turtleweb.com to encrypt “sender and subject” sends an email to tim@gmail.com
- 17. DMARC Policies ✤ Faked mail appears and disappears often without the genuine domain owner knowing ✤ most systems just bounce, delete or quarantine the messages ✤ without knowing the scale of faked mail or even that someone is impersonating my company how can I stop it? ✤ DMARC configuration has two parts ✤ telling the receiving server what to do with non genuine mail ✤ telling the receiving server where to send summary reports of non genuine mail ✤ DMARC deployed correctly allows us to both pre-emptively manage faked mail and have visibility of its existence
- 18. Deploying DMARC
- 19. Constructing SPF Records ✤ Several sites help you construct your SPF records including ✤ spfwizard.net and mxtoolbox.com ✤ If you are unsure of the syntax, use one of these sites ✤ Mail failing a SPF check is then tagged ✤ Fail - resulting in non delivery ✤ Softfail - increased likelihood of being tagged as spam ✤ Neutral - ignore failure
- 20. Deploying DKIM ✤ The sending mail server must support DKIM encryption ✤ If it doesn’t then you will either have to install a DKIM custom package or route mail through a server that does support it ✤ Some DKIM mail services http://dkim.org/deploy/index.html ✤ The inbound server must support DKIM decryption ✤ many edge mail services do (postini, proofpoint, barracuda, O365 etc) ✤ IBM have a tech request open from 2011 for DKIM but there isn’t enough demand for it in Domino (especially now). ✤ If you’re interested the SPR is JFBM7ELEQY
- 21. Creating A DKIM Record ✤ Use OpenSSL or a site such as ✤ https://www.socketlabs.com/domainkey-dkim-generation-wizard ✤ https://www.port25.com/dkim-wizard ✤ Store the generated public key in a TXT record in your domain ✤ Configure the DKIM package or enabled server to use the private key
- 22. DMARC Planning ✤ Enabling DMARC takes a significant amount of planning and testing ✤ The point of DMARC is to tell receiving servers to reject, delete or deliver your mail ✤ configured incorrectly it can result in all your sent mail disappearing ✤ Start with test domains! ✤ Start with reporting-only policies ✤ Ensure you have an email address / mailbox configured for the DMARC reports ✤ These will tell you if someone is sending mail as your domain that don’t meet your SPF and DKIM settings
- 23. DMARC Deployment ✤ Use a DMARC wizard such as https://mxtoolbox.com/DMARCRecordGenerator.aspx or https:// www.unlocktheinbox.com/dmarcwizard/ to review your options and create the right syntax ✤ DMARC questions include: ✤ How do you want mail that fails DMARC to be treated by the recipient? ✤ Where do you want your aggregate reports sent to? ✤ Do you want forensic (individual) reports generated on specific failures such as SPF or DKIM ✤ Zone file TXT entry ✤ "v=DMARC1; p=none; sp=none; rua=mailto:dmarcreport@turtleweb.com; ruf=mailto:dmarcanalysis@turtleweb.com; rf=afrf; pct=100; ri=86400”
- 24. DMARC and Domino ✤ Domino doesn’t support ✤ SPF checking ✤ DKIM key encryption ✤ DKIM decryption ✤ It’s unlikely to do so ✤ Edge services do support both SPF checking and DKIM encryption ✤ For DKIM encryption outbound, Domino mail can be routed through a SMTP relay with an installed DKIM package ✤ or someone could write a DKIM add in for Domino
- 25. DMARCWithout DKIM ✤ It’s possible to deploy DMARC records that only have rules for SPF not DKIM ✤ Why would you do that? ✤ To get analysis reports on sent mail behaviour (example from dmarc.org)
- 26. Create DMARC Record ✤ From mxtoolbox.com
- 27. Create DMARC Record ✤ From mxtoolbox.com
- 28. Summary ✤ Email isn’t going away ✤ DMARC isn’t a single solution, it’s a combination of technical tools and processes ✤ Many of the technical tools have been around for years including SPF, Reverse DNS and DKIM ✤ but not deployed widely as being too complex ✤ We have to take more responsibility for protecting people from sophisticated phishing attempts not just from content ✤ DMARC is increasingly being required by receiving servers wanting to protect their customers but it can also help you identify your threat level