Fighting Abuse with DNS
4 likes2,112 views
The document discusses email authentication methods including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). It describes how each method operates, their purposes in validating email messages, and the difficulties encountered, especially with mail forwarding. Additionally, it provides examples of DNS records for setting up SPF and DKIM, as well as their implications for email security.
![© Men & Mice http://menandmice,com
DKIM Signature in the Mail Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=;
b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]
DKIM
Version
Wednesday 26 October 16](https://image.slidesharecdn.com/spf-dkim-dmarc-161027105141/85/Fighting-Abuse-with-DNS-24-320.jpg)
![© Men & Mice http://menandmice,com
DKIM Signature in the Mail Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=;
b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]
DKIM
Signing
Algorithm
Wednesday 26 October 16](https://image.slidesharecdn.com/spf-dkim-dmarc-161027105141/85/Fighting-Abuse-with-DNS-25-320.jpg)
![© Men & Mice http://menandmice,com
DKIM Signature in the Mail Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=;
b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]
canonicalization algorithm: "relaxed"
algorithm that tolerates common
modifications such as whitespace replacement
and header field line rewrapping
Wednesday 26 October 16](https://image.slidesharecdn.com/spf-dkim-dmarc-161027105141/85/Fighting-Abuse-with-DNS-26-320.jpg)
![© Men & Mice http://menandmice,com
DKIM Signature in the Mail Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=;
b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]
Domain of the sending party,
this is where the public key to
verify the signature is located
Wednesday 26 October 16](https://image.slidesharecdn.com/spf-dkim-dmarc-161027105141/85/Fighting-Abuse-with-DNS-27-320.jpg)
![© Men & Mice http://menandmice,com
DKIM Signature in the Mail Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=;
b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]
Subdomain selector: will pre
prepended to the domain to
fetch the DKIM public key
Wednesday 26 October 16](https://image.slidesharecdn.com/spf-dkim-dmarc-161027105141/85/Fighting-Abuse-with-DNS-28-320.jpg)
![© Men & Mice http://menandmice,com
DKIM Signature in the Mail Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=;
b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]
Header-Fields signed by
the sending party
Wednesday 26 October 16](https://image.slidesharecdn.com/spf-dkim-dmarc-161027105141/85/Fighting-Abuse-with-DNS-30-320.jpg)
![© Men & Mice http://menandmice,com
DKIM Signature in the Mail Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=;
b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]
Body-Hash: Hash of the
message body
Wednesday 26 October 16](https://image.slidesharecdn.com/spf-dkim-dmarc-161027105141/85/Fighting-Abuse-with-DNS-31-320.jpg)
![© Men & Mice http://menandmice,com
DKIM Signature in the Mail Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=;
b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]
Signature over header
fields and Body-Hash
Wednesday 26 October 16](https://image.slidesharecdn.com/spf-dkim-dmarc-161027105141/85/Fighting-Abuse-with-DNS-32-320.jpg)
![© Men & Mice http://menandmice,com
SPF problem with forwarding
example.com
authoritative
DNS
example.com
outgoing
mail
receiving
mail server
sending mail from
user@example.com
on port 25
from 203.0.113.23
_domainkeys.example.com IN TXT “v=DKIM1; k=rsa; p=MIG[...]”
mail
forwarder
Wednesday 26 October 16](https://image.slidesharecdn.com/spf-dkim-dmarc-161027105141/85/Fighting-Abuse-with-DNS-37-320.jpg)
Fighting Abuse with DNS
- 1. © Men & Mice http://menandmice,com SPF, DKIM and DMARC Mail-Reputation and DNS Wednesday 26 October 16
- 2. © Men & Mice http://menandmice,com Sender Policy Framework Wednesday 26 October 16
- 3. © Men & Mice http://menandmice,com SPF •Sender Policy Framework (SPF) defines the addresses mails can be originated for a given domain •this information is stored in it’s own SPF-Format inside a TXT-Record • there has been a dedicated SPF record type, that has been deprecated because it was ignored by Mail- and DNS-admins •Website: http://www.openspf.org Wednesday 26 October 16
- 4. © Men & Mice http://menandmice,com SPF-Example •the Google SPF-Record google.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all" Mail-Sender Domain SPF-Format Version Include SPF- Information from subdomain Soft-Fail SPF- Checks Wednesday 26 October 16
- 5. © Men & Mice http://menandmice,com SPF-Example •the Google SPF-Record _spf.google.com. 299 INTXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" Includes of Google Network Blocks Wednesday 26 October 16
- 6. © Men & Mice http://menandmice,com SPF-Example •the Google SPF-Record _spf.google.com. 299 INTXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" Includes of Google Network Blocks Wednesday 26 October 16
- 7. © Men & Mice http://menandmice,com SPF-Example •the Google SPF-Record _netblocks.google.com. 3600 IN TXT "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all" Google Mail-Sending addresses Wednesday 26 October 16
- 8. © Men & Mice http://menandmice,com SPF-Operation example.com authoritative DNS example.com outgoing mail receiving mail server sending mail on port 25 from 192.0.2.123 Wednesday 26 October 16
- 9. © Men & Mice http://menandmice,com SPF-Operation example.com authoritative DNS example.com outgoing mail receiving mail server sending mail on port 25 from 192.0.2.123 looking up SPF-Record for “example.com” Wednesday 26 October 16
- 10. © Men & Mice http://menandmice,com SPF-Operation example.com authoritative DNS example.com outgoing mail receiving mail server sending mail on port 25 from 192.0.2.123 example.com IN TXT “v=spf1 ipv4:192.0.2.0/24 -all” Wednesday 26 October 16
- 11. © Men & Mice http://menandmice,com SPF-Operation example.com authoritative DNS example.com outgoing mail receiving mail server sending mail on port 25 from 192.0.2.123 check if sending address is within SPF- Data Wednesday 26 October 16
- 12. © Men & Mice http://menandmice,com SPF-Operation example.com authoritative DNS example.com outgoing mail receiving mail server mail has been received Wednesday 26 October 16
- 13. © Men & Mice http://menandmice,com SPF issues •SPF is problematic with some mail functions where mail is send indirectly •mail-forwarding •mailing lists •webforms - http://bsdly.blogspot.nl/2016/10/is-spf-simply-too-hard-for-application.html Wednesday 26 October 16
- 14. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server mailing-list server sending mail from user@example.com on port 25 from 192.0.2.123 Wednesday 26 October 16
- 15. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server mailing-list server sending mail from user@example.com on port 25 from 203.0.113.23 Wednesday 26 October 16
- 16. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server mailing-list server sending mail from user@example.com on port 25 from 203.0.113.23 looking up SPF-Record for “example.com” Wednesday 26 October 16
- 17. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server mailing-list server sending mail from user@example.com on port 25 from 203.0.113.23 example.com IN TXT “v=spf1 ipv4:192.0.2.0/24 -all” Wednesday 26 October 16
- 18. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server mailing-list server sending mail from user@example.com on port 25 from 203.0.113.23 check if sending address is within SPF- Data Wednesday 26 October 16
- 19. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server mailing-list server sending mail from user@example.com on port 25 from 203.0.113.23 mail rejected, as the sender IP does not appear in the SPF data Wednesday 26 October 16
- 20. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server mailing-list server sending mail from user@example.com on port 25 from 203.0.113.23 mail rejected, as the sender IP does not appear in the SPF data Wednesday 26 October 16
- 21. © Men & Mice http://menandmice,com DKIM DomainKeys Identified Mail Wednesday 26 October 16
- 22. © Men & Mice http://menandmice,com DKIM • DKIM cryptographically signs selected mail headers and the mail content • DKIM is used to validate the mail message content but not to secure the transport path • No upgrade to User Client (Client E-Mail program) needed • But E-Mail Clients can offer per-User signing, as an option • DKIM Management can be “outsourced” (ISP, E-Mail Hosting Provider) • No PKI Infrastructure needed, only depends on DNS Wednesday 26 October 16
- 23. © Men & Mice http://menandmice,com DKIM • DKIM Website • http://dkim.org/ • Documents • RFC 5585 - DomainKeys Identified Mail (DKIM) Service Overview https://tools.ietf.org/html/rfc5585 • RFC 6376 - DomainKeys Identified Mail (DKIM) Signatures https://tools.ietf.org/html/rfc6376 • RFC 5863 - DomainKeys Identified Mail (DKIM) Development, Deployment, and Operations https://tools.ietf.org/html/rfc5863 • RFC 5617 - DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP) https://tools.ietf.org/html/rfc5617 • RFC 6377 - DomainKeys Identified Mail (DKIM) and Mailing Lists https://tools.ietf.org/html/rfc6377 Wednesday 26 October 16
- 24. © Men & Mice http://menandmice,com DKIM Signature in the Mail Header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...] DKIM Version Wednesday 26 October 16
- 25. © Men & Mice http://menandmice,com DKIM Signature in the Mail Header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...] DKIM Signing Algorithm Wednesday 26 October 16
- 26. © Men & Mice http://menandmice,com DKIM Signature in the Mail Header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...] canonicalization algorithm: "relaxed" algorithm that tolerates common modifications such as whitespace replacement and header field line rewrapping Wednesday 26 October 16
- 27. © Men & Mice http://menandmice,com DKIM Signature in the Mail Header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...] Domain of the sending party, this is where the public key to verify the signature is located Wednesday 26 October 16
- 28. © Men & Mice http://menandmice,com DKIM Signature in the Mail Header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...] Subdomain selector: will pre prepended to the domain to fetch the DKIM public key Wednesday 26 October 16
- 29. © Men & Mice http://menandmice,com Fetching the DKIM key •The DKIM public key can be found inside a TXT record at a domain name build from • selector • subdomain “_domainkey” • base mail domain (d: field) $ dig selector1-menandmice-com._domainkey.mennogmys.onmicrosoft.com TXT +short "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDenG16IONFpDPACAhDnCd/ N98W277rSbwSoatar767pSYtT+CClFqhmEePynSVGdS0RxIjFZscmVN5RZjnfD +HE1HL4XvUtxnnb1j0PeNfhrDHy7BHFGux6exfL7/splByKu7qhLBP10+SyAjiE4Qc6xWfCQ3MzmECZGW/ CzzmOQIDAQAB; n=1024,1450909615,1" Wednesday 26 October 16
- 30. © Men & Mice http://menandmice,com DKIM Signature in the Mail Header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...] Header-Fields signed by the sending party Wednesday 26 October 16
- 31. © Men & Mice http://menandmice,com DKIM Signature in the Mail Header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...] Body-Hash: Hash of the message body Wednesday 26 October 16
- 32. © Men & Mice http://menandmice,com DKIM Signature in the Mail Header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...] Signature over header fields and Body-Hash Wednesday 26 October 16
- 33. © Men & Mice http://menandmice,com DKIM operation example.com authoritative DNS example.com outgoing mail receiving mail server mail forwarder mail get signed with “example.com” private DKIM key Wednesday 26 October 16
- 34. © Men & Mice http://menandmice,com DKIM operation example.com authoritative DNS example.com outgoing mail receiving mail server mail forwarder sending mail from user@example.com on port 25 from 192.0.2.123 Wednesday 26 October 16
- 35. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server sending mail from user@example.com on port 25 from 203.0.113.23 mail forwarder Wednesday 26 October 16
- 36. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server sending mail from user@example.com on port 25 from 203.0.113.23 looking up DKIM public key for “example.com” mail forwarder Wednesday 26 October 16
- 37. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server sending mail from user@example.com on port 25 from 203.0.113.23 _domainkeys.example.com IN TXT “v=DKIM1; k=rsa; p=MIG[...]” mail forwarder Wednesday 26 October 16
- 38. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server sending mail from user@example.com on port 25 from 203.0.113.23 validating DKIM signed headers and body mail forwarder Wednesday 26 October 16
- 39. © Men & Mice http://menandmice,com SPF problem with forwarding example.com authoritative DNS example.com outgoing mail receiving mail server mailing-list server mail has been received Wednesday 26 October 16
- 40. © Men & Mice http://menandmice,com DMARC Domain-based Message Authentication, Reporting & Conformance Wednesday 26 October 16
- 41. © Men & Mice http://menandmice,com DMARC •DMARC builds on top of SPF and DKIM •it allows the owner of an email domain to publish a policy about SPF and DKIM failures •DMARC can be used to publish a feedback channel to let the domain owner know of spoofed mail from his domain •the DMARC policy is stored in DNS Wednesday 26 October 16
- 42. © Men & Mice http://menandmice,com DMARC •example DMARC record "v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@example.com" Protocol Version Wednesday 26 October 16
- 43. © Men & Mice http://menandmice,com DMARC •example DMARC record "v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@example.com" Policy for organizational domain Wednesday 26 October 16
- 44. © Men & Mice http://menandmice,com DMARC •example DMARC record "v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@example.com" Percentage of messages subjected to filtering Wednesday 26 October 16
- 45. © Men & Mice http://menandmice,com DMARC •example DMARC record "v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@example.com" Where to send the aggregated mis-use reports Wednesday 26 October 16