Shehzad Mirza, Director of Operations
[email protected] [email protected]

Introduction to SPF and DKIM

Sender Policy Framework (SPF)
• Defines which mail servers are authorized to send mail for the organization's domain
• Uses the "envelope from" (RFC5321.MailFrom, the address seen in the Return-Path header) to determine the sending domain; the visible From: header is not checked
• Published as a TXT record in the domain's DNS (Domain Name System)
• A domain can have only one SPF record (receivers treat two or more as a permanent error)
SPF

SPF DNS TXT Record
• Basic: Name:
• Complex: Name:
SPF Tags
• ptr – reverse-maps the source IP to host names and passes if one of those names (under the target domain) resolves back to the source IP; deprecated by RFC 7208 and slow, so avoid it
• redirect= – continues evaluation using the SPF record of the named domain when no mechanism in this record matched
• exp= – names a domain whose TXT record text may be returned with a failure message
  • redirect= and exp= are modifiers and are conventionally placed at the end of the policy
• Macro expressions – complex and confusing; rarely needed

SPF 'all' Tag
• -all – Hard Fail
  • only hosts matched by the record's mechanisms (ip4/ip6, a, mx, include ...) may send mail for the domain; all others are prohibited
• ~all – Soft Fail
  • mail from a host not on the policy is still accepted but marked as non-compliant; receivers usually treat it as suspicious rather than rejecting it
• ?all – Neutral
  • explicitly states that nothing can be said about validity (equivalent to having no record)
• +all – Pass
  • any host can send mail for the domain; this should never be used

Example SPF Records
• v=spf1 mx include:_spf.google.com -all
• v=spf1 mx include:spf.protection.outlook.com -all
• v=spf1 include:spf.protection.outlook.com ip4:161.11.10.20 -all
Items Needed for SPF
• Access to the organization's public DNS
• Determine whether MX records are being used (the mx mechanism)
• IP addresses or domains of systems sending on the organization's behalf
• Whether 3rd-party vendors support SPF
  • what needs to be added to your SPF record (usually an include:)
• Confirm SPF alignment (make sure the sending domain is the organization's domain)
SPF Alignment

Good:
  From: [email protected]
  Return-Path:

Fail:
  From: [email protected]
  Return-Path: <[email protected]>
  Received-SPF: pass (google.com: domain of bounce-mc.us15_71628198.660451-[email protected] designates 205.201.133.58 as permitted sender) client-ip=205.201.133.58;

In the failing case SPF itself passed, but for the vendor's bounce domain, not for the domain in From:. To achieve SPF alignment, the From: header domain must match the domain used to authenticate SPF (the envelope "mail from" / Return-Path domain).
Shortfalls
• The recipient server decides how to handle messages that fail (many still deliver soft-fails and even hard-fails)
• Once implemented, there is no feedback mechanism to tell the domain owner whether a message was rejected or bounced
• If used alone, any other customer of the same hosting provider can still forge mail for your domain, because the provider's servers are on your policy
• 10 DNS-lookup limit: include, a, mx, ptr, exists and redirect each count, and exceeding the limit is a permanent error
• Does not validate the "header from" (what the user sees); only the "envelope from" determines the sending domain
10 Domain Lookup Work-Around
• SPF flattening
  • replace include/a/mx mechanisms with the IP addresses they resolve to
  • be extremely careful: the flattened record is a snapshot and silently goes stale when a vendor changes its ranges
• Dynamic SPF
  • capability provided by various DMARC vendors, which regenerate the flattened record automatically
• Using macros
• Dedicated subdomains per email stream (each subdomain gets its own 10-lookup budget)
• Avoid unnecessary include statements
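The following is an added example for this page, not GCA tooling: a small SPF check_host() over a constructed in-memory zone. It covers the mechanisms the slides discuss (ip4, a, mx, include, redirect= and the four "all" qualifiers), counts DNS-lookup mechanisms so that the 10-lookup limit turns into a permerror, and shows the flattening work-around from this slide by rewriting include/a/mx into ip4 terms. The ZONE contents, domain names and addresses are constructed; a production checker such as pyspf talks to real DNS and also handles ip6, exists, ptr and macros.

```python
"""SPF check_host() over a constructed in-memory zone (added example, not GCA code)."""
import ipaddress
import re

# Constructed zone: domain -> record type -> values. Not real DNS data.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 mx include:_spf.mailer.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "_spf.mailer.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 include:_netblocks.mailer.example ~all"]
    },
    "_netblocks.mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # include loop: evaluation always exceeds the lookup limit -> permerror
    "loop.example": {"TXT": ["v=spf1 include:loop.example ?all"]},
}

LOOKUP_LIMIT = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([+\-~?]?)(all|ip4|a|mx|include|redirect)(?:[:=](.+))?$", re.I)


def spf_record(domain):
    """Exactly one v=spf1 TXT record is allowed; zero or several is an error."""
    txts = ZONE.get(domain, {}).get("TXT", [])
    recs = [t for t in txts if t.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def parse_term(term):
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"unsupported term: {term}")
    return m.group(1) or "+", m.group(2).lower(), m.group(3)


def a_records(name):
    return ZONE.get(name, {}).get("A", [])


def mx_hosts(name):
    return ZONE.get(name, {}).get("MX", [])


def _count(counter):
    counter["n"] += 1
    if counter["n"] > LOOKUP_LIMIT:
        raise ValueError("more than 10 DNS lookups")


def check_host(ip, domain, counter):
    """Returns pass/fail/softfail/neutral/none; raises ValueError on permerror."""
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qual, mech, arg = parse_term(term)
        if mech == "redirect":
            redirect = arg
            continue
        if mech in ("a", "mx", "include"):
            _count(counter)  # each of these costs one DNS lookup
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in a_records(arg or domain)
        elif mech == "mx":
            matched = any(str(addr) in a_records(h) for h in mx_hosts(arg or domain))
        else:  # include: matches only on a 'pass' of the included record
            matched = check_host(ip, arg, counter) == "pass"
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        _count(counter)
        return check_host(ip, redirect, counter)
    return "neutral"


def evaluate(ip, domain):
    """Return (result, dns_lookups_used); result is 'permerror' on failure."""
    counter = {"n": 0}
    try:
        return check_host(ip, domain, counter), counter["n"]
    except ValueError:
        return "permerror", counter["n"]


def flatten(domain, seen=None):
    """Replace include/a/mx with the ip4 terms they resolve to (SPF flattening).
    The output is a snapshot: it goes stale when a vendor changes its ranges."""
    seen = set() if seen is None else seen
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    seen.add(domain)
    nets, tail = [], "-all"
    for term in spf_record(domain).split()[1:]:
        qual, mech, arg = parse_term(term)
        if mech == "ip4":
            nets.append(arg)
        elif mech == "a":
            nets += a_records(arg or domain)
        elif mech == "mx":
            for h in mx_hosts(arg or domain):
                nets += a_records(h)
        elif mech in ("include", "redirect"):
            nets += flatten(arg, seen)[0]  # the nested 'all' does not override ours
        else:
            tail = qual + "all"
    return list(dict.fromkeys(nets)), tail


def flat_record(domain):
    nets, tail = flatten(domain)
    return "v=spf1 " + " ".join("ip4:" + n for n in nets) + " " + tail


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.9", "192.0.2.99"):
        print(ip, evaluate(ip, "example.com"))
    print(evaluate("192.0.2.1", "loop.example"))
    print(flat_record("example.com"))
```

Evaluating the flattened record for the same client IP needs zero DNS lookups, which is the whole point of the work-around; the cost is that the ip4 terms copied from _spf.mailer.example never change on their own.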
DomainKeys Identified Mail (DKIM)
• Validates that a domain takes responsibility for a mail message by adding a digital signature (the DKIM-Signature header), which receivers verify against the public key published in DNS
• Published as a TXT record in DNS, or as a CNAME pointing to a TXT record hosted by the provider
• A domain can have more than one DKIM record (one per selector)
Generate DKIM Keys
• Two keys
  • Private key (kept on the signing system)
  • Public key (published in DNS)
• How the keys are generated depends on:
  • whether you use an external service for both mail and DNS (e.g., G Suite or Office 365)
  • whether the organization has its own email server or gateway
DKIM with 3rd-Party Mail Providers and Marketing Systems
• The mail provider supplies the public key, which is then published as a TXT or CNAME record in DNS.
• In some cases the mail provider supplies the full DNS TXT record.
• The private key is held by the mail provider and is normally not given to the organization.
DKIM with the Organization's Mail Server or Gateway
• Some mail gateways generate the DKIM keys themselves (e.g., Cisco IronPort and Mimecast).
• Linux - an open source project called opendkim (http://www.opendkim.org/) is available.
• Contains various tools to assist with creating the DKIM key and for integrating DKIM signing into various mail systems
• MS Exchange – dkim-exchange (GitHub)
• Another option is to use OpenSSL to generate the DKIM key pair. Options go before the key size; RFC 8301 requires signers to use at least 1024 bits and recommends 2048 (a 2048-bit public key produces a p= value longer than 255 characters, so the TXT record must be split into several quoted strings).
  • Private key: openssl genrsa -out dkim-private.pem 2048
  • Public key: openssl rsa -in dkim-private.pem -pubout -outform PEM -out dkim-public.pem
• Move the DKIM private key to the location specified by the DKIM installation.
• Make sure it is in a folder with restricted access, readable only by the signing service.
DKIM DNS TXT Record
name:
DKIM Record Name
•
• _domainkey - required
•
DKIM Tags
• k=rsa – key algorithm used
• p= – the public key, base64-encoded
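As an added example (not part of the bootcamp material), the block below turns the PEM file written by `openssl rsa -pubout` into the DNS record described on these slides and reads it back the way a verifier does. The record name `<selector>._domainkey.<domain>` and the v=/k=/p=/t= tags follow RFC 6376. The selector `gca`, the domain `example.com` and `PUBLIC_KEY_PEM` are assumptions: the PEM has the right shape but is a constructed placeholder, not a real key, so substitute the contents of dkim-public.pem.

```python
"""DKIM DNS record from a PEM public key (added example, not GCA code)."""
import base64

SELECTOR = "gca"          # assumed selector
DOMAIN = "example.com"    # assumed domain

# Constructed placeholder "DER" (300 arbitrary bytes). A real 2048-bit RSA
# SubjectPublicKeyInfo is 294 bytes, so like the real thing the base64 form
# exceeds a single 255-byte TXT string.
PLACEHOLDER_DER = bytes(range(256)) + bytes(44)
B64 = base64.b64encode(PLACEHOLDER_DER).decode()
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(B64[i:i + 64] for i in range(0, len(B64), 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_to_p(pem):
    """p= is the PEM body (base64 SubjectPublicKeyInfo) with armor and newlines removed."""
    body = [ln.strip() for ln in pem.splitlines()]
    return "".join(ln for ln in body if ln and not ln.startswith("-----"))


def record_name(selector, domain):
    return f"{selector}._domainkey.{domain}"


def record_value(public_pem, testing=False):
    tags = ["v=DKIM1", "k=rsa"]
    if testing:
        tags.append("t=y")  # testing flag: verifiers report but do not enforce failures
    tags.append("p=" + pem_to_p(public_pem))
    return "; ".join(tags)


def txt_strings(value, limit=255):
    """TXT RDATA is a sequence of <=255-byte strings; longer values must be split
    or the zone file / provider UI rejects them. Resolvers rejoin them in order."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_file_line(selector, domain, public_pem, ttl=3600):
    quoted = " ".join(f'"{s}"' for s in txt_strings(record_value(public_pem)))
    return f"{record_name(selector, domain)}. {ttl} IN TXT ( {quoted} )"


def parse_record(strings):
    """Verifier side: join the TXT strings, split on ';', read tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    # v and k are optional and default to DKIM1 / rsa; anything else is unusable here
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM record")
    return tags


def public_key_der(strings):
    """Decode p= back to DER; a base64 error here means the record was mangled."""
    return base64.b64decode(parse_record(strings)["p"], validate=True)


if __name__ == "__main__":
    print(zone_file_line(SELECTOR, DOMAIN, PUBLIC_KEY_PEM))
```

After publishing, query the name with `dig TXT gca._domainkey.example.com` and feed the returned strings to `parse_record`; if the p= value does not decode, the record was truncated or a quote was lost in the provider's UI.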
Items Needed for DKIM
• Access to public DNS
• Define a selector (the s= value; lets several keys coexist and allows key rotation)
• DKIM key generator and signing tool
  • built into the mail server or email security gateway
  • provided by the 3rd-party email provider
• Whether 3rd-party vendors support DKIM
  • what needs to be added to DNS (TXT or CNAME record)
• Confirm DKIM alignment (make sure the signing domain, d=, is the organization's domain)
DKIM Alignment

Message header:
  From: [email protected]
  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalcyberalliance.org; s=gca; h=mime-version:references:in-reply-to:from:date:message-id:subject:to:cc;

The signing domain is the d= tag (globalcyberalliance.org); DKIM alignment requires it to match the From: header domain. The selector (s=gca) tells the receiver which record to fetch, gca._domainkey.globalcyberalliance.org.
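The alignment rule on this slide and on the SPF Alignment slide is the same test applied to two identifiers, so here is one added example (not GCA code) that applies both, in DMARC's strict and relaxed modes. SPF aligns when the Return-Path domain matches the From: domain; DKIM aligns when the d= of a DKIM-Signature does. Assumptions: the organizational domain is approximated as the last two labels (real DMARC uses the Public Suffix List, so a co.uk-style domain needs more than this), and the signatures are taken as verified, since the code checks alignment only and does no cryptography. Both messages are constructed samples; the second mimics the third-party mailer whose SPF passed but did not align.

```python
"""SPF and DKIM identifier alignment as DMARC sees it (added example, not GCA code)."""
import email
import re
from email.utils import parseaddr

# Constructed: mail sent by the organization's own server and signed with its key.
MSG_DIRECT = """\
Return-Path: <bounce@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=gca;
  h=from:to:subject:date; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: quarterly report

(constructed body)
"""

# Constructed: a third-party mailer using its own bounce domain and signing domain.
MSG_THIRD_PARTY = """\
Return-Path: <bounce-12345@bounces.mailer.example>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.example; s=k1;
  h=from:to:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: newsletter

(constructed body)
"""


def org_domain(domain):
    """Simplification: last two labels. Real DMARC consults the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode="relaxed"):
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "strict" else org_domain(a) == org_domain(b)


def addr_domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def dkim_tags(sig):
    """tag=value pairs of a (possibly folded) DKIM-Signature header value."""
    flat = re.sub(r"\s+", "", sig)
    pairs = (p.split("=", 1) for p in flat.split(";") if "=" in p)
    return {k: v for k, v in pairs}


def check_alignment(raw, mode="relaxed"):
    msg = email.message_from_string(raw)
    from_dom = addr_domain(msg["From"])
    spf_dom = addr_domain(msg["Return-Path"])
    sigs = [dkim_tags(s) for s in msg.get_all("DKIM-Signature", [])]
    return {
        "from": from_dom,
        "spf": {"domain": spf_dom,
                "aligned": bool(spf_dom) and aligned(from_dom, spf_dom, mode)},
        "dkim": {"domains": [t.get("d", "") for t in sigs],
                 # selector + d= form the DNS name the verifier queries for the key
                 "query_names": [f"{t['s']}._domainkey.{t['d']}"
                                 for t in sigs if "s" in t and "d" in t],
                 "aligned": any(aligned(from_dom, t["d"], mode)
                                for t in sigs if t.get("d"))},
    }


if __name__ == "__main__":
    for name, raw in (("direct", MSG_DIRECT), ("third party", MSG_THIRD_PARTY)):
        for mode in ("relaxed", "strict"):
            print(name, mode, check_alignment(raw, mode))
```

For the first message, relaxed mode aligns both identifiers, while strict mode rejects SPF (mail.example.com is not exactly example.com) and keeps DKIM; for the third-party message neither identifier aligns in either mode, which is what the vendor's "Received-SPF: pass" on the earlier slide cannot fix.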
Shortfalls
• Does NOT define what to do when a signature is good or bad
• No reporting mechanism
• Does NOT determine whether the sending server is allowed to send outgoing mail for a specific domain
• Leaves it to recipient filters to judge the authenticity of the message
  • the recipient server must decide how to handle failed messages
Domain-based Message Authentication, Reporting, & Conformance (DMARC)

A policy, published in DNS, that ties SPF and DKIM together (the A, Authentication, in DMARC): at least one of them must pass with an identifier aligned to the From: domain, enforced at the policy level your organization defines (the C, Conformance), and it adds a reporting feature (the R, Reporting).

DMARC with SPF and DKIM
• Resolves most issues with SPF and DKIM
• Domains using the same hosting provider or sending from the organization's own mail servers: implement SPF and DKIM, and DMARC's alignment requirement stops other customers of that provider from passing as your domain
• DMARC uses the SPF and DKIM checks and requires the passing identifier to align with the From: domain
• DMARC reports show who is sending as your domain and whether they pass
• DMARC tells receivers what to do with a message that fails (none, quarantine or reject)
Bootcamp Resources
• Community Forum – community.globalcyberalliance.org
• Bootcamp resource page – dmarc.globalcyberalliance.org/dmarc-bootcamp/

Next Webinars:
• DMARC Technical Details and Windows DNS – Sept 29th
• DMARC Technical Details and BIND – Sept 30th
• DMARC Technical Details and Cloud DNS – Oct 1st

Q&A
Thank You!
Copyright © 2020 Global Cyber Alliance