Bootcamp

Shehzad Mirza, Director of Operations
[email protected]
[email protected]

Bootcamp Plan and upcoming Webinars

• Weeks 1-2: Getting Started
  • Bootcamp Introduction and DMARC Overview
  • Overview of DMARC, SPF and DKIM
• Weeks 3-4: Time to Implement!
  • Demonstrations on how to implement DMARC on Windows DNS, BIND and a Cloud-based DNS Provider
  • Participants should implement DMARC during these weeks
• Weeks 5-6: Ongoing Management: Analyze, Review and Adjust
  • What to look for in DMARC reports and what needs to be adjusted before moving to an enforcement policy

Bootcamp Resources

• Community Forum – community.globalcyberalliance.org
• Bootcamp resource page – dmarc.globalcyberalliance.org/dmarc-bootcamp/

Introduction to SPF and DKIM

Sender Policy Framework (SPF)

• Defines which mail servers are authorized to send mail for the organization’s domain
• Uses the “envelope from” to determine the sending domain
• TXT record on Domain Name Server (DNS)
• Can only have one SPF record

SPF

SPF DNS TXT Record

• Basic:
  Name: or @ or leave blank
  Value: "v=spf1 mx -all"

• Complex:
  Name:
  Value: "v=spf1 mx a: include:<3rd party domain> ip4: ~all"

SPF Tags

• v=spf1 – The TXT record will always begin with this. This defines the version of SPF being used. Currently SPF version 1 is the only available version.
• mx – If this is included, then the incoming mail servers (MXes) of the domain are authorized to also send mail for that domain.
• a: – This part should only be included if there are other systems, other than the mail servers, authorized to send mail for the domain.
• include: – Everything considered legitimate by a trusted external domain is
• ip4: / ip6: – This should be used if only IP addresses are available.

SPF Tags (con’t)

• ptr – Use the source IP's PTR and a reverse map query
• exists – The existence (any valid A record) of the specified domain allows the test to pass
• redirect – Redirects verification to use the SPF records of the defined domain
• exp – Defines a DNS name whose TXT record's text may be returned with any failure message; must be at the end of the policy
• Macro-expressions – complex and confusing

SPF ‘all’ tag

• -all – Hard Fail
  • Only the domain’s mail servers (and those in the ‘a’ and ‘include’ sections) are allowed to send mail for the domain. All others are prohibited.
• ~all – Soft Fail
  • If mail is from a server not on the policy, the message is still accepted but marked as non-compliant.
• ?all
  • Explicitly states that nothing can be said about validity.
• +all
  • Means that any host can send mail for the domain. This should never be used.

Example SPF Record

• v=spf1 mx include:_spf..com -all

• v=spf1 mx include:spf.protection.outlook.com -all

• v=spf1 include:spf.protection.outlook.com ip4:161.11.10.20 -all

Items Needed for SPF

• Access to org’s public DNS
• Determine if MX records are being used
• IP addresses or domains of systems sending on the organization’s behalf
• If 3rd party vendors support SPF
  • What needs to be added to your SPF
• Confirm SPF alignment (make sure the sending domain is using the org’s domain)

SPF Alignment

Good:
From: [email protected]
Return-Path:
Received-SPF: pass (google.com: domain of [email protected] designates 2607:f8b0:4864:20::d34 as permitted sender) client-ip=2607:f8b0:4864:20::d34;

Fail:
From: [email protected]
Return-Path: <[email protected]>
Received-SPF: pass (google.com: domain of bounce-mc.us15_71628198.660451-[email protected] designates 205.201.133.58 as permitted sender) client-ip=205.201.133.58;

To achieve passing SPF alignment, the From: header domain must match the domain used to authenticate SPF (i.e., the envelope “mail from” / “Return-Path” domain).


Shortfalls

• Recipient server must decide how to handle failed messages
• Once implemented, there is no mechanism to determine if the message was rejected or bounced
• If used alone, any other domain using the same hosting provider can still forge mail of other domains
• 10 domain lookup limit
• Does not validate the “header from”, but uses the “envelope from” to determine the sending domain

10 Domain Lookup Workaround

• SPF Flattening
  • Use IP addresses instead of domain names
  • Be extremely careful

• Dynamic SPF
  • Capability provided by various DMARC vendors
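The example records on the earlier slide and the 10-lookup workaround above can both be checked with a small script. The following is an added example, not code from the GCA bootcamp or from any vendor: it parses an SPF record into qualifier/mechanism/value terms, counts the mechanisms that each cost a DNS lookup (include, a, mx, ptr, exists, redirect) by following includes, and then flattens the record into ip4/ip6 literals. All DNS data is a constructed in-memory zone using reserved documentation addresses and example domains, so nothing is resolved over the network.

```python
"""Added example (not from the GCA bootcamp deck): parse an SPF record, count
the mechanisms that cost a DNS lookup against the 10-lookup limit, and flatten
include/a/mx terms into ip4/ip6 literals.  All DNS data is a constructed,
in-memory zone so the script runs offline."""
import re

# Terms that each cost one DNS lookup toward the limit of 10 (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Constructed zone data (RFC 5737/3849 documentation addresses, not real hosts).
DNS = {
    "TXT": {
        "example.org": "v=spf1 mx include:_spf.vendor-a.example ip4:203.0.113.10 -all",
        "_spf.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.vendor-b.example -all",
        "_spf.vendor-b.example": "v=spf1 ip4:192.0.2.0/25 ip6:2001:db8::/32 ~all",
    },
    "MX": {"example.org": ["mail.example.org"]},
    "A": {"mail.example.org": ["203.0.113.25"]},
}

TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=](.*))?")


def parse_spf(record):
    """Return a list of (qualifier, name, value) tuples for an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must begin with v=spf1")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError("unparseable SPF term: %r" % term)
        parsed.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return parsed


def all_qualifier(record):
    """Qualifier on the 'all' term: '-' hard fail, '~' soft fail, '?' neutral, '+' pass."""
    for qual, name, _ in parse_spf(record):
        if name == "all":
            return qual
    return None


def count_lookups(record, dns):
    """Count lookup-costing terms, following include:/redirect= into their records."""
    count = 0
    for _, name, value in parse_spf(record):
        if name in LOOKUP_TERMS:
            count += 1
        if name in ("include", "redirect") and value in dns["TXT"]:
            count += count_lookups(dns["TXT"][value], dns)
    return count


def _flatten_terms(domain, dns, keep_all):
    terms = []
    for qual, name, value in parse_spf(dns["TXT"][domain]):
        q = "" if qual == "+" else qual
        if name in ("ip4", "ip6"):
            terms.append("%s%s:%s" % (q, name, value))
        elif name == "include":
            # The included record's own 'all' never applies to the including domain.
            terms.extend(_flatten_terms(value, dns, keep_all=False))
        elif name == "a":
            terms.extend("ip4:" + ip for ip in dns["A"].get(value or domain, []))
        elif name == "mx":
            for host in dns["MX"].get(value or domain, []):
                terms.extend("ip4:" + ip for ip in dns["A"].get(host, []))
        elif name == "all":
            if keep_all:
                terms.append(q + "all")
        else:
            raise ValueError("cannot flatten mechanism %r" % name)
    return terms


def flatten(domain, dns):
    """Rewrite domain's SPF record with every lookup replaced by IP literals."""
    return " ".join(["v=spf1"] + _flatten_terms(domain, dns, keep_all=True))


def lookup_report(domain, dns):
    """Summarise the lookup budget before and after flattening."""
    before = count_lookups(dns["TXT"][domain], dns)
    flat = flatten(domain, dns)
    return {"lookups": before, "over_limit": before > LOOKUP_LIMIT,
            "flattened": flat, "flattened_lookups": count_lookups(flat, dns)}


if __name__ == "__main__":
    print(lookup_report("example.org", DNS))
```

The flattened record drops from three lookups to zero, which is exactly why the slide says to be extremely careful: the vendor's addresses are now frozen in your zone, so any change on the vendor side silently breaks SPF for that sender until the record is regenerated, which is the gap a dynamic SPF service fills.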

DomainKeys Identified Mail (DKIM)

• Validates a domain’s identity that is associated with a mail message by using authentication in the form of a digital signature
• TXT or CNAME record on Domain Name Server (DNS)
• Can have more than one record

Generate DKIM Keys

• Two Keys
  • Private Key
  • Public Key
• Key generation is dependent on:
  • If you are using an external service for both mail and DNS (e.g. G Suite or O365)
  • If the organization has its own email server or gateway

DKIM with 3rd Party Mail Providers and Marketing Systems

• The mail provider will provide you with the public key. This public key is then published as a TXT or CNAME record in DNS.
• In some cases, the mail provider will supply the full DNS TXT record.
• The private key is held by the mail provider and typically not provided to the organization.

DKIM with Organization’s Mail Server or Gateway

• Some mail gateways will generate the DKIM keys (e.g. Cisco IronPort and Mimecast).
• Linux – an open source project called OpenDKIM (http://www.opendkim.org/) is available.
  • Contains various tools to assist with creating the DKIM key and for integrating DKIM signing into various mail systems
• MS Exchange – dkim-exchange (GitHub)
• Another option is to use OpenSSL to generate the DKIM keys (the key size must be the last argument to genrsa):
  • Private Key: openssl genrsa -out dkim-private.pem -outform PEM 1024
  • Public Key: openssl rsa -in dkim-private.pem -out dkim-public.pem -pubout -outform PEM
• Move the DKIM private key to the location specified by the DKIM installation.
  • Make sure it is in a folder with restricted access.

DKIM DNS TXT Record

Name: ._domainkey.
Value: "k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l;"

DKIM Record Name

• The name of the DKIM key in DNS. Any name can be used before the “.”, however it must have “_domainkey” after.

• _domainkey - required

- may not be needed

DKIM Tags

• k=rsa – defines the key algorithm used
• p= – defines the public key string
  • 1024 – most common size
  • 2048*
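The OpenSSL key-generation steps and the DNS record layout above leave one practical step unstated: turning the PEM file that `openssl rsa -pubout` writes into the p= tag value. The following is an added example, not code from the GCA bootcamp or from OpenDKIM: it strips the PEM armor, validates the base64, builds the TXT value and splits it into 255-byte quoted strings, which a 2048-bit key needs because its base64 SubjectPublicKeyInfo alone is 392 characters. The `v=DKIM1;` version tag is taken from RFC 6376 and is not on the slide; the key bytes are constructed filler, not a real RSA key, and `selector1` / `example.org` are placeholders.

```python
"""Added example (not from the GCA bootcamp deck): turn the SPKI public key
that `openssl rsa -pubout` writes into the DKIM DNS TXT record value and split
it into the 255-byte strings a zone file needs for 2048-bit keys.  The key
bytes below are constructed filler, not a real RSA key."""
import base64
import textwrap

# Constructed stand-in for a public key: 520 bytes of filler, base64-encoded.
DEMO_B64 = base64.b64encode(b"constructed-demo-key-bytes" * 20).decode()
DEMO_PEM = ("-----BEGIN PUBLIC KEY-----\n"
            + "\n".join(textwrap.wrap(DEMO_B64, 64))
            + "\n-----END PUBLIC KEY-----\n")


def pem_to_p_value(pem):
    """Strip the PEM armor and line breaks; the p= tag wants the bare base64 body."""
    if "BEGIN RSA PUBLIC KEY" in pem:
        # PKCS#1 armor: DKIM expects the SubjectPublicKeyInfo form that -pubout emits.
        raise ValueError("use the SPKI 'BEGIN PUBLIC KEY' form from openssl rsa -pubout")
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    base64.b64decode(body, validate=True)  # reject copy/paste damage early
    return body


def dkim_txt_value(pem, key_type="rsa"):
    """Full TXT value; v=DKIM1 is the RFC 6376 version tag (assumed, not on the slide)."""
    return "v=DKIM1; k=%s; p=%s" % (key_type, pem_to_p_value(pem))


def zone_strings(value, max_len=255):
    """A single TXT character-string is limited to 255 bytes; longer values are
    published as several quoted strings that resolvers concatenate."""
    return ['"%s"' % value[i:i + max_len] for i in range(0, len(value), max_len)]


def dkim_zone_record(selector, domain, pem, ttl=3600):
    """Zone-file line for <selector>._domainkey.<domain> (names are placeholders)."""
    return "%s._domainkey.%s. %d IN TXT %s" % (
        selector, domain, ttl, " ".join(zone_strings(dkim_txt_value(pem))))


if __name__ == "__main__":
    print(dkim_zone_record("selector1", "example.org", DEMO_PEM))
```

Run it against the real dkim-public.pem produced by the OpenSSL command and paste the printed line into the zone; after publishing, query the selector name with a DNS tool and confirm the strings concatenate back to the same p= value before enabling signing.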

Items Needed for DKIM

• Access to public DNS
• Define selector
• DKIM key generator and signing tool
  • Built in to mail server or email security gateway
  • Provided by 3rd party email provider
• If 3rd party vendors support DKIM
  • What needs to be added to DNS (TXT or CNAME record)
• Confirm DKIM alignment (make sure the signing server is using the org’s domain)

DKIM Alignment

Message Header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalcyberalliance.org; s=gca; h=mime-version:references:in-reply-to:from:date:message-id:subject:to:cc;
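Both alignment checks in this deck (the SPF alignment slide earlier and the DKIM alignment header here) come down to the same comparison against the From: header domain: the Return-Path domain for SPF and the d= tag of the DKIM-Signature for DKIM. The following is an added example, not code from the GCA bootcamp: it parses two constructed messages, one aligned and one sent through a bulk mailer that authenticates as itself, and reports SPF and DKIM alignment in both relaxed and strict modes. It assumes SPF and DKIM themselves already passed (as the Received-SPF: pass lines on the slide show) and checks only identifier alignment; the organizational-domain helper is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List. All domains and addresses are constructed example names.

```python
"""Added example (not from the GCA bootcamp deck): check DMARC identifier
alignment for SPF and DKIM on a raw message.  SPF alignment compares the
From: header domain with the Return-Path (envelope "mail from") domain; DKIM
alignment compares it with the d= tag of the DKIM-Signature.  The sample
messages are constructed and use reserved example domains."""
import email
from email.utils import parseaddr

# Constructed message: From domain and authenticating domains belong together.
ALIGNED_MSG = """\
From: Alice Example <alice@example.com>
Return-Path: <bounces@mail.example.com>
Received-SPF: pass (constructed: 203.0.113.5 is a permitted sender for mail.example.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:to:subject:date; bh=constructed; b=constructed
Subject: aligned test

body
"""

# Constructed message: the bulk mailer authenticates as itself, not as example.com.
UNALIGNED_MSG = """\
From: Alice Example <alice@example.com>
Return-Path: <bounce-12345@bounce.bulkmailer.example>
Received-SPF: pass (constructed: 198.51.100.7 is a permitted sender for bounce.bulkmailer.example)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bulkmailer.example; s=k1;
 h=from:to:subject; bh=constructed; b=constructed
Subject: unaligned test

body
"""


def address_domain(header_value):
    """Domain part of the first address in a header, or None if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def organizational_domain(domain):
    """Simplification: last two labels.  DMARC proper uses the Public Suffix
    List, so multi-label suffixes such as co.uk would need that list."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode="relaxed"):
    """Strict mode needs an exact match; relaxed needs the same organizational domain."""
    if not from_domain or not auth_domain:
        return False
    if mode == "strict":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dkim_tags(signature_value):
    """Parse the tag=value; list of a DKIM-Signature header (folding is tolerated)."""
    tags = {}
    for part in signature_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def check_alignment(raw_message, mode="relaxed"):
    """Report the identifiers and whether each authentication result aligns with From:."""
    msg = email.message_from_string(raw_message)
    from_domain = address_domain(msg.get("From"))
    spf_domain = address_domain(msg.get("Return-Path"))
    dkim_domains = [dkim_tags(sig).get("d", "").lower()
                    for sig in msg.get_all("DKIM-Signature", [])]
    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "dkim_domains": dkim_domains,
        "spf_aligned": aligned(from_domain, spf_domain, mode),
        "dkim_aligned": any(aligned(from_domain, d, mode) for d in dkim_domains),
    }


if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED_MSG), ("unaligned", UNALIGNED_MSG)):
        print(label, check_alignment(raw))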

Shortfalls

• Does NOT define what to do if the signature is bad or good
• No reporting mechanism
• Does NOT determine if the sending server is allowed to send outgoing mail for a specific domain
• Allows recipient filters to determine the authenticity of the mail message being sent
  • Recipient server must decide how to handle failed messages

Domain-based Message Authentication, Reporting & Conformance

A policy that defines how SPF and DKIM (the A, or Authentication, in DMARC) must work together using the policy level defined by your organization (the C, or Conformance, in DMARC), and adds a reporting feature (the R, or Reporting, in DMARC).

Uses Domain Name Server to define the policy

DMARC with SPF and DKIM

• Resolves most issues with SPF and DKIM
  • Domains using the same hosting provider or coming from org mail servers – implement SPF and DKIM
  • DMARC will utilize SPF and DKIM checking
  • DMARC Reports
  • DMARC indicates what to do with the message if either were to fail or pass

Next Webinars:

DMARC Technical Details and Windows DNS Sept 24th or Oct 1st

DMARC Technical Details and BIND Sept 25th or Oct 2nd

DMARC Technical Details and Cloud DNS Sept 26th or Oct 3rd

Q&A

Thank You!

Shehzad Mirza
[email protected]
[email protected]