In this talk I go through SPF, Sender ID, DKIM, and DMARC to demonstrate and explain how all of these technologies come together to improve your email security. I also showcase a demo of O365 and how vulnerable it is to phishing by common mistakes and demonstrating how the whitelist function is really dangerous.
2. Write-Output “Hello”
I’m Wesley Kirkland
I have over 3 years of Systems Engineering experience
consisting of On Premise, Cloud, and automation.
Currently I work at Ministry Brands as a Sr. Systems
Engineer working with PowerShell, Azure, and Office
365.
3. SPF (Sender Policy Framework)
● Declared Experimental in 2006 (RFC4408)
● Proposed Standard (RFC7208)
● DNS Records: TXT and not Type 99
● VERP (Variable envelope return path)
○ Example: wikipedians-
owner+bob=example.org@example.net
● SPF Oddities
● SPF Nesting
● Include Types
○ A
○ MX
○ PTR
○ ip4
○ ip6
○ Include
○ Redirect
○ Exists
■ Dynamic
■ %{i}._spf.s$domain.$tld
5. SPF 2.0
● Wait What!
● Sender ID
○ Obsolete
○ Independent
● Microsoft
○ Developer
○ Open Specification Promise
● Example:
○ SPF: v=spf1 include:spf.sign-up.to ~all
○ Sender ID:spf2.0/pra include:spf.sign-up.to ~all
○ Sender ID: spf2.0/pra,mfrom include:spf.sign-up.to ~all
● Major ESPs (Email Service Providers)
○ AOL
○ Bell Canada
6. DKIM (DomainKeys Identified Mail)
● Proposed Standard in 2007 (RFC4871, RFC6376)
● Digitally signing email via asymmetric encryption
○ Validated via DNS public key
○ selector1._domainkeys.$domain.$tld
● Verify the integrity of your mail across the internet
● Actions (Pass, Fail)
● Adoption
7. DMARC (Domain-based Message
Authentication, Reporting & Conformance)
● SPF Alignments
● DKIM Alignments
● Reporting
a. Aggregate
b. Forensic
● Policies
a. None
b. Quarantine
c. Reject
● Use cases
a. Phishing Protection
b. Simplifying Email Delivery
c. Domain Reputation
● DMARC on the 2016 Election
14. Get-Contact
◇ Github: https://github.com/wesleykirkland
◇ Email: wesley@wesleyk.me
◇ Web: wesleyk.me
◇ Linkedin: WesleyKirkland
◇ Twitter: @UnleashTheCloud
All examples can be found be found below
https://github.com/wesleykirkland/PowerShell-
Email-Security
Editor's Notes
Who likes email, and the management of it? - Pause
Yes?
You must be lying, email is a sin and an absolutely terrible thing to manage.
No?
Good because neither do I, everything I’m presenting on is from a lesson learned standpoint
I will be presenting on email security, routing, security, and some really useful websites that you may not know about
Why did I do this?
A little over a year ago I switched jobs to Ministry Brands to become a Sr. Systems Engineer, with my primary project being to migrate the company to Office 365
I got thrown into the deep end on this and had to learn from the ground up, and I’m hoping to share some of my lessons learned
Every major email system in so many different accounts (~50 different environments)
Rackspace Exchange/IMAP
G Suite
On Premise Exchange
AppRiver
O365
This is not about the migration path, but more on how I learned about email security
It feels like SPF is old, but it’s really not that old by true standards, SPF is primarily a authentication mechanism
SPF uses the alignment of the domain in the return path of a message
SPF is not always an option, some providers are incapable of adjusting their return paths. Which makes them SPF incapable
What I thought about SPF
It was a hard yes/no
You have/had to have it
It was unlimited in length
We use Campaign Monitor at work and it’s SPF incapable, what is funny is they are not aware of it as their support doesn’t realize it
Variable Return paths are called VERP
Very useful for mass mailers
By encoding the recipient address in the left half of the email mass mailers can track bounces better
Email halfs left vs right
Some DNS providers will offer a resource record type of 99, this is a legacy standard leftover from RFC4408 (Section 3.1.1)
Odd Things
10 DNS lookup limit
Designed by Scott Kitterman to reduce latency, and DNS abuse, DNS DOS attacks
Mimecast is one of the major providers who observes this
DNS string concatenation
This can be used for when you have SPF records over 255 characters, Route 53 supports this and you just can’t have spaces in between your records
https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html
Still limited to 512 characters/octets (8 bits to an octet)
SPF Nesting
This is a very common practice, you include a SPF record like GSuite. Since GSuite has so many sending IPs and to avoid DNS string concatenation they include sub SPF records
Example on my personal domain
https://mxtoolbox.com/SuperTool.aspx?action=spf%3awesleyk.me&run=toolpage
Example on discovery.com
This one is good since it actually
https://mxtoolbox.com/SuperTool.aspx?action=spf%3adiscovery.com&run=toolpage
Types
A
A records on a domain, if not domain is specified then the current domain in scope
MX
This is just a pet peeve of mine, specify it in CIDR or a DNS include
For example rackspace is a massive email server, their MX servers are not their sending server(s)
PTR - Discouraged
Causes excessive DNS lookups
IP (CIDR or IP)
IP4
IP6
Include
Note if a include fails with a perm error it will be passed back up the tree
Redirect
Simply redirect your SPF record
Dynamic
This has the ability to create a dynamic SPF record with unlimited DNS includes
Salesforce.com uses this for their MTA (Mail Transport agent)
One option may to do SPF flattening - https://dmarcian.com/spf-survey/
You have to keep this up to date, a few online services assist with this
fraudmarc.com
ondmarc.com
Source: http://www.openspf.org/SPF_Record_Syntax
SPF Fails
+all - The owner of the domain doesn’t care or thinks SPF is useless
N/A - None this is the default when you register a domain
?all - Neutral, the sending server does not specifically authorize or deny any sending IPs
~all - SoftFail, the sending server has a list of authorized IPs and is a weak statement that suggests it’s not an authorized sender and the publisher hasn’t locked down their SPF record
Many email providers will suggest an ~all record for implementation, this basically means anyone can send as you
-all - HardFail, if the sending IP isn’t in the SPF it’s not authorized to send on behalf of the domain
Various types of errors
TempError - This is typically a transient DNS error, in which the packet was lost. Further checks generally are successful
PermError - This means the publishers DNS records could not be interpreted correctly
Fun fact O365 will cut you some slack and treat two separate SPF records
O365 will also do other fun things for you so you almost always accept email
Why -all isn’t always an option
Earlier I mentioned SPF incapable mailers, this is the only legitimate reason for ~all (SoftFail)
This would only be used when you have non compliant SPF mailers and your recievers don’t comply with DMARC
Source: https://tools.ietf.org/html/rfc7208
I actually learned about this while doing research on this topic, Microsoft was a large supporter of Sender ID and licensed it
Eventually it was put under the Microsoft Open Specification Promise - https://en.wikipedia.org/wiki/Sender_ID#Intellectual_property
Not compatible with all open source licenses including GNU 3.0
The OSP is not a licence, but rather a Covenant Not to Sue. It promises protection but does not grant any rights.
It’s not actually SPF 2.0 and never will be, it’s called Sender ID
Example - Notice how they are almost exactly the same?, which
SPF
Sender ID - pra (Purported Responsible Address)
Sender ID - pra (Purported Responsible Address)/mfrom (Mail From)
PRA
Purported Responsible Address - Selected via a algorithm
Sources:
http://www.openspf.org/SPF_vs_Sender_ID
https://support.signupto.com/hc/en-gb/articles/201806438-An-introduction-to-SPF-Sender-ID-and-DKIM
https://tools.ietf.org/html/rfc4407
https://en.wikipedia.org/wiki/Sender_ID#Intellectual_property
Used to verify the integrity of your mail in transit, primarily for mail authentication
Usually you sign the body of the messages only, most email providers modify headers in transit
Actions - DKIM does not inform the receiver to take a specific action
Pass - Your mail might as well be happy
Fail - You can take action on this and mark it as spam or straight up reject
Adoption
Has not been as fast as had hoped
Besides security, it really only helps with DMARC
Notes
Some older versions of Exchange modify the body which invalidates it for forwarding
Yahoo modifies the body to say forwarded by Yahoo
Sources:
https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/
DMARC - I can remember almost every IT acronym except for this which is to long!
DMARC is all about policy enforcement, your protecting your Brand Identity and your users
Email forwarding
DMARC can actually break email forwarding and break it 100% if you don’t use DKIM
During forwarding the return path is modified and will invalidate SPF, another technology that Google is a supporter of it ARC (Authenticated Received Chain)
DKIM survives email forwarding most of the time, unless you modify the content of the email
Show dmarcian example of DMARC forwarding breakag
Something to remember, all your doing is preventing your brand/mail from getting spoofed. You still need to properly train your users.
SPF Alignment
Things to note, SPF does not survive mail forwarding or indirect mail flows such as SDR (Split Domain Routing)
Aligning the return path domain/ips to your SPF record
DKIM alignment
Relaxed - Digitally signed with DKIM from a domain and it’s signature verifies
Strict - Digitally signed with DKIM on the sending domain, signing domain and header from domain match
Reporting
NOTE: O365 does not publish DMARC reports and there are no plans to - https://blogs.msdn.microsoft.com/tzink/2018/05/21/a-way-to-sort-of-approximate-dmarc-aggregate-reports-in-office-365/
Aggregate - Just take my word on this, pay for an actual aggregation service instead of digging through the reports yourself. It’s a bunch of varying XML
Forensic - Individual copies of redacted emails with header information
Note: Google does not believe in RUF reports for security reasons
Privacy Concerns
Potentially high in volume
Not required to successfully deploy dmarc
Policies
None - Used for data gathering
Quarantine - Ask the mail provider to quarantine your mail for further analysis or send it to junk
You can do this in percentages with a specific tag, so it’s not a all or none event
Reject - Straight up reject any non compliant mail
Use cases
Phishing Protection
Marking all legitimate and out right rejecting non legitimate mail
Simplifying Email Delivery
If mail is DMARC compliant, then it’s safer to bypass spam scanning on messages especially form trusted senders
SPAM filters are just a super complicated set of rules to see if your mail is legit, and all mail is legit on the internet right?
Domain Reputation
Less dependant than IPs - Example O365 uses the same IPs for everyone, same thing with Symantec, Mimecast, Rackspace, Sendgrid, Mailchimp, etc.
Wouldn’t a reputation for your domain be better than a shared IP address?
DMARC on the 2016 Election
donaldjtrump.com is 100% vulnerable to spoofing even to this day
Hillaryclinton.com had a quarantine policy in place
Fun stuff
How Microsoft.com went to DMARC quarantine - https://blogs.msdn.microsoft.com/tzink/2016/09/27/how-we-moved-microsoft-com-to-a-pquarantine-dmarc-record/
EOP and DMARC: https://blogs.msdn.microsoft.com/tzink/2014/12/03/using-dmarc-in-office-365/
I’m not showing who is in quarantine mode, as it’s a ramp up process except when your at 100%. Then you’re waiting to flip the switch.
This is an example of major ESPs and their DMARC policies, at work with some of our web hosting customers. They like to blame us when they spoof a major ESP and their mail doesn’t get through. So we then have to explain to them they don’t own their gmail/aol address, but rather they are using a service they don’t control.
BOD 18-01
Securing our governments internet facing infrastructure
Forcing HTTPS/HSTS connections
Mail servers must offer STARTTLS
SPF and DMARC must be implemented for first and second level domains
Disable legacy encryption protocols
Secure Sockets Layer (SSL)v2 and SSLv3 are disabled on mail servers
3DES and RC4 ciphers are disabled on mail server
October 16th, 2018
This is the final compliance date and all government domains MUST be compliant
Current goverment DMARC rollout - https://www.securityweek.com/dmarc-fully-implemented-half-us-government-agencies
When you register a new domain it is 100% open to any email spoofing it?
This is because there are no restriction
SPF is all you need
When I first started my job I was a big believer in SPF because that’s all I ever learned
Domain Whitelisting
I’ve actually discovered a fairly massive bug within Rackspaces emailsrvr.com infrastructure that fails to validate DKIM signing
Their current workaround is to whitelist any email containing a specific header based upon the header from address, I’ll let you ponder that one for a moment
As for domain whitelisting as a whole this is a terrible idea, Mimecast actually informed me about it. If you whitelist a domain, your allowing in any mail that claims to be that domain, and it doesn’t have to validate any checks (FACT CHECK, and test)
If time allows show a demo of each one of these
DNSTrails - Historical DNS information, really useful for diagnosing when DNS errors occurred and for phishing
MXToolbox - This website just does everything, SPF, DKIM, DMARC, Header Analysis, DNS, WHOIS, Network checks, TL;DR: It’s amazing and free!
EXCRA - Microsoft Header Analysis tool, a.k.a Microsoft Remote Connectivity Analyzer
Dmarcian’s DMARC Inspector, show all tags and implied tags
CheckTLS - Verify a mail servers security against all possible MX/IP records quickly. Also proof email addresses easily
Emkei’s Fake Mail - Test against phishing/spoofing attacks
DKIM Validator - Verify SPF and DKIM alignments and information
Who wants to volunteer their personal email domain
Demo
RDP phishing.thatsnothowthat.works:3389
Showcase our domains “security features”
SPF - Hard Fail
DMARC - Reject
Junk Mail Filtering - Or lack of it
Connectors and transport rules, we are not applying any inbound protection
Test with whitelist of our internal domain
I’ve been able to successfully test this in a hybrid environment and bypass the spam filter. This is because O365 is not very secure by default, and cares more about deliverability rather than security
Show lucidchart diagram - https://www.lucidchart.com/documents/view/10784609-a0f8-4eab-9d9b-2b8d4a9fed62
Note how my fake emails get marked as junk
This wasn’t true when I started this demo, maybe try on work VPN if time allows
SCL is 9
Need to do more testing, I’m getting SCLs ranging from 5-9
Examples: Fake mailer on wesleyk.me the DMARC rejection will come to SPAM
Header analysis demo
Fun story about a semi local company in town
I identified they weren’t spoofed but hacked and emailed them on how to fix their email, I ended up getting a response form their CEO in less than 24 hours
Sendgrid - You just need an API key and sendgrid will let you send as any domain without any kind of verification that your affiliated with the domain. This truely pisses me since they have no default security and primarily care about profit
Sendgrid doesn’t have a way to find out what domains you are spoofing which is very annoyinh
Mandrill - Mandrill has a bad taste in my mouth from when the shut down their API service and went to Mailchimp only
MailChimp - Only requires a email verification to start sending mail
You just have to receive an email at the domain and click a verification link
They don’t require you to do SPF and DKIM validation
Some more notes about our environment
We straight up rejection non DMARC compliant mail for our internal DMARC compliant domains
We don’t whitelist senders, we make them make their mail compliant
Unless they straight up do a SPF hardfail, or fail DKIM then we mark them as spam
If they fail DMARC then we bounce the message
I only know of one false positive and that was a lastpass forwarded message and they have an active DKIM signing issue
It actually requires a significant amount of effort to truly whitelist a domain in Mimecast
We employ a tactic called greylisting, yeah it pisses some of our users off. But we bounce 1200 messages a week currently that don’t even make it to spam
Displayed above is my contact information.
There is a shameless self plug that I would like to mention. You will see “The PowerShell Conference Book”, earlier this year I had a wonderful opportunity to contribute to this book. It’s designed to be conference style talks written in each chapter. With over 30+ chapters, each author is a SME on each subject that they have written about. All royalties go directly to the Devops Collective OnRamp scholarship fund, which helps underrepresented individuals get a head start in the IT Industry. If you are above above a intermediate user to advanced user I highly suggest you check out this book.