Each and every one of us uses it: e-mail. But how well do we monitor this crucial channel? How can we avoid spam being sent from our domains? If you own a domain that sends email, the most effective action you can take is to set up DKIM, SPF and DMARC. As more and more domains implement authentication, phishers are forced to target domains that are not yet protected. Hopefully not your domains? In this presentation we will look at the three protocols.
2. Why would we do this?
- People waste their time sorting spam
- Money is lost to phishing emails
  - banks, credit cards, invoices
- No trust in their real messages
- Google forces you to do it!
12. My email has not arrived..
Lots of reasons
- The code doesn't send the email
- The server IP address is on an (RBL) blacklist
- The receiving server doesn't trust your IP address
- The content is marked as spam
- The email policy is not configured or not optimal
13. My email has not arrived..
What can we do about it?
- Check that the script works
- Check the server IP address against the (RBL) blacklists
- Submit a removal request
- Check the email policies [SPF/DKIM]
- Use email service providers
14. How we did it in the old days
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= maillinglist@domain.com H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 id=384a86a39e83be0d9b3a94d1feb3119f@domain.com T="Daily Science Maillinglist: Chameleon" from for user@example.com
2016-04-01 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
2016-04-01 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s
27. SPF
- Created in 2003
- Declares which mail servers are used to send mail from your domain
- Publish an SPF record in your DNS records
- Technical method to prevent sender address forgery
28. SPF
This technology requires two sides to play together:
1. The domain owner, publishing an SPF record
2. The receiving server, checking for domain SPF records
29. SPF
If the message comes from an unknown server, it can be considered as fake and could be rejected.
30. SPF record - JCID
Let's look at an example
jcid.nl. TXT "v=spf1
include:spf.jcid.nl
include:_spf.google.com
include:spf.mandrillapp.com
include:_spf.exactonline.nl
-all"
31. SPF record - SweetLake PHP
The parts of the SPF record mean the following:
sweetlakephp.nl. TXT "v=spf1
+a
+mx
include:spf.mandrillapp.com
~all"
- v=spf1
- a (149.210.152.247)
- mx (mx.transip.email)
- include:spf.mandrillapp.com
- ~all
38. SPF - The "ip4" & "ip6" mechanism
"v=spf1 ip4:192.168.0.1/16 -all"
Allow any IP address between 192.168.0.1 and 192.168.255.255.
"v=spf1 ip6:1080::8:800:200C:417A/96 -all"
Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.
39. SPF - The "a" & "mx" mechanism
a
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>
mx
mx/<prefix-length>
mx:<domain>
mx:<domain>/<prefix-length>
40. SPF - The "include" mechanism
include:<domain>
Example
include:spf.mandrillapp.com
41. SPF - The "include" mechanism
Exact Online example (the included record, with the addresses masked):
ip4:xxx.xxx.xxx.xxx ip4:yyy.yyy.yyy.yyy ip4:zzz.zzz.zzz.zzz
53. SPF results
An SPF record can return any of these results:
1. Pass
------------
2. Fail
3. SoftFail
------------
4. Neutral
5. None
------------
6. PermError
7. TempError
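To tie the mechanism slides (ip4/ip6, a, mx, include, all with their qualifiers) to the result list above, here is an added example, not part of the deck, of a minimal SPF evaluator. The DNS data is a constructed in-memory snapshot (domains example.com, spf.relay.example, office.example and broken.example are made up), and the redirect and exists mechanisms are left out.

```python
import ipaddress
# Constructed DNS snapshot (TXT, A and MX records) standing in for live lookups.
DNS = {
    "TXT": {
        "example.com": "v=spf1 +a +mx include:spf.relay.example ~all",
        "spf.relay.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 a:mail.example.com/28 -all",
        "office.example": "v=spf1 a/24 -all",
        "broken.example": "v=spf1 foo:bar -all",
    },
    "A": {"example.com": ["198.51.100.10"], "mail.example.com": ["198.51.100.20"],
          "office.example": ["198.51.100.200"]},
    "MX": {"example.com": ["mail.example.com"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}  # implicit qualifier is '+'

def host_match(ip, target, mechanism):
    """'a' and 'mx': is ip inside the A records (widened by an optional /prefix) of target or its MX hosts?"""
    host, _, prefix = target.partition("/")
    hosts = DNS["MX"].get(host, []) if mechanism == "mx" else [host]
    return any(ip in ipaddress.ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)
               for h in hosts for addr in DNS["A"].get(h, []))

def check_spf(domain, client_ip):
    """Evaluate domain's SPF record for client_ip; returns one of the SPF result strings."""
    ip = ipaddress.ip_address(client_ip)
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                                   # no SPF record published
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mech, _, prefix = name.partition("/")           # "a/24": prefix given without a domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False on v4/v6 mismatch
        elif mech in ("a", "mx"):
            matched = host_match(ip, arg or f"{domain}/{prefix}".rstrip("/"), mech)
        elif mech == "include":
            sub = check_spf(arg, client_ip)             # included record evaluated recursively
            if sub in ("none", "permerror"):
                return "permerror"                      # RFC 7208 s5.2: missing include is permerror
            matched = sub == "pass"                     # only 'pass' inside the include matches
        else:
            return "permerror"                          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                    # nothing matched and no 'all' term
```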
55. SPF result
1 - Pass (accept)
Received-SPF: pass (bob.example.org: domain of alice@example.com
designates 192.0.2.1 as permitted sender)
receiver=bob.example.org; client_ip=192.0.2.1;
envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
56. SPF result - Receiver
Received-SPF: pass (bob.example.org: domain of alice@example.com
designates 192.0.2.1 as permitted sender)
receiver=bob.example.org; client_ip=192.0.2.1;
envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
receiver=bob.example.org: the host name of the SPF client
57. SPF result
client_ip=192.0.2.1: the IP address of the SMTP client
58. SPF result
envelope-from=alice@example.com: the envelope sender mailbox
59. SPF result
helo=mailout00.controlledmail.com: the host name given in the HELO or EHLO command
60. SPF result
2 - Fail (reject)
Received-SPF: fail (bob.example.org: domain of alice@example.com does
not designate 192.0.2.1 as permitted sender)
3 - SoftFail (accept but marked)
Received-SPF: softfail (bob.example.org: domain of transitioning
alice@example.com does not designate 192.0.2.1 as permitted sender)
61. SPF result
4 - Neutral (accept)
Received-SPF: neutral (bob.example.org: 192.0.2.1 is neither permitted
nor denied by domain of alice@example.com)
5 - None (accept)
Received-SPF: none (bob.example.org: domain of alice@example.com does
not designate permitted sender hosts)
62. SPF result
6 - PermError (unspecified)
Received-SPF: permerror -extension:foo (bob.example.org: domain of
alice@example.com uses mechanism not recognized by this client)
7 - TempError (accept or reject)
Received-SPF: temperror (bob.example.org: error in processing during
lookup of alice@example.com: DNS timeout)
74. How does DKIM work?
1. The author wishes to send an email to a recipient.
2. They (their mailing software) calculate a crypto signature that covers the relevant parts of the message using the private key.
3. The signature is placed in the email header and the message is then sent normally by the mail server.
4. At any point in transit the signature can be validated using the public key.
5. If any part of the message covered by the signature was manipulated, the signature won't validate and the recipient will be alerted.
75. How does DKIM work?
- Public key cryptography, like SSH
- Private key vs. public key
- DKIM uses DNS to publish the public keys
78. DKIM header - Version
v=1
This indicates the DKIM version in use.
79. DKIM header - Algorithm
a=rsa-sha256
The algorithm suite that was used to generate the crypto signature.
The current specification defines two:
- rsa-sha1
- rsa-sha256
80. DKIM header - Canonicalization
c=simple/relaxed
Note that the c= fragment defines two algorithms: the first is applied to the headers, the second to the body.
86. DKIM header - Header list
h=Message-ID:Date:Subject:From:...
87. DKIM header - Data
b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=
The crypto signature data itself, encoded in Base64 and possibly with whitespace inserted to conform to line length limitations.
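The c=, h= and b= slides describe what the signature covers; this added example, written for this page and not taken from the deck, implements RFC 6376 simple and relaxed canonicalization, the bh= body hash (the sha256 half of a=rsa-sha256), and the exact bytes the private key signs to produce b=. The message, header values and the d=/s=/bh= values in SIG are constructed placeholders; it shows why relaxed canonicalization survives a relay that rewraps whitespace while simple does not.

```python
import base64
import hashlib
import re

def canon_body(body, algorithm):
    """Body canonicalization (RFC 6376 s3.4.3 simple, s3.4.4 relaxed); body uses CRLF line ends."""
    lines = body.split("\r\n")
    if algorithm == "relaxed":
        # collapse runs of WSP inside a line to one space and drop WSP at line ends
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":          # both algorithms ignore trailing empty lines
        lines.pop()
    if not lines:                             # empty body: CRLF for simple, nothing for relaxed
        return "\r\n" if algorithm == "simple" else ""
    return "\r\n".join(lines) + "\r\n"

def canon_header(name, value, algorithm):
    """Header canonicalization: 'simple' keeps the field as-is; 'relaxed' lowercases the name,
    unfolds the value, collapses WSP and trims WSP around the colon."""
    if algorithm == "simple":
        return f"{name}:{value}\r\n"
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return f"{name.lower()}:{value}\r\n"

def body_hash(body, algorithm):
    """The bh= tag: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body(body, algorithm).encode()).digest()).decode()

def signing_input(headers, h_list, dkim_value, algorithm):
    """Bytes whose sha256 the private key signs to give b=: the h= fields in listed order, then
    the DKIM-Signature field itself with an empty b= and no trailing CRLF (RFC 6376 s3.7)."""
    data = "".join(canon_header(n, headers[n], algorithm) for n in h_list)
    blank_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", dkim_value)   # tags are ';'-separated
    return (data + canon_header("DKIM-Signature", blank_b, algorithm).rstrip("\r\n")).encode()

# Constructed message: the body as signed, and the same body after a relay rewrapped whitespace.
ORIGINAL = "Hello   Bob,\r\nYour  invoice is attached.\r\n\r\n\r\n"
REWRAPPED = "Hello Bob,\r\nYour invoice is attached.  \r\n"
HEADERS = {"From": " Alice <alice@example.com>", "Subject": " Invoice\r\n  for March"}
SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; h=From:Subject; bh=abc=; b=XYZ"

def survives_rewrap(algorithm):
    """Does the bh= value still match after the relay's whitespace changes?"""
    return body_hash(ORIGINAL, algorithm) == body_hash(REWRAPPED, algorithm)
```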
88. DKIM results
The possible results for your DKIM test are:
1. Pass
2. Fail
3. None
4. Policy
5. Neutral
6. TempError
7. PermError
89. DKIM results - Pass
The message was signed, the signature or signatures
were acceptable, and the signature(s) passed
verification tests.
90. DKIM results - Fail
The message was signed and the signature or
signatures were acceptable, but they failed the
verification test(s).
92. DKIM results - Policy
The message was signed but the signature or signatures
were not acceptable.
93. DKIM results - Neutral
The message was signed but the signature or signatures
contained syntax errors or were not otherwise able to
be processed.
94. DKIM results - TempError
The message could not be verified due to some error that is likely transient in nature, such as a temporary inability to retrieve a public key. A later attempt may produce a final result.
95. DKIM results - PermError
The message could not be verified due to some error that is unrecoverable, such as a required header field being absent. A later attempt is unlikely to produce a final result.
108. DMARC record - JCID
Let's look at an example
_dmarc TXT "v=DMARC1;
p=none;
pct=100;
rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com;
sp=none;
aspf=r;"
109. DMARC record - Version
v=DMARC1
This indicates the DMARC version in use.
110. DMARC record - Percentage
pct=100
Percentage of messages subjected to filtering
111. DMARC record - Aggregate report
rua=mailto:aggrep@example.com
Reporting URI of aggregate reports
112. DMARC record - Failure Reports
ruf=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com
Reporting URI for forensic reports
113. DMARC record - Policy
p=none
Policy for domain
- none
- quarantine
- reject
114. DMARC record - Sub-domain Policy
sp=none
Sub-domain Policy
115. DMARC record - Alignment
adkim=s
Alignment mode for DKIM
- r = relaxed (default)
- s = strict mode
116. DMARC record - Alignment
aspf=r
Alignment mode for SPF
- r = relaxed (default)
- s = strict mode
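The DMARC slides list the tags one by one; this added example (not from the deck) puts them together as a receiver would: parse the record, test SPF and DKIM identifier alignment under aspf=/adkim= relaxed or strict, pick p= or sp= depending on whether the From domain is the record's domain or a sub-domain, and apply pct= sampling as RFC 7489 s6.6.4 describes. The record and domains are constructed, and the organizational-domain check is simplified to the last two labels where a real verifier uses the Public Suffix List.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a tag dict, filling in the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags["sp"] = tags["sp"] or tags["p"]          # sp= defaults to the domain policy
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real checks use the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if auth_domain is None:                       # that mechanism did not return pass
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, record_domain, from_domain, spf_pass_domain, dkim_pass_domain, roll=0):
    """Apply one DMARC record to one message and return (dmarc result, action).
    spf_pass_domain: envelope-from domain if SPF returned pass, else None.
    dkim_pass_domain: d= of a DKIM signature that verified, else None.
    roll: 0-99 sample drawn for pct= (random in production, fixed here for reproducibility)."""
    t = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, t["aspf"]) or aligned(from_domain, dkim_pass_domain, t["adkim"]):
        return "pass", "none"                     # one aligned, passing mechanism is enough
    policy = t["p"] if from_domain.lower() == record_domain.lower() else t["sp"]
    if roll >= int(t["pct"]):                     # unsampled messages get the next less severe policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy

# Constructed record: strict DKIM alignment, relaxed SPF alignment, half the failures enforced.
REC = "v=DMARC1; p=reject; sp=quarantine; pct=50; aspf=r; adkim=s; rua=mailto:dmarc@example.com"
```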
132. How to start your own?
- Deploy SPF & DKIM
- Publish a DMARC record with the “none” flag set for the policies (monitor mode)
- Analyze the data and modify your DMARC policy from “none” to “quarantine” to “reject”