The document discusses the importance of combating email spam, focusing on email authentication methods like SPF, DKIM, and DMARC to enhance security and trust. It explains how these protocols work and their configuration, providing examples and potential outcomes of their implementation. Additionally, the text highlights the consequences of phishing and other email-related threats, and offers insights on how to improve email delivery and prevent forgery.

1. Join the fight
Against email spam!
1

2. Why would we this?
4 People waste their time sorting SPAM
4 Lost money by phishing emails
4 banks, creditcards, invoices
4 No trust in their real message
4 Google force you to do!
2

3. Safer Internet Day
February 9, 2016
3

4. 4

5. 5

6. 6

7. Who is sending emails
from there applications?
7

8. Who is running
his own emailserver?
8

9. Who is in charge
of the DNS-records?
9

10. Who recognize
this situation?
10

11. My email
to bob@example.com
has not arrived.
1
Our client(s)
11

12. My email has not arrived..
Lots of reasons
4 The code doesn't send the email
4 The server IP-adres is on the (RBL) blacklist
4 The receiver server doesn't trust your IP-adres
4 The content is marked as SPAM
4 The email policy is not configured or not optimal
12

13. My email has not arrived..
What can we do about it?
4 Check the function of the script
4 Check the server IP-adres on the (RBL) blacklist
4 Submit for removal
4 Checking the email policies [SPF/DKIM]
4 Using email services providers
13

14. How we did it the old days
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= maillinglist@domain.com H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no
S=21778 id=384a86a39e83be0d9b3a94d1feb3119f@domain.com T="Daily Science Maillinglist: Chameleon" from for user@example.com
2016-04-01 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
2016-04-01 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s
14

15. Email service providers
15

16. 16

17. 17

18. 18

19. 19

20. 20

21. 21

22. 22

23. Email authentication
23

24. Email authentication
1. SPF
2. DKIM
3. DMARC
24

25. SPF
25

26. SPF
Sender Policy Framework
26

27. SPF
4 Created in 2003
4 Which mail servers are used to send mail from your
domain
4 Publish an SPF record in our DNS records
4 Technical method to prevent sender address forgery
27

28. SPF
This technology requires two sides to play together
1. The domain owner, publishing an SPF record
2. The receiving server, checking for domain SPF
records
28

29. SPF
If the message comes from an unknown server, it can be
considered as fake and could be rejected.
29

30. SPF record - JCID
Let's look at an example
jcid.nl. TXT "v=spf1
include:spf.jcid.nl
include:_spf.google.com
include:spf.mandrillapp.com
include:_spf.exactonline.nl
-all"
30

31. SPF record - Emmen PHP
The parts of the SPF record mean the following:
emmenphp.nl. TXT "v=spf1
ip4:37.247.42.172
~all"
4 v=spf1
4 a
4 37.247.42.172
4 ~all
31

32. SPF mechanisms
32

33. SPF mechanisms
4 Domains define zero or more mechanisms.
33

34. SPF mechanisms
all | ip4 | ip6 | a | mx | ptr | exists | include
34

35. SPF mechanisms
Mechanisms can be prefixed with one of four qualifiers:
"+" Pass
"-" Fail
"~" SoftFail
"?" Neutral
35

36. SPF mechanisms
The default qualifier
"+", i.e. "Pass".
36

37. SPF - The "ip4" & "ip6" mechanism
ip4:<ip4-address>
ip4:<ip4-network>/<prefix-length>
ip6:<ip6-address>
ip6:<ip6-network>/<prefix-length>
37

38. SPF - The "ip4" & "ip6" mechanism
"v=spf1 ip4:192.168.0.1/16 -all"
Allow any IP address between 192.168.0.1 and 192.168.255.255.
"v=spf1 ip6:1080::8:800:200C:417A/96 -all"
Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.
38

39. SPF - The "a" & "mx" mechanism
a
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>
mx
mx/<prefix-length>
mx:<domain>
mx:<domain>/<prefix-length>
39

40. SPF - The "include" mechanism
include:<domain>
Example
include:spf.mandrillapp.com
40

41. SPF - The "include" mechanism
Exact Online Example
ip4:xxx.xxx.xxx.xxx ip4:yyy.yyy.yyy.yyy ip4:zzz.zzz.zzz.zzz
41

42. SPF mechanisms
The default qualifier
"+", i.e. "Pass".
42

43. SPF record - The "all" mechanism
emmenphp.nl. TXT "v=spf1
ip4:37.247.42.172
~all"
43

44. SPF -all
44

45. SPF -all
Stopping email forgery
45

46. SPF stats - All domains
SPF -all, 1 November 2016
SPF -all - Stats.
46

47. SPF stats - Domains with SPF record
SPF -all, 1 November 2016
SPF -all - Stats.
47

48. SPF - The "all" mechanism
"v=spf1 mx -all"
48

49. SPF - The "all" mechanism
"v=spf1 -all"
49

50. SPF - The "all" mechanism
"v=spf1 +all"
50

51. SPF results
51

52. SPF results
An SPF record can return any of these results:
1. Pass
------------
2. Fail
3. SoftFail
------------
4. Neutral
5. None
------------
6. PermError
7. TempError
52

53. 53

54. SPF result
1 - Pass (accept)
Received-SPF: pass (bob.example.org: domain of
alice@example.com
designates 192.0.2.1 as permitted sender)
receiver=bob.example.org; client_ip=192.0.2.1;
envelope-from=alice@example.com;
helo=mailout00.controlledmail.com;
54

55. SPF result - Receiver
Received-SPF: pass (bob.example.org: domain of alice@example.com
designates 192.0.2.1 as permitted sender)
receiver=bob.example.org; client_ip=192.0.2.1;
envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
receiver=bob.example.org
the host name of the SPF client
55

56. SPF result
Received-SPF: pass (bob.example.org: domain of alice@example.com
designates 192.0.2.1 as permitted sender)
receiver=bob.example.org; client_ip=192.0.2.1;
envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
client_ip=192.0.2.1;
the IP address of the SMTP client
56

57. SPF result
Received-SPF: pass (bob.example.org: domain of alice@example.com
designates 192.0.2.1 as permitted sender)
receiver=bob.example.org; client_ip=192.0.2.1;
envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
envelope-from=alice@example.com;
the envelope sender mailbox
57

58. SPF result
Received-SPF: pass (bob.example.org: domain of alice@example.com
designates 192.0.2.1 as permitted sender)
receiver=bob.example.org; client_ip=192.0.2.1;
envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
helo
the host name given in the HELO or EHLO command
58

59. SPF result
2 - Fail (reject)
Received-SPF: fail (bob.example.org: domain of alice@example.com does
not designate 192.0.2.1 as permitted sender)
3 - SoftFail (accept but marked)
Received-SPF: softfail (bob.example.org: domain of transitioning
alice@example.com does not designate 192.0.2.1 as permitted
sender)
59

60. SPF result
4 - Neutral (accept)
Received-SPF: neutral (bob.example.org: 192.0.2.1 is neither permitted
nor denied by domain of alice@example.com)
5 - None (accept)
Received-SPF: none (bob.example.org: domain of alice@example.com does
not designate permitted sender hosts)
60

61. SPF result
6 - PermError (unspecified)
Received-SPF: permerror -extension:foo (bob.example.org: domain of
alice@example.com uses mechanism not recognized by this client)
7 - TempError (accept or reject)
Received-SPF: temperror (bob.example.org: error in processing during
lookup of alice@example.com: DNS timeout)
61

62. Recap
62

63. 63

64. DKIM
64

65. DKIM
DomainKey Identified Mail
65

66. DKIM
Digital signature
66

67. Why DKIM?
DKIM is an important authentication mechanism
67

68. DKIM
4 Email receivers
4 Phishing emails (banks, creditcard, invoices)
4 Email senders
4 No trust in their real message
68

69. DKIM
Two proposals took shape, 2005
1. Yahoo’s DomainKeys
2. Cisco’s Identified Internet Mail
69

70. DKIM
Both proposals were based in the use of
“ Public Key Cryptography ”
70

71. DKIM
Mid 2005, the IETF (Internet Engineering Task Force),
submitted the draft “ DomainKeys Identified Mail —
DKIM ” specification.
71

72. How does DKIM work?
72

73. How does DKIM work?
1. Author wishes to send an email to a recipient
2. They (their mailing software) calculate a crypto signature
4 that covers the relevant parts of the message using the Private Key.
3. The signature is placed in the email header
4 and the message is then sent normally by the mail server.
4. At any point in travel the signature is validated using the public key.
5. If any part of the message covered by the signature was manipulated
4 the signature won’t validate and the recipient will be alerted.
73

74. How does DKIM work?
4 Public Key Cryptography like SSH
4 Private key v.s. Public key
4 DKIM uses DNS to publish the Public Keys
74

75. 75

76. DKIM header
DKIM-Signature: v=1;
a=rsa-sha256;
c=simple/relaxed;
d=jcid.nl;
s=mandrill;
t=1399817581;
bh=Pl25…dcMqN+E=;
h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;
b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=
76

77. DKIM header - Version
v=1
This indicates the DKIM version in use.
77

78. DKIM header - Algorithm
a=rsa-sha256
The algorithm suite that was used to generate the
crypto signature.
Current two specification defines
4 rsa-sha1
4 rsa-sha256
78

79. DKIM header - Canonicalization
c=simple/relaxed
Note that the c= fragment defines two algorithms.
79

80. DKIM header - Domain
d=jcid.nl
80

81. DKIM header - Selector
s=mandrill
81

82. DKIM header - Selector
txt:mandrill._domainkey.jcid.nl
v=DKIM1;
k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ
/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt
7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfN
dynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB
82

83. DKIM header - Timestamp
t=1399817581
83

84. DKIM header - Body part
bh=Pl25…dcMqN+E=
84

85. DKIM header - Header list
h=Message-ID:Date:Subject:From:...
85

86. DKIM header - Data
b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=
4 The crypto signature data itself, encoded in Base64
and possibly with whitespace inserted to conform to
line length limitations.
86

87. DKIM results
The possible results for your DKIM test are:
1. Pass
2. Fail
3. None
4. Policy
5. Neutral
6. TempError
7. PermError
87

88. DKIM results - Pass
The message was signed, the signature or signatures
were acceptable, and the signature(s) passed
verification tests.
88

89. DKIM results - Fail
The message was signed and the signature or
signatures were acceptable, but they failed the
verification test(s).
89

90. DKIM results - None
The message was not signed
90

91. DKIM results - Policy
The message was signed but the signature or signatures
were not acceptable.
91

92. DKIM results - Neutral
The message was signed but the signature or signatures
contained syntax errors or were not otherwise able to
be processed.
92

93. DKIM results - Temperror
The message could not be verified due to some error
that is likely transient in nature, such as a temporary
inability to retrieve a public key. A later attempt may
produce a final result.
93

94. DKIM results - Permerror
The message could not be verified due to some error
that is unrecoverable, such as a required header field
being absent. A later attempt is unlikely to produce a
final result.
94

95. MoneyBird - SPAM
95

96. MoneyBird - Inbox
96

97. Cal Evans
97

98. Recap
98

99. 99

100. DMARC
100

101. DMARC
Domain-based Message Authentication,
Reporting & Conformance
101

102. DMARC
4 Created in 2007 by PayPal, and Yahoo!
4 Later Gmail joined
102

103. What is DMARC
103

104. What is DMARC
Remove the guesswork
104

105. What is DMARC
Report back to the sender
105

106. 106

107. DMARC record - JCID
Let's look at an example
_dmarc TXT "v=DMARC1;
p=none;
pct=100;
rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com;
sp=none;
aspf=r;"
107

108. DMARC record - Version
v=DMARC1
This indicates the DMARC version in use.
108

109. DMARC record - Percentage
pct=100
Percentage of messages subjected to filtering
109

110. DMARC record - Aggregate report
rua=mailto:aggregate-report@example.com
Reporting URI of aggregate reports
110

111. DMARC record - Failure Reports
ruf=mailto:failure-reports@example.com
Reporting URI for forensic reports
111

112. DMARC record - Policy
p=none
Policy for domain
4 none
4 quarantine
4 reject
112

113. DMARC record - Sub-domain Policy
sp=none
Sub-domain Policy
113

114. DMARC record - Alignment
adkim=s
Alignment mode for DKIM
- r = relaxed (default)
- s = strict mode
114

115. DMARC record - Alignment
aspf=r
Alignment mode for SPF
- r = relaxed (default)
- s = strict mode
115

116. Recap
116

117. 117

118. DMARC
Aggregate report
118

119. DMARC
ZIP file
google.com!jcid.nl!1455062400!1455148799.zip
with XML aggregate report
google.com!jcid.nl!1455062400!1455148799.xml
119

120. DMARC report
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>4151131448954607551</report_id>
<date_range>
<begin>1455062400</begin>
<end>1455148799</end>
</date_range>
</report_metadata>
<policy_published>
<domain>jcid.nl</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>31.3.97.173</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.prod.jcid.nl</header_from>
</identifiers>
<auth_results>
<spf>
<domain>example.prod.jcid.nl</domain>
<result>none</result>
</spf>
</auth_results>
</record>
</feedback>
120

121. DMARC report
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>4151131448954607551</report_id>
<date_range>
<begin>1455062400</begin>
<end>1455148799</end>
</date_range>
</report_metadata>
</feedback>
121

122. DMARC report
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<policy_published>
<domain>jcid.nl</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
</feedback>
122

123. DMARC report
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<record>
<row>
<source_ip>31.3.97.173</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.prod.jcid.nl</header_from>
</identifiers>
<auth_results>
<spf>
<domain>example.prod.jcid.nl</domain>
<result>none</result>
</spf>
</auth_results>
</record>
</feedback>
123

124. DMARC report
I'm in control
124

125. DMARC - Tools
1. Postmark App
2. Dmarcian
125

126. Postmark DMARC monitor
126

127. 127

128. Dmarcian
128

129. 129

130. Overview DNS records JCID
SPF
@ TXT v=spf1 include:spf.jcid.nl include:_spf.google.com include:spf.mandrillapp.com include:_spf.exactonline.nl -all
DKIM
google._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+w63i8quIsOR09AfNup5pyt/jsSmKo/iQnOkT8EI1LOn6daR1GqR+5...
mandrill._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8N...
DMARC
_dmarc TXT v=DMARC1; p=none; pct=100; rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com; sp=none; aspf=r;
130

131. How to start your own?
4 Deploy SPF & DKIM
4 Publish a DMARC record with the “none” flag set for
the policies (monitor mode)
4 Analyze the data and modify your DMARC policy
4 from “none” to “quarantine” to “reject”
131

132. Any questions
About the theory?
132

133. MXToolbox
133

134. 134

135. 135

136. 136

137. 137

138. Delivered-To: jeffrey@jcid.nl
Received: by 10.194.157.102 with SMTP id wl6csp186952wjb;
Fri, 26 Aug 2016 02:33:43 -0700 (PDT)
X-Received: by 10.55.120.195 with SMTP id t186mr2016594qkc.118.1472204023376;
Fri, 26 Aug 2016 02:33:43 -0700 (PDT)
Return-Path: <martynminnis@gmail.com>
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com. [2607:f8b0:400d:c0d::22a])
by mx.google.com with ESMTPS id u126si7830854qkf.92.2016.08.26.02.33.43
for <jeffrey@jcid.nl>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Fri, 26 Aug 2016 02:33:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of martynminnis@gmail.com designates 2607:f8b0:400d:c0d::22a as permitted sender) client-ip=2607:f8b0:400d:c0d::22a;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com;
spf=pass (google.com: domain of martynminnis@gmail.com designates 2607:f8b0:400d:c0d::22a as permitted sender) smtp.mailfrom=martynminnis@gmail.com;
dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-qt0-x22a.google.com with SMTP id u25so35076163qtb.1
for <jeffrey@jcid.nl>; Fri, 26 Aug 2016 02:33:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:from:date:message-id:subject:to;
bh=Kq6G9vieA14XMBGjPWOQiNs68KLd8OmUbmtlbrM4Oqk=;
b=w8wBPP18htjzrPTh82kQttpVKLoEbgCTkMuBkhAzwHmOJIrDv4FwXonYO7ERv0fOg9
t2A0Kia+9NISRHS5X8HTUdJz50PE7YMOE0le34QZ320cjbdb1AYcFE4VJ+499XJ9nVEg
OodIcjlqtPTUwhnF+RJc8D7O8Rfr3ZhBBB9d7cdCtVxpljB+nNEErbWyRYREHEK0hczd
Rf2b1FG2N1iKiXV0DuSF/rjnxHcQAhxRojiYuRkuKPYHADcQezwJVbLPbYjmYNrEaLlD
OZeOiov5co25DZs9Lf6HfEQ0qWVgmzt9jDJaBTzzpweWjMpS7L5cDAgfiH4zuXCLt8CZ
IZ3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=Kq6G9vieA14XMBGjPWOQiNs68KLd8OmUbmtlbrM4Oqk=;
b=VnjcGHkQIBznyNC9OhUhs9OJj9qhS8WdQ9zK2dqQiVyZ6/rC28SWeV5XNr1iQT/FNp
qyTaunNDplNrVrlnkl+NSxWiGNH10se5nVVbJ7ArSSAkoGRQwo+CfxoIbwU9CVVeNNpL
l01B5DFSeom7pL9lUpr7n6trxKg11vUXbIAp/DYbhRTc0LBU4VI8T4w+PBKdnV2Hvzai
oRUIrz9f/ykGV4bmpktOAFhKCZoYpL3tKJ65BpV/f9bp/aOFTx0azHUjZ31GtfS7z2Mc
DmWdfoLtkcriTnpDPCHxzKrLkS/dyN9hCFSYfyBwe6SgnvUqzKmYRME2jDf5pcGdHtDd
dJmw==
X-Gm-Message-State: AE9vXwOuiQZPoxCvQafsQevD9jy8ypQcaPZipkQnyeANw4f5dVvaU4jmBXgj1S6YxNvjp9jmDRESpEEq+Qscwg==
X-Received: by 10.200.43.105 with SMTP id 38mr2091543qtv.73.1472204022848; Fri, 26 Aug 2016 02:33:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.237.43.163 with HTTP; Fri, 26 Aug 2016 02:33:42 -0700 (PDT)
From: Martijn Minnis <martynminnis@gmail.com>
Date: Fri, 26 Aug 2016 11:33:42 +0200
Message-ID: <CABe801A=t8StMzGqpWcut8uWAbfnopVP63nDi5g+Nq7n0cTz3A@mail.gmail.com>
Subject: EmmenPHP - looking for speakers
To: jeffrey@jcid.nl
Content-Type: multipart/alternative; boundary=001a113d00a6d1a568053af6359c
138

139. 139

140. 140

141. Mail tester
141

142. 142

143. 143

144. The practice
Domains from the audience
144

145. Thank you!
145

146. Jeffrey Cafferata
Twitter handle: @jcid
146

147. SPF and email forwarding
4 SRS: Sender Rewriting Scheme
147

148. Diff SPF / Sender ID
148

149. Diff DKIM / Identified Internet Mail
Yahoo’s DomainKeys and Cisco’s Identified Internet Mail
149

150. Bronnen
150

151. Google, 9th February 2016
Google Security - Internet-wide efforts to fight email phishing are working.
By Elie Bursztein, Gmail anti-abuse research lead and Vijay Eranti, Gmail anti-abuse technical lead
151