Presented at Social Connections 13 in Philadelphia April 2018.
DMARC is an SMTP security standard increasingly requested by customers to protect against email spoofing. It uses a combination of SPF (Sender Policy Framework) records and DKIM (DomainKeys Identified Mail). Using DMARC you publicly specify how your outbound mail is sent, and the receiving server verifies that the mail it receives matches your requirements. In this session we’ll discuss DMARC deployments and what to do if your mail server (like IBM Domino or SmartCloud) does not yet support DKIM.
An Introduction To The DMARC SMTP Validation Requirements
1. Social Connections 13, Philadelphia, April 26-27 2018
Understanding DMARC
Gabriella Davis - IBM Lifetime Champion for Social Business
Technical Director
The Turtle Partnership
2. Gab Davis
• Admin of all things and especially quite complicated things where the fun is
• Working with the design, deployment and security of IBM technologies within global infrastructures
• Working with the real world security and privacy aspects of expanding data ecosystems
• Stubborn and relentless problem solver
• http://turtleblog.info
• https://www.turtlepartnership.com
• IBM Lifetime Champion
5. Relaying
• Using Your Servers
• Routing mail through “good” servers that are owned by a company gives “bad” mail validity
• Properly configured servers stop that happening
• It takes only a few poorly configured servers to successfully route millions of emails
• This is an administrative problem, not a user problem
• It doesn’t hurt your users who don’t receive the mail
• It does cause bottlenecks on your servers trying to send mail
• Receiving hosts are often designed to check that the claimed sending domain matches the address header
• It can result in your servers being blacklisted and not being able to send mail
6. Blacklists
(Diagram)
• My SMTP host, listening on port 25/465 for any SMTP mail, not just mail for my domain: turtleweb.com
• Spam generating server, domain: fakemail.com, scans for any open listening host which will accept mail not for its own domain
• Domain being spammed, domain: rivers.com
• Carries the return_path in the message header
7. Preventing and Protecting Against Relaying
• Lock down servers to only accept mail for your own domains
• Use an edge service to verify valid domains
• Use SPF records
• These define the identities of servers sending mail from your domains
• Receiving servers can check if the domain in the message header has an SPF record for the connecting server
• Many receiving domains and servers do not accept mail without SPF validation now
• SPF records are no longer enough
8. SPF
(Diagram)
• gab@turtleweb.com creates email to tim@gmail.com
• turtleweb.com SMTP server, ip: mail.turtleinfo.net
• gmail.com SMTP listener
• turtleweb.com DNS record, SPF entry:
turtleweb.com. IN TXT "v=spf1 mx a ip4:79.99.66.142 a:mail.turtleinfo.net"
• gmail checks the SPF record in DNS to verify whether the sending server is approved
9. Phishing
• Phishing - collecting personal information voluntarily from the user
• Phishing scams can use spoofing techniques in order to seem more genuine to the user
• Over 30% of phishing emails are opened
• Phishing can often be combined with spoofing to give the request more authenticity, but the goal is to gather information
• The goal of spoofing is usually to deliver a malicious payload
• Preventing phishing should simply be a case of user awareness
10. Why Don’t These Techniques Work?
• Technical solutions do work if deployed rigidly, however:
• Mail systems are often complex
• If I want a user to send mail via my SMTP server, I can’t relay check
• The risk of rejecting valid mail is greater than the risk of accepting fraudulent mail
• People I want to receive email from often haven’t set up their own SPF records
11. User Training Isn’t Enough
• Phishing increasingly relies on sophisticated social engineering designed to win trust
• Users are aware of risk so the mails have become more sophisticated
• The iOS problem
• Verbal verification is not always possible
• We need better ways of validating the source of mail before it reaches the user and becomes their responsibility
12. Content Filtering
• Edge services specifically designed to check content
• Estimates put the proportion of spam at around 90% of received mail
• Filtering has moved from checking for certain words or phrases to checking message structure
• It didn’t take long for spammers to work out how to fool word filters
14. DMARC
• Domain-based Message Authentication, Reporting and Conformance
• Created by Google, PayPal, Microsoft and Yahoo
• A combination of processes and policies that provide both validation of messages and reporting of fraudulent attempts
• These include SPF, content scanning, and DKIM
• DMARC policies tell the receiver what to do with non-validated messages, resulting in useful data returned to the sender
15. SPF (the diagram from slide 8, shown again)
16. DKIM - DomainKeys Identified Mail (simplified)
• A public/private key pair used to process every sent message
• DKIM assures the receiving server that the message is valid and has not been tampered with
(Diagram)
• turtleweb.com sending server creates a hash using its private key, containing both my sending address and the subject, and attaches it to the message header before sending an email to tim@gmail.com
• turtleweb.com's DNS record contains the public key used by mail.turtleweb.com to encrypt “sender and subject”
• gmail.com receiving server decrypts the hash using the public key to verify it is both correct and unchanged before delivering the mail to tim
17. DMARC Policies
• Faked mail appears and disappears, often without the genuine domain owner knowing
• Most systems just bounce, delete or quarantine the messages
• Without knowing the scale of faked mail, or even that someone is impersonating my company, how can I stop it?
• DMARC configuration has two parts
• Telling the receiving server what to do with non-genuine mail
• Telling the receiving server where to send summary reports of non-genuine mail
• DMARC deployed correctly allows us to both pre-emptively manage faked mail and have visibility of its existence
19. Constructing SPF Records
• Several sites help you construct your SPF records, including
• spfwizard.net and mxtoolbox.com
• If you are unsure of the syntax, use one of these sites
• Mail failing an SPF check is then tagged
• Fail - resulting in non delivery
• Softfail - increased likelihood of being tagged as spam
• Neutral - ignore failure
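To show how a receiving server walks the record from slide 8 and arrives at the Fail, Softfail and Neutral outcomes listed above, here is a small SPF evaluator in Go. It is an added example, not code from the presentation or from The Turtle Partnership: the A, MX and TXT records in it are constructed stand-ins for DNS (assumptions, not the live turtleweb.com zone), and it handles only the ip4, a, mx and all mechanisms, not include, redirect or macros. One caveat it makes visible: the record exactly as written on slide 8 ends without an all term, so a connecting server that matches nothing gets neutral, not fail; appending -all or ~all is what produces the Fail and Softfail results above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed DNS data standing in for live lookups (assumption: these
// records are illustrative, not the real turtleweb.com zone).
var txtRecords = map[string]string{
	"turtleweb.com":         "v=spf1 mx a ip4:79.99.66.142 a:mail.turtleinfo.net -all",
	"turtleinfo.net":        "v=spf1 a:mail.turtleinfo.net ~all",
	"turtlepartnership.com": "v=spf1 mx a ip4:79.99.66.142 a:mail.turtleinfo.net", // no "all" term, as on the slide
}
var aRecords = map[string][]string{
	"turtleweb.com":       {"79.99.66.140"},
	"mail.turtleinfo.net": {"79.99.66.142"},
	"mx1.turtleweb.com":   {"203.0.113.10"},
}
var mxRecords = map[string][]string{
	"turtleweb.com": {"mx1.turtleweb.com"},
}

// qualifierResult maps a mechanism's qualifier prefix to the result produced
// when that mechanism matches the connecting IP (RFC 7208, section 4.6.2).
func qualifierResult(q byte) string {
	switch q {
	case '-':
		return "fail"
	case '~':
		return "softfail"
	case '?':
		return "neutral"
	}
	return "pass" // "+" or no prefix
}

// hostMatches reports whether one of host's A records is the connecting IP.
func hostMatches(host string, ip net.IP) bool {
	for _, a := range aRecords[host] {
		if ip.Equal(net.ParseIP(a)) {
			return true
		}
	}
	return false
}

// ipMatches handles an ip4 argument given either as a single address or a CIDR block.
func ipMatches(arg string, ip net.IP) bool {
	if strings.Contains(arg, "/") {
		_, network, err := net.ParseCIDR(arg)
		return err == nil && network.Contains(ip)
	}
	return ip.Equal(net.ParseIP(arg))
}

// CheckSPF evaluates the SPF record of domain against the IP that connected
// to the receiver. Mechanisms handled: all, ip4, a[:domain], mx[:domain].
func CheckSPF(domain, clientIP string) string {
	record, ok := txtRecords[domain]
	if !ok || !strings.HasPrefix(record, "v=spf1") {
		return "none" // the sender has published no SPF record
	}
	ip := net.ParseIP(clientIP)
	for _, term := range strings.Fields(record)[1:] {
		qual := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			qual, term = term[0], term[1:]
		}
		parts := strings.SplitN(term, ":", 2)
		name, target := parts[0], domain // "a" and "mx" default to the record's own domain
		if len(parts) == 2 {
			target = parts[1]
		}
		matched := false
		switch name {
		case "all":
			matched = true
		case "ip4":
			matched = ipMatches(target, ip)
		case "a":
			matched = hostMatches(target, ip)
		case "mx":
			for _, mx := range mxRecords[target] {
				matched = matched || hostMatches(mx, ip)
			}
		}
		if matched {
			return qualifierResult(qual) // first matching mechanism decides
		}
	}
	return "neutral" // record exhausted with no "all" term: the RFC 7208 default
}

func main() {
	for _, ip := range []string{"79.99.66.142", "203.0.113.10", "198.51.100.7"} {
		fmt.Printf("turtleweb.com from %s: %s\n", ip, CheckSPF("turtleweb.com", ip))
	}
}
```

Running it shows the mail server IP and the MX host passing and an unknown address failing for turtleweb.com, softfailing for the ~all record and coming back neutral for the record that has no all term at all.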
20. Deploying DKIM
• The sending mail server must support DKIM encryption
• If it doesn’t then you will either have to install a DKIM custom package or route mail through a server that does support it
• http://dkim.org/deploy/index.html
• The inbound server must support DKIM decryption
• Most edge mail services do
• Use OpenSSL or a site such as
• https://www.socketlabs.com/domainkey-dkim-generation-wizard
• https://www.port25.com/dkim-wizard
• Store the generated public key in a TXT record in your domain
• Configure the DKIM package or enabled server to use the private key
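The deployment steps on this slide and the sending/receiving flow on slide 16 (generate a key pair, publish the public key in a selector._domainkey TXT record, sign with the private key on the sending server, verify with the DNS-published key on the receiving server) as one runnable Go program. It is an added example, not code from the presentation, from Domino or from any DKIM package: DNS is replaced by an in-memory map, the header canonicalization is a simplified form of the RFC 6376 relaxed algorithm, and the selector name sc13, the key size and the sample message are constructed assumptions. It also shows the point of slide 16: a Subject altered after signing no longer verifies, because the signature covers the listed headers and the body hash.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a minimal mail: ordered header name/value pairs plus a body.
type Message struct {
	Headers [][2]string
	Body    string
}

// dnsTXT is a constructed stand-in for the turtleweb.com zone (assumption: no live DNS).
var dnsTXT = map[string]string{}

// PublishKey generates an RSA key pair and publishes the public half as the
// <selector>._domainkey.<domain> TXT record; the private key stays on the server.
func PublishKey(selector, domain string) *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	dnsTXT[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return key
}

// header returns the first header with the given (case-insensitive) name.
func header(m Message, name string) string {
	for _, h := range m.Headers {
		if strings.EqualFold(h[0], name) {
			return h[1]
		}
	}
	return ""
}

// bodyHash is the bh= tag: base64 of SHA-256 over the body.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedDigest hashes the covered headers (lower-cased name, trimmed value) and
// the DKIM-Signature header itself with an empty b= tag, as RFC 6376 prescribes.
func signedDigest(m Message, covered []string, sigPrefix string) []byte {
	var sb strings.Builder
	for _, h := range covered {
		sb.WriteString(strings.ToLower(h) + ":" + strings.TrimSpace(header(m, h)) + "\r\n")
	}
	sb.WriteString("dkim-signature:" + sigPrefix)
	d := sha256.Sum256([]byte(sb.String()))
	return d[:]
}

// Sign prepends a DKIM-Signature header covering From, Subject, Date and the body hash.
func Sign(m *Message, key *rsa.PrivateKey, domain, selector string) {
	covered := []string{"From", "Subject", "Date"}
	prefix := fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(covered, ":"), bodyHash(m.Body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, signedDigest(*m, covered, prefix))
	if err != nil { panic(err) }
	m.Headers = append([][2]string{{"DKIM-Signature", prefix + base64.StdEncoding.EncodeToString(sig)}}, m.Headers...)
}

// Verify does the receiving server's job: read selector and domain from the
// signature, fetch the public key from DNS, and check body hash and signature.
func Verify(m Message) bool {
	raw := header(m, "DKIM-Signature")
	tags := map[string]string{}
	for _, kv := range strings.Split(raw, ";") {
		if p := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(p) == 2 {
			tags[p[0]] = p[1]
		}
	}
	txt := dnsTXT[tags["s"]+"._domainkey."+tags["d"]]
	if tags["bh"] != bodyHash(m.Body) || !strings.Contains(txt, "p=") || !strings.Contains(raw, " b=") {
		return false // body altered, or no key published for this selector
	}
	der, _ := base64.StdEncoding.DecodeString(txt[strings.Index(txt, "p=")+2:])
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil { return false }
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])
	prefix := raw[:strings.Index(raw, " b=")+3] // everything up to and including "b="
	digest := signedDigest(m, strings.Split(tags["h"], ":"), prefix)
	return rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, digest, sig) == nil
}

// Demo signs one constructed message and reports whether the genuine copy verifies
// and whether a copy whose Subject was changed in transit is rejected.
func Demo() (genuine, tampered bool) {
	key := PublishKey("sc13", "turtleweb.com")
	m := Message{Headers: [][2]string{{"From", "gab@turtleweb.com"}, {"To", "tim@gmail.com"},
		{"Subject", "Slides from Social Connections 13"}, {"Date", "Thu, 26 Apr 2018 10:00:00 +0000"}},
		Body: "See attached.\r\n"}
	Sign(&m, key, "turtleweb.com", "sc13")
	forged := Message{Headers: append([][2]string{}, m.Headers...), Body: m.Body}
	forged.Headers[3] = [2]string{"Subject", "Changed in transit"} // index 3 is Subject once the signature is prepended
	return Verify(m), Verify(forged)
}

func main() {
	g, t := Demo()
	fmt.Printf("genuine verifies: %v, tampered verifies: %v\n", g, t)
}
```

Note that Verify never needs the private key: everything it uses comes from the message and from the TXT record, which is why a relay that signs on Domino's behalf (slide 23) only has to hold the private key, and the receiving edge service only has to be able to read DNS.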
21. DMARC Planning
• Enabling DMARC takes a significant amount of planning and testing
• The point of DMARC is to tell receiving servers to reject, delete or deliver your mail
• Configured incorrectly it can result in all your sent mail disappearing
• Start with test domains!
• Start with reporting-only policies
• Ensure you have an email address / mailbox configured for the DMARC reports
• These will tell you if someone is sending mail as your domain that doesn’t meet your SPF and DKIM settings
22. DMARC Deployment
• Use a DMARC wizard such as https://mxtoolbox.com/DMARCRecordGenerator.aspx or https://www.unlocktheinbox.com/dmarcwizard/ to review your options and create the right syntax
• DMARC questions include:
• How do you want mail that fails DMARC to be treated by the recipient?
• Where do you want your aggregate reports sent to?
• Do you want forensic (individual) reports generated on specific failures such as SPF or DKIM?
• Zone file TXT entry
"v=DMARC1; p=none; sp=none; rua=mailto:dmarcreport@turtleweb.com; ruf=mailto:dmarcanalysis@turtleweb.com; rf=afrf; pct=100; ri=86400"
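What a receiver does with the zone file entry above, and how the two parts of a DMARC configuration from slide 17 (the action on non-genuine mail, and where reports go) appear in it, as a Go program that parses the record and decides a message's disposition. This is an added example, not code from the presentation or from any DMARC wizard or receiver. Assumptions: the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List), pct sampling and report generation are left out, and the authentication results fed in are constructed. The forwarded-mail case in the usage note is why DKIM matters alongside SPF: SPF fails once mail passes through a relay, but an aligned DKIM signature still satisfies DMARC.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Policy holds the tags of a "v=DMARC1; ..." record that a receiver acts on.
type Policy struct {
	Action, SubdomainAction   string // p= and sp=: none, quarantine or reject
	AggregateURI, ForensicURI string // rua= and ruf= report destinations
	Percent                   int    // pct=: share of failing mail the policy applies to
	ASPF, ADKIM               string // alignment mode: "r" relaxed (default) or "s" strict
}

// ParsePolicy parses the TXT record found at _dmarc.<domain>.
func ParsePolicy(txt string) (Policy, error) {
	p := Policy{Percent: 100, ASPF: "r", ADKIM: "r"}
	tags := map[string]string{}
	for _, kv := range strings.Split(txt, ";") {
		if kv = strings.TrimSpace(kv); kv != "" {
			parts := strings.SplitN(kv, "=", 2)
			if len(parts) != 2 {
				return p, fmt.Errorf("malformed tag %q", kv)
			}
			tags[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
		}
	}
	if tags["v"] != "DMARC1" {
		return p, fmt.Errorf("record must start with v=DMARC1")
	}
	switch tags["p"] {
	case "none", "quarantine", "reject":
		p.Action = tags["p"]
	default:
		return p, fmt.Errorf("p must be none, quarantine or reject, got %q", tags["p"])
	}
	p.SubdomainAction = p.Action // sp= defaults to p=
	if sp, ok := tags["sp"]; ok {
		p.SubdomainAction = sp
	}
	p.AggregateURI, p.ForensicURI = tags["rua"], tags["ruf"]
	if pct, ok := tags["pct"]; ok {
		n, err := strconv.Atoi(pct)
		if err != nil || n < 0 || n > 100 {
			return p, fmt.Errorf("pct must be 0-100")
		}
		p.Percent = n
	}
	if v, ok := tags["aspf"]; ok {
		p.ASPF = v
	}
	if v, ok := tags["adkim"]; ok {
		p.ADKIM = v
	}
	return p, nil
}

// orgDomain approximates the organizational domain as the last two labels
// (assumption for this example; real receivers consult the Public Suffix List).
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned reports whether the domain an SPF or DKIM pass was obtained for
// lines up with the From: domain the user actually sees.
func aligned(fromDomain, authDomain, mode string) bool {
	if authDomain == "" {
		return false
	}
	if mode == "s" {
		return strings.EqualFold(fromDomain, authDomain)
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}

// AuthResult is what the receiver learned from its own SPF and DKIM checks.
type AuthResult struct {
	FromDomain string // domain in the visible From: header
	SPFResult  string // "pass", "fail", "softfail", "neutral" or "none"
	SPFDomain  string // MAIL FROM (return-path) domain SPF was evaluated for
	DKIMResult string // "pass", "fail" or "none"
	DKIMDomain string // d= tag of the verified signature
}

// Disposition returns "pass" when at least one aligned check passes; otherwise
// the action the domain owner asked for (pct sampling is left to the caller).
func Disposition(p Policy, r AuthResult) string {
	spfOK := r.SPFResult == "pass" && aligned(r.FromDomain, r.SPFDomain, p.ASPF)
	dkimOK := r.DKIMResult == "pass" && aligned(r.FromDomain, r.DKIMDomain, p.ADKIM)
	if spfOK || dkimOK {
		return "pass"
	}
	if !strings.EqualFold(r.FromDomain, orgDomain(r.FromDomain)) {
		return p.SubdomainAction // mail from a subdomain falls under sp=
	}
	return p.Action
}

func main() {
	p, err := ParsePolicy("v=DMARC1; p=none; sp=none; rua=mailto:dmarcreport@turtleweb.com; ruf=mailto:dmarcanalysis@turtleweb.com; rf=afrf; pct=100; ri=86400")
	if err != nil {
		panic(err)
	}
	spoof := AuthResult{FromDomain: "turtleweb.com", SPFResult: "pass", SPFDomain: "fakemail.com"}
	fmt.Println(Disposition(p, spoof)) // "none": reporting-only, the mail is still delivered
}
```

With the slide's p=none record a spoofed message whose SPF passes for fakemail.com but whose From: says turtleweb.com is delivered and only reported, which is exactly the "start with reporting-only policies" stage from slide 21; the same message against p=reject is rejected, a message from news.turtleweb.com falls under sp=, and a genuine message forwarded through another host (SPF fail, DKIM pass with d=turtleweb.com) still passes.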
23. DMARC and Domino
• Domino doesn’t support
• SPF checking
• DKIM key encryption
• DKIM decryption
• It’s unlikely to do so
• Edge services do support both SPF checking and DKIM encryption
• For DKIM encryption outbound, Domino mail can be routed through an SMTP relay with an installed DKIM package
• Or someone could write a DKIM add-in for Domino
24. Summary
• Email isn’t going away
• DMARC isn’t a single solution, it’s a combination of technical tools and processes
• Many of the technical tools have been around for years, including SPF, Reverse DNS and DKIM
• But not deployed widely, as being too complex
• We have to take more responsibility for protecting people from sophisticated phishing attempts, not just from content
• DMARC is increasingly being required by receiving servers wanting to protect their customers