DMARC is an email authentication standard, layered on SMTP, that customers increasingly request to protect against email spoofing. It combines SPF (Sender Policy Framework) records and DKIM (DomainKeys Identified Mail). Using DMARC you publicly specify how your outbound mail is sent, and the receiving server verifies that the mail it receives matches your requirements. In this session we'll discuss DMARC deployments and what to do if your mail server (like IBM Domino or SmartCloud) does not yet support DKIM.
Presented at Collabsphere 2018 in Ann Arbor, MI
3. Gab Davis
✤ Admin of all things, and especially the quite complicated things where the fun is
✤ Working with the design, deployment and security of IBM technologies within global infrastructures
✤ Working with the real-world security and privacy aspects of expanding data ecosystems
✤ Stubborn and relentless problem solver
✤ http://turtleblog.info
✤ https://www.turtlepartnership.com
✤ IBM Lifetime Champion
5. Relaying
✤ Using Your Servers
✤ Routing "bad" mail through "good" servers owned by a legitimate company lends the bad mail that company's reputation
✤ Properly configured servers stop that happening
✤ It takes only a few poorly configured servers to successfully route millions of emails
✤ This is an administrative problem, not a user problem
✤ It doesn't directly hurt your own users, who never see the relayed mail
✤ It does cause bottlenecks on your servers as they try to send the relayed mail
✤ Receiving hosts often check that the domain the connecting server claims to send for matches the sender addresses on the message
✤ It can result in your servers being blacklisted and unable to send mail, your own included
6. Blacklists
(diagram)
✤ My SMTP host: listening on port 25/465 for any SMTP mail, not just mail for my own domain, turtleweb.com
✤ Spam-generating server (domain: fakemail.com): scans for any open listening host that will accept mail not addressed to its own domain, and relays through mine
✤ Domain being spammed (domain: rivers.com): the delivered message carries the return path (the envelope MAIL FROM, written into the Return-Path header on delivery), so the spam is traced back to my host, not to fakemail.com
7. Preventing and Protecting Relaying
✤ Lock down servers to only accept mail for your own domains
✤ Use an edge service to verify valid domains
✤ Use SPF records
✤ These define the identities of the servers permitted to send mail for your domains
✤ Receiving servers look up the SPF record for the domain in the envelope sender (MAIL FROM) and check whether it lists the connecting server's IP address; note that SPF does not look at the From: header the user sees
✤ Many receiving domains and servers now treat mail without an SPF pass with suspicion or refuse it outright
✤ SPF records alone are no longer enough
8. SPF
(diagram)
✤ gab@turtleweb.com creates an email to tim@gmail.com
✤ turtleweb.com SMTP server (mail.turtleinfo.net) connects to the gmail.com SMTP listener
✤ turtleweb.com DNS record, SPF entry:
turtleweb.com. IN TXT "v=spf1 mx a ip4:79.99.66.142 a:mail.turtleinfo.net"
✤ gmail checks the SPF record in DNS to verify whether the sending server is approved
✤ Note this record has no trailing all mechanism, so a connection from any other address evaluates to neutral rather than fail; a production record should end with -all or ~all
9. Phishing
✤ Phishing - tricking the user into handing over personal information voluntarily
✤ Phishing scams can use spoofing techniques in order to seem more genuine to the user
✤ Over 30% of phishing emails are opened
✤ Phishing is often combined with spoofing to give the request more authenticity, but the goal is to gather information
✤ The goal of spoofing on its own is usually to deliver a malicious payload
✤ Preventing phishing "should" simply be a case of user awareness (the next slides show why that is not enough)
10. Why Don't These Techniques Work
✤ Technical solutions do work if deployed rigidly, however:
✤ Mail systems are often complex
✤ If I want my own users to send mail via my SMTP server from outside, I can't simply block all relaying
✤ The perceived risk of rejecting valid mail is greater than the risk of accepting fraudulent mail
✤ People I want to receive email from often haven't set up their own SPF records
11. User Training Isn't Enough
✤ Phishing increasingly relies on sophisticated social engineering designed to win trust
✤ Users are aware of the risk, so the mails have become more sophisticated
✤ The iOS problem: mobile mail clients show the sender's display name rather than the actual address, so a spoofed name looks genuine
✤ Verbal verification is not always possible
✤ We need better ways of validating the source of mail before it reaches the user and becomes their responsibility
12. Content Filtering
✤ Edge services specifically designed to check content
✤ Estimates put spam at around 90% of received mail
✤ Filtering has moved from checking for certain words or phrases to checking message structure
✤ It didn't take long for spammers to work out how to fool word filters
14. DMARC
✤ Domain-based Message Authentication, Reporting and Conformance
✤ Created by a group of large mail operators including Google, PayPal, Microsoft and Yahoo
✤ A combination of processes and policies that provide both validation of messages and reporting of fraudulent attempts
✤ It builds on SPF and DKIM, adding the requirement that the domain they authenticated aligns with the From: address the user sees; content scanning is a separate edge-service function, not part of DMARC
✤ DMARC policies tell the receiver what to do with messages that fail validation and where to send reports, so useful data comes back to the domain owner
16. DKIM - DomainKeys Identified Mail (simplified)
✤ A public/private key pair used to sign every outgoing message
✤ DKIM assures the receiving server that the message was sent by a server holding the domain's private key and has not been altered since it was signed
(diagram)
✤ turtleweb.com sending server: hashes the message body and a chosen set of headers (at least From:, typically Subject: as well), signs the hash with its private key and attaches the result as a DKIM-Signature header before sending the email to tim@gmail.com
✤ DNS: turtleweb.com's DNS holds the matching public key in a TXT record at <selector>._domainkey.turtleweb.com
✤ gmail.com receiving server: fetches the public key named by the d= and s= tags of the signature, verifies the signature with it and recomputes the hashes to confirm the signed headers and body are unchanged before delivering the mail to tim
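The "hash, then sign" step above is easier to see in code. The following is an added example, not code from the deck or from Domino: it canonicalizes a constructed message the way a DKIM signer does (relaxed mode, RFC 6376 s.3.4), computes the bh= body hash and builds the header data that the private key would then sign. The RSA signing itself (the b= tag) is left out; the From/To addresses are the slide's, everything else, including the selector name s1, is made up.

```python
"""DKIM canonicalization and hashing (RFC 6376 s.3.4 and s.3.7) using only the
standard library. Added example, not code from the deck or from Domino. It
produces the bh= body hash and the header data a signer would then RSA-sign;
the RSA step itself (the b= tag) is not shown. The message is constructed; only
the turtleweb.com / gmail.com addresses come from the slide."""
import base64
import hashlib
import re

CRLF = "\r\n"


def canon_body_simple(body):
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    return re.sub(r"(\r\n)*$", "", body) + CRLF


def canon_body_relaxed(body):
    """'relaxed' body canonicalization: strip line-end WSP, collapse WSP runs to one
    space, drop trailing empty lines; an empty body canonicalizes to the empty string."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split(CRLF)]
    while lines and lines[-1] == "":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else ""


def canon_header_relaxed(name, value):
    """'relaxed' header canonicalization: lowercase name, unfold, collapse WSP, trim."""
    value = re.sub(r"\r\n[ \t]+", " ", value)               # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.strip().lower()}:{value}{CRLF}"


def body_hash(body, canon="relaxed"):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    cbody = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.sha256(cbody.encode()).digest()).decode()


def data_to_sign(headers, signed_fields, dkim_signature_value):
    """Header input to the signature: each h= field taken from the bottom of the
    header block (each instance at most once), then the DKIM-Signature header
    itself with an empty b= and no trailing CRLF."""
    used, out = set(), []
    for field in signed_fields:
        for i in range(len(headers) - 1, -1, -1):
            if headers[i][0].lower() == field.lower() and i not in used:
                used.add(i)
                out.append(canon_header_relaxed(*headers[i]))
                break
    sig = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", dkim_signature_value)
    out.append(canon_header_relaxed("DKIM-Signature", sig).rstrip(CRLF))
    return "".join(out)


def prepare_signature(headers, body, domain="turtleweb.com", selector="s1"):
    """Return (bh, hex digest of the data to sign, DKIM-Signature value with empty b=).
    The selector s1 is an assumed name; the real one is whatever you publish in DNS."""
    fields = ["from", "to", "subject"]
    bh = body_hash(body)
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
           f"h={':'.join(fields)}; bh={bh}; b=")
    digest = hashlib.sha256(data_to_sign(headers, fields, sig).encode()).hexdigest()
    return bh, digest, sig


# Constructed message: a folded Subject with stray spaces and trailing blank lines
HEADERS = [
    ("From", "Gab Davis <gab@turtleweb.com>"),
    ("To", "tim@gmail.com"),
    ("Subject", "DMARC   at Collabsphere\r\n  2018"),
]
BODY = "Hello Tim,  \r\nSee you in Ann Arbor.\r\n\r\n\r\n"

if __name__ == "__main__":
    bh, digest, sig = prepare_signature(HEADERS, BODY)
    print("DKIM-Signature:", sig)
    print("data hash to be RSA-signed:", digest)
    # whitespace-only changes in transit survive relaxed canonicalization...
    print(bh == body_hash("Hello Tim,\r\nSee you in Ann Arbor.\r\n"))
    # ...but changing the words does not
    print(bh == body_hash("Hello Tim,\r\nSee you in Detroit.\r\n"))
```

The point to take from it: relaxed canonicalization is what lets a signature survive the trailing-space and line-folding changes intermediate servers make, while any edit to the actual words (or to a signed header such as From:) changes the hash and the verifier rejects the message. This is also why DKIM on its own says nothing about the From: domain matching d=; that check is what DMARC adds.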
17. DMARC Policies
✤ Faked mail appears and disappears, often without the genuine domain owner knowing
✤ Most systems just bounce, delete or quarantine the messages
✤ Without knowing the scale of faked mail, or even that someone is impersonating my company, how can I stop it?
✤ DMARC configuration has two parts
✤ telling the receiving server what to do with non-genuine mail
✤ telling the receiving server where to send summary reports of non-genuine mail
✤ DMARC deployed correctly allows us to both pre-emptively manage faked mail and have visibility of its existence
19. Constructing SPF Records
✤ Several sites help you construct your SPF records, including spfwizard.net and mxtoolbox.com
✤ If you are unsure of the syntax, use one of these sites
✤ What happens to mail from a server the record does not list is decided by the qualifier on the record's final all mechanism:
✤ -all (Fail) - the receiver may refuse delivery
✤ ~all (Softfail) - accepted, with an increased likelihood of being tagged as spam
✤ ?all (Neutral) - treated as if no record existed; this is also the result when the record has no all term at all
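To make the qualifier behaviour concrete, here is an added example (my code, not from the deck) that evaluates the record shown on the SPF slide against a few connecting addresses. It uses a constructed in-memory DNS table instead of live lookups; turtleweb.com, mail.turtleinfo.net and 79.99.66.142 come from the slide, the other names and addresses are invented. It also shows what the slide's record does for an unlisted server: with no trailing all term the result is neutral, not fail.

```python
"""Minimal SPF (RFC 7208) evaluator covering the mechanisms in the slide's record
(mx, a, a:<host>, ip4) plus the all qualifiers. Added example, not code from the
deck. DNS answers come from a constructed in-memory table so it runs offline;
turtleweb.com, mail.turtleinfo.net and 79.99.66.142 are from the slide, every
other name and address is made-up test data."""
import ipaddress

# Constructed stand-in for DNS; real code would query TXT, MX and A records.
DNS = {
    "TXT": {"turtleweb.com": "v=spf1 mx a ip4:79.99.66.142 a:mail.turtleinfo.net"},
    "MX": {"turtleweb.com": ["mail.turtleweb.com"]},
    "A": {
        "turtleweb.com": ["203.0.113.10"],
        "mail.turtleweb.com": ["203.0.113.25"],
        "mail.turtleinfo.net": ["198.51.100.5"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(mech, domain, ip):
    """True if one mechanism (qualifier already stripped) matches the client IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)   # bare IP or CIDR
    if name == "a":
        return str(ip) in DNS["A"].get(arg or domain, [])
    if name == "mx":
        return any(str(ip) in DNS["A"].get(mx, [])
                   for mx in DNS["MX"].get(arg or domain, []))
    raise ValueError(f"unsupported mechanism {mech!r} (include/exists/ptr not implemented)")


def check_spf(domain, client_ip, record=None):
    """Evaluate the SPF record of the MAIL FROM domain against the connecting IP.

    Returns pass, fail, softfail, neutral or none. `record` overrides the DNS
    table so the effect of a different all qualifier can be tried directly."""
    record = record if record is not None else DNS["TXT"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term:          # modifiers (redirect=, exp=) are ignored in this example
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if mechanism_matches(term.lstrip("+-~?"), domain, ip):
            return QUALIFIERS[qualifier]
    # RFC 7208 s.4.7: no mechanism matched and no explicit all term -> neutral,
    # which is exactly what the slide's record (no trailing all) produces
    return "neutral"


if __name__ == "__main__":
    for ip in ("79.99.66.142", "198.51.100.5", "203.0.113.25", "192.0.2.99"):
        print(f"{ip:>14} -> {check_spf('turtleweb.com', ip)}")
    hardened = DNS["TXT"]["turtleweb.com"] + " -all"
    print("192.0.2.99 with -all ->", check_spf("turtleweb.com", "192.0.2.99", hardened))
```

Note that the evaluation is against the envelope MAIL FROM domain, so a spoofer who sets MAIL FROM to their own domain and From: to yours gets an SPF pass; that gap is closed only by DMARC's alignment check, not by SPF itself.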
20. Deploying DKIM
✤ The sending mail server must support DKIM signing
✤ If it doesn't, you will either have to install a DKIM signing package or route mail through a server that does support it
✤ Some DKIM mail services: http://dkim.org/deploy/index.html
✤ The inbound server must support DKIM verification
✤ Many edge mail services do (Postini, Proofpoint, Barracuda, O365 etc)
✤ IBM have had a tech request open since 2011 for DKIM, but there isn't enough demand for it in Domino (especially now)
✤ If you're interested, the SPR is JFBM7ELEQY
21. Creating A DKIM Record
✤ Generate an RSA key pair with OpenSSL or a site such as
✤ https://www.socketlabs.com/domainkey-dkim-generation-wizard
✤ https://www.port25.com/dkim-wizard
✤ Publish the public key in a TXT record at <selector>._domainkey.yourdomain in the form "v=DKIM1; k=rsa; p=<base64 public key>"; a 2048-bit key exceeds the 255-octet limit of a single TXT string and must be split into several quoted strings in the zone file
✤ Configure the DKIM package or enabled server to sign with the private key and the same selector
22. DMARC Planning
✤ Enabling DMARC takes a significant amount of planning and testing
✤ The point of DMARC is to tell receiving servers to reject, quarantine or deliver your mail
✤ Configured incorrectly it can result in all your sent mail disappearing
✤ Start with test domains!
✤ Start with reporting-only policies (p=none)
✤ Ensure you have an email address / mailbox configured for the DMARC reports
✤ These will tell you if someone is sending mail as your domain that doesn't meet your SPF and DKIM settings, and just as importantly whether your own legitimate sources (Domino, marketing tools, ticketing systems) are failing
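What those reports look like, and how to turn one into the "is someone sending as my domain" answer, as an added example (my code, not the deck's). The XML is a constructed aggregate report in the RFC 7489 appendix C format: one row for the real turtleweb.com server passing SPF but carrying no DKIM signature (the Domino case from the deck), one for a spoofer at an invented address, 192.0.2.77, whose SPF passes for its own domain fakemail.com and therefore fails DMARC alignment. The reporter name, report id and counts are invented too.

```python
"""Reader for a DMARC aggregate (rua) report, the XML that receivers return to
the address in the rua= tag (RFC 7489 appendix C). Added example, not code from
the deck. The report below is constructed: turtleweb.com, 79.99.66.142 and
fakemail.com are names from the slides; the reporter, counts and 192.0.2.77 are
invented. Real reports arrive as gzip or zip attachments, one per reporting
organisation per reporting interval."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1530403200.1</report_id>
    <date_range><begin>1530403200</begin><end>1530489599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>turtleweb.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>79.99.66.142</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>turtleweb.com</header_from></identifiers>
    <auth_results><spf><domain>turtleweb.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>turtleweb.com</header_from></identifiers>
    <auth_results><spf><domain>fakemail.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node, path):
    return node.findtext(path, default="").strip()


def parse_report(xml_text):
    """Flatten one aggregate report into a dict of published policy and per-source rows."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count")),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            # policy_evaluated dkim/spf are the ALIGNED results: pass only if the
            # check passed AND its domain aligned with header_from
            "dkim": _text(rec, "row/policy_evaluated/dkim"),
            "spf": _text(rec, "row/policy_evaluated/spf"),
            "header_from": _text(rec, "identifiers/header_from"),
            "spf_domain": _text(rec, "auth_results/spf/domain"),
            "spf_raw": _text(rec, "auth_results/spf/result"),
        })
    return {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "rows": rows,
    }


def summarize(report):
    """Count DMARC-passing versus failing mail and list the sources that failed.

    A row passes DMARC when either aligned SPF or aligned DKIM passed."""
    passed = failed = 0
    failing_sources = []
    for row in report["rows"]:
        if row["dkim"] == "pass" or row["spf"] == "pass":
            passed += row["count"]
        else:
            failed += row["count"]
            failing_sources.append((row["source_ip"], row["count"], row["spf_domain"]))
    return {"total": passed + failed, "passed": passed, "failed": failed,
            "failing_sources": failing_sources}


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    s = summarize(report)
    print(f"{report['reporter']} saw {s['total']} messages claiming {report['domain']}: "
          f"{s['passed']} passed DMARC, {s['failed']} failed (published p={report['policy']})")
    for ip, count, spf_domain in s["failing_sources"]:
        print(f"  {ip}: {count} messages, SPF domain {spf_domain!r} not aligned with the From: domain")
```

Two things to read off the output before tightening the policy: the failing source list is where impersonation shows up, but any address you recognise in it is a legitimate sender you have not yet covered with SPF or DKIM, and moving to p=quarantine or p=reject before that list is clean is how "all your sent mail disappears".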
23. DMARC Deployment
✤ Use a DMARC wizard such as https://mxtoolbox.com/DMARCRecordGenerator.aspx or https://www.unlocktheinbox.com/dmarcwizard/ to review your options and create the right syntax
✤ DMARC questions include:
✤ How do you want mail that fails DMARC to be treated by the recipient? (p=none, quarantine or reject)
✤ Where do you want your aggregate reports sent to? (rua=)
✤ Do you want forensic (individual) reports generated on specific failures such as SPF or DKIM? (ruf=; note that many large receivers never send these for privacy reasons)
✤ Zone file TXT entry, published at _dmarc.turtleweb.com:
"v=DMARC1; p=none; sp=none; rua=mailto:dmarcreport@turtleweb.com;
ruf=mailto:dmarcanalysis@turtleweb.com; rf=afrf; pct=100; ri=86400"
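An added example, not from the deck, that parses the zone-file entry above and shows how a receiver applies it to a single message, including the identifier-alignment rule the slides gloss over (an SPF or DKIM pass only counts if its domain matches the From: domain the user sees) and the pct= sampling rule. The record is the slide's own; the per-message results fed to evaluate(), and the policy_domain and draw parameters, are constructed for illustration.

```python
"""Parse a DMARC TXT record and apply it to one message's authentication
results (RFC 7489 s.6.3 tags, s.3.1 identifier alignment, s.6.6.4 pct sampling).
Added example, not code from the deck. RECORD is the one on the slide; the
per-message results passed to evaluate() are constructed."""

RECORD = ("v=DMARC1; p=none; sp=none; rua=mailto:dmarcreport@turtleweb.com; "
          "ruf=mailto:dmarcanalysis@turtleweb.com; rf=afrf; pct=100; ri=86400")

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "rf": "afrf", "ri": "86400", "fo": "0"}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict, check the two mandatory tags, fill defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if not record.strip().startswith("v=DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be 0-100")
    return {**DEFAULTS, **tags}


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real receivers
    use the Public Suffix List so that names such as example.co.uk work."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain,
             policy_domain="turtleweb.com", draw=0):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was evaluated on, dkim_domain the d=
    of a verified signature. policy_domain is the domain the record was found
    under. draw is the receiver's 0-99 random number for pct sampling; 0 means
    the policy is always applied."""
    pol = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, pol["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    action = pol["p"]
    # sp= applies when the From: domain is a subdomain of the policy domain
    if header_from.lower().endswith("." + policy_domain.lower()) and "sp" in pol:
        action = pol["sp"]
    # messages outside the pct sample get the next weaker action (RFC 7489 s.6.6.4)
    if draw >= int(pol["pct"]):
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return "fail", action


if __name__ == "__main__":
    # Domino sending direct with SPF only, no DKIM: passes DMARC via aligned SPF
    print(evaluate(RECORD, "turtleweb.com", "pass", "turtleweb.com", "none", ""))
    # spoofer with a valid SPF for its own domain: SPF passes but is not aligned
    print(evaluate(RECORD, "turtleweb.com", "pass", "fakemail.com", "none", ""))
    # the same spoofed message once the policy has been moved to p=reject
    print(evaluate("v=DMARC1; p=reject; rua=mailto:dmarcreport@turtleweb.com",
                   "turtleweb.com", "pass", "fakemail.com", "none", ""))
```

The first call is the "DMARC without DKIM" case from the deck: a Domino server whose IP is in the SPF record passes DMARC as long as the MAIL FROM domain matches the From: domain. It also shows where SPF-only breaks down: any forwarder or mailing list that rewrites MAIL FROM loses alignment, and only a DKIM signature survives that, which is the practical reason to route Domino's outbound mail through a signing relay before going to p=reject.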
24. DMARC and Domino
✤ Domino doesn't support
✤ SPF checking
✤ DKIM signing
✤ DKIM verification
✤ It's unlikely to do so
✤ Edge services do support both SPF checking and DKIM signing
✤ For DKIM signing outbound, Domino mail can be routed through an SMTP relay with an installed DKIM package
✤ or someone could write a DKIM add-in for Domino
25. DMARC Without DKIM
✤ It's possible to deploy DMARC records on a domain that has SPF but no DKIM; mail then passes DMARC only on an aligned SPF result
✤ Why would you do that?
✤ To get analysis reports on sent mail behaviour (example from dmarc.org)
28. Summary
✤ Email isn't going away
✤ DMARC isn't a single solution, it's a combination of technical tools and processes
✤ Many of the technical tools have been around for years, including SPF, reverse DNS and DKIM
✤ but not deployed widely, as they were seen as too complex
✤ We have to take more responsibility for protecting people from sophisticated phishing attempts, not just from content
✤ DMARC is increasingly being required by receiving servers wanting to protect their customers, but it can also help you identify your own threat level