2
3
Additional Benefits of DMARC
• Inbox Protection on the Consumer side: • DMARC Verification, not policy• 80 percent of the current total number of worldwide email accounts
(source: Valimail).
• Deliverability
• Visibility: Provides insight into attempts to spam, phish, or even spear-phish using your organization’s brand/name
4
• Protects against Domain spoofing ([email protected])
• Create policy for all public domains
DMARC con’t
4
Overview
1
23 4
5
6
7
6
• Basic:Host: _dmarcValue: v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:<email address>;
• Complex:Host: _dmarcValue: v=DMARC1; p=none; rua=mailto:[email protected];ruf=mailto:<email address>; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject;
DMARC DNS TXT Record
7
What do each of the tags mean?
Required:• v=DMARC1 - version• p= - policy level• rua= - aggregate reports
Recommended:• ruf= - forensic/failure reports
Consider using• sp= - sub-domain policy
Optional Tags:• fo= send message samples of
emails that failed either SPF and/or DKIM.
• adkim= Alignment mode for DKIM
• aspf= Alignment mode for SPF• pct= - % of messages impacted • rf= - report format• ri= - reporting intervals
8
Proper Implementation
DMARC implementation requires Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) in order to work
• SPF is used to define which mail servers are authorized to send mail• DKIM is used to add a digital signature for an additional layer to
authenticate the sender
9
SPF
• use –all or ~all• Can only can one record• Flattening vs Dynamic (instant) SPF
• 10 domain lookup issue
• Alignment vs Verification
9
10
SPF AlignmentGood:From: [email protected]: <[email protected]> Received-SPF: pass (google.com: domain of [email protected] designates 2607:f8b0:4864:20::d34 as permitted sender) client-ip=2607:f8b0:4864:20::d34;
Fail:From: [email protected]: < [email protected] > Received-SPF: pass (google.com: domain of [email protected] designates 205.201.133.58 as permitted sender) client-ip=205.201.133.58;
To achieve a passing SPF alignment, the From: header domain must match the domain used to authenticate SPF (e.g., envelope “mail from:” “return-path” domain).
11
DKIM
• Protect private key• Publish public key• Can have more than one record• CNAME or TXT• Use if using cloud service provider• Alignment vs Verification
11
1212
Message Header:DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalcyberalliance.org; s=gca; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc;
DKIM Alignment
13
DNS Implementation
DMARC• One record per domain
SPF• One record per domain• hostname set to @, null or blank
DKIM• Multiple records per domain• must start with <selector>._domainkey.
Linux• check for $ORIGIN <domain>• requires quotation marks
All DNS• may not need FQDN• may not need quotation marks
14
DMARC Reports
• DMARC generates two types of reports:• Aggregate (rua)• Forensic (ruf)
• Reports sent in XML format to email of choice (can be sent to multiple addresses)• Number and length of reports is dependent on amount of email sent• Reports will provide insight as to which messages were marked as suspicious• Allows for IT staff to correct any issues with valid messages being dropped by the
policy
15
Sample Aggregate Report
<?xml version="1.0" encoding="UTF-8" ?><feedback><report_metadata><org_name>google.com</org_name><email>[email protected]</email><extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info><report_id>6156901232184779430</report_id><date_range><begin>1466121600</begin><end>1466207999</end>
</date_range></report_metadata><policy_published><domain>globalcyberalliance.org</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><sp>quarantine</sp><pct>100</pct>
</policy_published><record><row><source_ip>2607:f8b0:4001:c0b::22f</source_ip><count>2</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
</policy_evaluated></row><identifiers><header_from>globalcyberalliance.org</header_from>
</identifiers><auth_results><dkim><domain>globalcyberalliance.org</domain><result>pass</result>
</dkim><spf><domain>globalcyberalliance.org</domain><result>pass</result>
</spf></auth_results>
</record>
16
Aggregate Reports
17
What to look for
DKIM Issues
Possible Spoofing
DKIM and SPF Issues
18
DMARC Service Providers
19
“Free” Options• UK National Cyber Security Centre - https://github.com/ukncsc/mail-check• St. Louis County - https://github.com/wwalker0307/ElasticMARC• Valimail Monitor• Github DMARC parse (search)
• XML to Human Converters (best if small number of reports are received) • Dmarcian - XML Uploader
• DMARC analyzers (limited capabilities)• Postmark - https://dmarc.postmarkapp.com/• MXTOOLBOX - https://mxtoolbox.com/dmarcsetup
• 3rd Party tools• LinkedIn LaFayette - https://github.com/linkedin/lafayette/• SendGrid DMARC Parser - https://github.com/thinkingserious/sendgrid-python-dmarc-parser• Yahoo’s DMARC Report Processor - https://github.com/prbinu/dmarc-report-processor
• Additional resources are available on DMARC.org’s Code and Library page
20
• Review reports• Adjust SPF and DKIM as needed
• Apply p=reject to all public domains not used for email
• Move to Quarantine/Reject• Continue to review reports• Adjust SPF and DKIM as needed when new mail services are added.
• Consider using additional email authentication mechanisms
• GCA domain take down project - [email protected]
What Next?
21source: https://medium.com/@ykhan30/an-easy-win-for-email-security-2b84ac2a22da
22
ARC
• Authenticated Received Chain• “preserves email authentication results across subsequent
intermediaries (“hops”) that may modify the message”• http://arc-spec.org
• Used on Mail forwarders or Mail List servers• RFC 8617• Tools: OpenARC
(https://github.com/trusteddomainproject/OpenARC/releases)
23
BIMI
• Brand Indicators for Message Identification• Requires DMARC policy of reject or quarantine• DNS TXT record
hostname: default._bimi.value: “v=BIMI1; l=<location of image file>;”
• Image file must be a SVG file• Reference:
• http://bimigroup.org/• https://bimi.agari.com/
24
Other Email Authentication
• DANE (RFC6698)• DNS-Based Authentication of Named Entities• requires DNSSEC
• MTA-STS• requires valid SSL cert
• TLS-RPT
25
Final Items
• Survey
• Certification of Completion
26
Resources
• DMARC.org (http://www.dmarc.org) - Great source for DMARC information
• GCA DMARC - https://dmarc.globalcyberalliance.org• Webinar is available on this site
• GCA YouTube Channel• Webinar• Videos for GCA DMARC Setup Guide
• Community Forum – https://community.globalcyberalliance.org
• Bootcamp Resource page - https://dmarc.globalcyberalliance.org/dmarc-bootcamp/
27
GCA Projects
• Cyber Security Toolkit (gcatoolkit.org)• AIDE (gcaaide.org)
Q & A