Week 2: SPF and DKIM · 2019-09-19
-
Shehzad Mirza, Director of Operations
[email protected] · globalcyberalliance.org
Bootcamp
-
Bootcamp Plan and upcoming Webinars
• Weeks 1-2: Getting Started
  • Bootcamp Introduction and DMARC Overview
  • Overview of DMARC, SPF and DKIM
• Weeks 3-4: Time to Implement!
  • Demonstrations on how to implement DMARC on Windows DNS, BIND and a Cloud-based DNS Provider
  • Participants should implement DMARC during these weeks
• Weeks 5-6: Ongoing Management: Analyze, Review and Adjust
  • What to look for in DMARC reports and what needs to be adjusted before moving to an enforcement policy
-
Bootcamp Resources
• Community Forum – https://community.globalcyberalliance.org/
• Bootcamp resource page – https://dmarc.globalcyberalliance.org/dmarc-bootcamp/
-
Introduction to SPF and DKIM
-
Sender Policy Framework (SPF)
-
SPF – Sender Policy Framework
• Defines which mail servers are authorized to send mail for the organization's domain
• Uses the "envelope from" (the SMTP MAIL FROM / Return-Path address) to determine the sending domain, not the From: header the user sees
• Published as a TXT record in the domain's DNS zone
• A domain can only have one SPF record; receivers treat two or more "v=spf1" TXT records as a permanent error and the domain ends up unprotected
-
SPF
-
SPF DNS TXT Record
• Basic:
  Name: <domain> or @ or leave blank (depends on the DNS provider)
  Value: "v=spf1 mx -all"
• Complex:
  Name: <domain>
  Value: "v=spf1 mx a:<hostname> include:<vendor SPF domain> ip4:<address or CIDR> ~all"
-
SPF Tags
• v=spf1 – the TXT record always begins with this; it defines the SPF version, and version 1 is currently the only one
• mx – the domain's incoming mail servers (its MX hosts) are also authorized to send mail for the domain
• a:<hostname> – authorizes the addresses the named host resolves to; include it for systems other than the mail servers that send mail for the domain (a bare "a" means the domain's own A record)
• include:<domain> – everything the SPF record of the named external domain considers legitimate is legitimate for the organization's domain; this is the usual way to authorize a 3rd party such as G Suite or Office 365
• ip4:<address>/ip6:<address> – authorizes an IP address or CIDR range directly; use this when only IP addresses are available (these cost no DNS lookups)
-
SPF Tags (con't)
• ptr – uses the source IP's PTR record and a reverse-map query; RFC 7208 says it should not be used (slow and unreliable)
• exists:<domain> – the existence of the specified domain (any valid A record) allows the test to pass; usually combined with macros
• redirect=<domain> – redirects verification to use the SPF record of the defined domain; it should be the last term in the record and is ignored if an "all" mechanism is also present
• exp=<domain> – defines a DNS name whose TXT record's text may be returned with any failure message
• Macro-expressions – complex and confusing; avoid them unless you really need them
-
SPF 'all' tag
• -all – Hard Fail: only the domain's mail servers (and the hosts matched by the a, include and ip4/ip6 terms) are allowed to send mail for the domain; all others get an SPF "fail"
• ~all – Soft Fail: if email comes from a server not in the policy, the message is still accepted but marked as non-compliant ("softfail")
• ?all – Neutral: explicitly states that nothing can be said about validity
• +all – Pass: any host can send mail for the domain. This should never be used.
-
Example SPF Records
• v=spf1 mx include:_spf.google.com -all
• v=spf1 mx include:spf.protection.outlook.com -all
• v=spf1 include:spf.protection.outlook.com ip4:161.11.10.20 -all
• The qualifier is an ASCII hyphen ("-all"); a Unicode dash pasted from a document ("–all") makes the whole record invalid
-
Items Needed for SPF
• Access to the org's public DNS
• Determine whether MX records are being used
• IP addresses or domains of systems sending on the organization's behalf
• Whether 3rd-party vendors support SPF, and what needs to be added to your SPF record for them
• Confirm SPF alignment (make sure the envelope "mail from" / Return-Path domain each sender uses is the org's domain)
-
SPF Alignment
Good:
From: [email protected]
Received-SPF: pass (google.com: domain of [email protected] designates 2607:f8b0:4864:20::d34 as permitted sender) client-ip=2607:f8b0:4864:20::d34;
Fail:
From: [email protected]
Return-Path: <[email protected]>
Received-SPF: pass (google.com: domain of [email protected] designates 205.201.133.58 as permitted sender) client-ip=205.201.133.58;
To achieve passing SPF alignment, the From: header domain must match the domain used to authenticate SPF (the envelope "mail from" / Return-Path domain). In the "Fail" case SPF itself passes, but for the bulk-mail vendor's bounce domain rather than the organization's domain, so the result does not count for DMARC.
-
SPF Alignment
-
SPF Shortfalls
• The recipient server must decide how to handle failed messages
• Once implemented, there is no mechanism to tell you whether a message was rejected or bounced (no reporting)
• If used alone, any other customer of the same hosting provider (the same include:) can still forge mail for your domain
• 10 DNS lookup limit: include, a, mx, ptr, exists and redirect each cost a lookup, and more than 10 is a permanent error
• Does not validate the "header from"; it uses the "envelope from" to determine the sending domain, so the address the user sees is not checked
-
10 DNS Lookup Limit Workarounds
• SPF Flattening
  • Replace include:, a and mx terms with the literal ip4:/ip6: addresses they resolve to
  • Be extremely careful: the flattened list goes stale as soon as a provider changes addresses, so it must be regenerated regularly
• Dynamic SPF
  • Capability provided by various DMARC vendors, which maintain and re-flatten the record for you
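As an added example (not code from the deck or from GCA), the following Python script applies the SPF rules above offline: it parses a record into terms, lints for the mistakes just discussed (+all, ptr, a Unicode dash in place of "-", redirect= next to all), counts the DNS lookups an include:/redirect= chain costs against the limit of 10, and flattens a record into literal ip4:/ip6: terms. DNS is replaced by a constructed table (FAKE_DNS) of made-up domains and documentation addresses; a real tool would resolve TXT, A and MX records instead.

```python
"""SPF lint, DNS-lookup counting and flattening against a constructed in-memory zone table."""
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # one DNS lookup each (RFC 7208)
MAX_LOOKUPS = 10                                                      # more than this is permerror
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_-]*)(?:([:=/])(.+))?$")

# Constructed stand-in for DNS (made-up domains, documentation addresses): domain -> SPF TXT, A, MX.
FAKE_DNS = {
    "example.org": {"spf": "v=spf1 mx include:_spf.mailvendor.example ip4:161.11.10.20 -all",
                    "a": ["203.0.113.10"], "mx": ["mail.example.org"]},
    "mail.example.org": {"spf": None, "a": ["203.0.113.25"], "mx": []},
    "_spf.mailvendor.example": {"spf": "v=spf1 ip4:198.51.100.0/24 include:_spf2.mailvendor.example ~all",
                                "a": [], "mx": []},
    "_spf2.mailvendor.example": {"spf": "v=spf1 ip6:2001:db8::/32 -all", "a": [], "mx": []},
}
for i in range(12):   # a 12-deep include chain, to show the limit being exceeded
    FAKE_DNS[f"deep{i}.example"] = {"spf": f"v=spf1 include:deep{i + 1}.example -all", "a": [], "mx": []}
FAKE_DNS["deep12.example"] = {"spf": "v=spf1 ip4:192.0.2.1 -all", "a": [], "mx": []}


def parse_spf(record):
    """Split a record into (qualifier, name, value) terms; the qualifier defaults to '+'.
    'include:x' -> ('+','include','x'); 'redirect=x' -> ('+','redirect','x'); 'mx/24' -> ('+','mx','/24')."""
    terms = []
    for raw in record.split():
        m = TERM_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable SPF term {raw!r}")
        qual, name, sep, val = m.groups()
        terms.append((qual or "+", name.lower(), ("/" + val) if sep == "/" else val))
    return terms


def lint_spf(record):
    """Problems a receiver would trip over or an attacker would enjoy."""
    issues = []
    if not record.isascii():
        issues.append("non-ASCII character (a Unicode dash pasted for '-'?): receivers return permerror")
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return issues + [str(exc)]
    if not terms or terms[0] != ("+", "v", "spf1"):
        issues.append("record must begin with v=spf1")
    names = [n for _, n, _ in terms]
    if ("+", "all", None) in terms:
        issues.append("+all authorizes every host on the internet; never publish it")
    if "ptr" in names:
        issues.append("ptr is discouraged by RFC 7208 (slow, unreliable); use ip4/ip6, a or mx")
    if "redirect" in names and "all" in names:
        issues.append("redirect= is ignored when an 'all' mechanism is present")
    if "all" not in names and "redirect" not in names:
        issues.append("no 'all' or redirect=: unlisted hosts get neutral instead of fail")
    return issues


def count_lookups(domain, dns=FAKE_DNS, _path=frozenset()):
    """DNS lookups a receiver spends evaluating `domain`, following include:/redirect= chains.
    Past MAX_LOOKUPS the receiver returns permerror and a '-all' domain silently stops being protected."""
    if domain in _path:                      # include loop: a resolver would permerror here
        return MAX_LOOKUPS + 1
    _path = _path | {domain}
    record = dns.get(domain, {}).get("spf")
    if not record:
        return 0
    total = 0
    for _, name, val in parse_spf(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(val, dns, _path)
    return total


def flatten_spf(domain, dns=FAKE_DNS):
    """Rewrite `domain`'s record using only ip4:/ip6: terms (SPF flattening).
    Caveat: the result is a snapshot; regenerate it whenever a provider changes addresses."""
    def addresses(dom, path=frozenset()):
        if dom in path or not dns.get(dom, {}).get("spf"):
            return []
        path, out = path | {dom}, []
        for qual, name, val in parse_spf(dns[dom]["spf"]):
            if qual != "+":                  # only 'pass' terms belong in an allow-list
                continue
            target = (val or "").split("/")[0] or dom   # 'a', 'a:host', 'a/24' -> host to resolve
            if name in ("ip4", "ip6"):
                out.append(f"{name}:{val}")
            elif name == "a":
                out += [f"ip4:{ip}" for ip in dns.get(target, {}).get("a", [])]
            elif name == "mx":
                for host in dns.get(target, {}).get("mx", []):
                    out += [f"ip4:{ip}" for ip in dns.get(host, {}).get("a", [])]
            elif name in ("include", "redirect"):
                out += addresses(val, path)
        return out
    tail = next((q + n for q, n, _ in parse_spf(dns[domain]["spf"]) if n == "all"), "-all")
    return " ".join(["v=spf1", *dict.fromkeys(addresses(domain)), tail])


if __name__ == "__main__":
    for rec in ("v=spf1 mx include:_spf.google.com -all", "v=spf1 mx include:spf.protection.outlook.com \u2013all", "v=spf1 ptr +all"):
        print(rec, "->", lint_spf(rec) or "OK")
    print("example.org lookups:", count_lookups("example.org"), "| deep0.example lookups:", count_lookups("deep0.example"))
    print("flattened:", flatten_spf("example.org"))
```

The lookup counter is the check to run before publishing: a record that looks short can still blow the limit through its includes, as the deep0.example chain shows, and from that point every message from the domain is evaluated as permerror rather than fail.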
-
DomainKeys Identified Mail (DKIM)
-
DKIM – DomainKeys Identified Mail
• Validates that a domain takes responsibility for a mail message, using a digital signature the sender adds to the message headers and the recipient verifies against a public key published in DNS
• Public key is published as a TXT or CNAME record in DNS
• A domain can have more than one record (one per selector), so keys can be rotated and each vendor can sign with its own key
-
Generate DKIM Keys
• Two keys: a private key (kept by the signer) and a public key (published in DNS)
• Key generation depends on:
  • Whether you use an external service for both mail and DNS (i.e. G Suite or Office 365)
  • Whether the organization has its own email server or gateway
-
DKIM with 3rd Party Mail Providers and Marketing Systems
• The mail provider gives you the public key, which you publish as a TXT or CNAME record in DNS
• In some cases the mail provider supplies the full DNS TXT record
• The private key is held by the mail provider and typically not provided to the organization
-
DKIM with the Organization's Mail Server or Gateway
• Some mail gateways will generate the DKIM keys (i.e. Cisco IronPort and Mimecast)
• Linux: an open source project called OpenDKIM (http://www.opendkim.org/) is available
  • Contains various tools to create the DKIM key and to integrate DKIM signing into various mail systems
• MS Exchange: dkim-exchange (GitHub)
• Another option is to use OpenSSL to generate the DKIM keys; use 2048 bits rather than 1024, which is the size RFC 8301 recommends for signers:
  • Private key: openssl genrsa -out dkim-private.pem 2048
  • Public key: openssl rsa -in dkim-private.pem -pubout -out dkim-public.pem
• Move the DKIM private key to the location specified by the DKIM installation, and make sure it is in a folder with restricted access (readable only by the signing service)
-
DKIM DNS TXT Record
name: <selector>._domainkey.<domain>
value: "k=rsa;p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l;"
-
DKIM Record Name
• <selector> – name of the DKIM key in DNS. Any name can be used before the ".", however it must be followed by "_domainkey". The selector is what appears as s= in the DKIM-Signature header.
• _domainkey – required
• <domain> – may not be needed; many DNS providers append the zone name automatically, so check the published name before you end up with selector._domainkey.example.org.example.org
-
DKIM Tags
• v=DKIM1 – optional version tag; if present it must be the first tag
• k=rsa – defines the key algorithm used
• p= – defines the base64-encoded public key string
  • 1024-bit keys are still the most common size
  • 2048-bit is recommended (RFC 8301); its longer p= value has to be split into multiple 255-character TXT strings
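As an added example (not from the deck), here is the glue a practitioner needs between the openssl commands and the DNS record shown above: turning a PEM public key into the p= value, building the selector._domainkey.domain name, splitting the value into 255-octet TXT strings (a 2048-bit key does not fit in one), and parsing the published record back the way a verifier would. The PEM below is a constructed placeholder of filler bytes in PEM armour, the same size as the SubjectPublicKeyInfo of a 2048-bit RSA key; it is not a usable key, and in practice you would read dkim-public.pem written by `openssl rsa -pubout`.

```python
"""DKIM DNS record: build the TXT value from a PEM public key and parse it back."""
import base64
import re

FAKE_DER = bytes(range(256)) + bytes(38)    # 294 filler bytes (size of a 2048-bit RSA SPKI), NOT a real key
SAMPLE_PUBLIC_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                     + base64.encodebytes(FAKE_DER).decode()   # constructed placeholder for openssl output
                     + "-----END PUBLIC KEY-----\n")

SELECTOR_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
TXT_STRING_LIMIT = 255                      # max octets per TXT character-string in DNS


def dkim_record_name(selector, domain):
    """<selector>._domainkey.<domain>: the name a verifier queries for the s=/d= in a signature."""
    if not SELECTOR_RE.fullmatch(selector):
        raise ValueError(f"invalid selector {selector!r}")
    return f"{selector}._domainkey.{domain.rstrip('.')}"


def pem_to_p(pem):
    """The p= value is the PEM body with armour lines and line breaks removed; fail fast on junk."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    base64.b64decode(body, validate=True)
    return body


def dkim_txt_value(p, key_type="rsa"):
    """Full record text; v=DKIM1 is optional but must come first when present."""
    return f"v=DKIM1; k={key_type}; p={p}"


def split_txt(value, limit=TXT_STRING_LIMIT):
    """A 2048-bit p= exceeds one 255-octet TXT string, so the value is published as several
    quoted strings which the verifier concatenates before parsing."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_record(selector, domain, pem):
    """One BIND-style line ready to paste into the zone file."""
    strings = " ".join(f'"{s}"' for s in split_txt(dkim_txt_value(pem_to_p(pem))))
    return f"{dkim_record_name(selector, domain)}. IN TXT ( {strings} )"


def parse_dkim_record(strings):
    """Reassemble the TXT strings and check the tags a verifier needs.
    Returns the tag dict plus the decoded key length; an empty p= means the key is revoked."""
    joined = "".join(strings)
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if "v" in tags and (tags["v"] != "DKIM1" or not joined.lstrip().startswith("v=")):
        raise ValueError("v= must be DKIM1 and must be the first tag")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        raise ValueError(f"unknown key type {tags['k']!r}")
    key = base64.b64decode("".join(tags["p"].split()), validate=True)   # FWS inside p= is allowed
    tags["key_bytes"] = len(key)
    return tags


if __name__ == "__main__":
    print(zone_record("gca", "globalcyberalliance.org", SAMPLE_PUBLIC_PEM))
    print(parse_dkim_record(split_txt(dkim_txt_value(pem_to_p(SAMPLE_PUBLIC_PEM)))))
```

The selector and domain used in the usage call are the s=gca and d=globalcyberalliance.org from the DKIM-Signature header shown later in the deck, so the name printed is the one a verifier would actually query for that signature.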
-
Items needed for DKIM
• Access to public DNS
• Define the selector
• DKIM key generator and signing tool
  • Built in to the mail server or email security gateway
  • Provided by the 3rd party email provider
• Whether 3rd-party vendors support DKIM, and what needs to be added to DNS (TXT or CNAME record)
• Confirm DKIM alignment (make sure the signing server signs with the org's domain)
-
DKIM Alignment
Message header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalcyberalliance.org; s=gca; h=mime-version:references:in-reply-to:from:date:message-id:subject:to:cc;
To achieve passing DKIM alignment, the d= domain in the DKIM-Signature must match the From: header domain (here globalcyberalliance.org). s=gca is the selector, so the verifier fetches the key from gca._domainkey.globalcyberalliance.org.
-
DKIM Shortfalls
• Does NOT define what to do if the signature is bad or good
• No reporting mechanism
• Does NOT determine whether the sending server is allowed to send outgoing mail for a specific domain; it only proves the message was signed with the key of the d= domain and not altered in transit
• Leaves it to recipient filters to determine the authenticity of the mail message; the recipient server must decide how to handle failed messages
-
DMARC
Domain-based Message Authentication, Reporting & Conformance
A policy that ties SPF and DKIM together (the A, Authentication, in DMARC): a message passes when either check passes and the domain it authenticated aligns with the From: header. The policy level your organization defines (the C, Conformance) tells receivers what to do with mail that fails, and the reporting feature (the R, Reporting) sends you aggregate and failure reports.
The policy is published in DNS, as a TXT record at _dmarc.<domain>
-
DMARC with SPF and DKIM
• Resolves most issues with SPF and DKIM
• Domains using the same hosting provider, or mail coming from the org's own mail servers: implement both SPF and DKIM
• DMARC utilizes the SPF and DKIM checks, plus alignment of each with the From: header
• DMARC reports
• DMARC indicates what to do with a message if either check fails or passes
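As an added example (not code from the deck or from GCA) covering the SPF alignment and DKIM alignment slides and the DMARC logic above, the following Python script evaluates a message the way a DMARC receiver does: it takes the SPF-authenticated domain from the Received-SPF header (as in the slide's examples), the signing domain from each DKIM-Signature, checks both against the From: domain in relaxed or strict mode, and passes when either aligned check passes. Everything in it is constructed: example.org and mailvendor.example are made-up domains, the IPs are documentation addresses, and the pass/fail results are read from the Received-SPF and Authentication-Results headers a receiving MTA adds rather than re-verified, since no DNS or keys are available offline. The organizational domain is approximated as the last two labels; real receivers use the Public Suffix List, so co.uk-style domains need more than this.

```python
"""SPF and DKIM identifier alignment, evaluated the way a DMARC receiver does (constructed data)."""
import email
import email.utils
import re
from email import policy


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC alignment: strict ('s') needs an exact match with the From: domain,
    relaxed ('r', the default) only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def header_from_domain(msg):
    return email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2]


def spf_identity(msg):
    """(result, domain) SPF was evaluated against: the envelope MAIL FROM, as the receiver
    recorded it in Received-SPF ('pass (...: domain of user@dom designates ...)')."""
    m = re.match(r"\s*(\w+)\b.*?domain of\s+(?:[^\s@]+@)?([^\s;)]+)", str(msg.get("Received-SPF", "")), re.S)
    return (m.group(1).lower(), m.group(2).lower()) if m else (None, None)


def dkim_identities(msg):
    """[(d=, s=, result)] per DKIM-Signature; the verification result comes from the receiver's
    Authentication-Results header (RFC 8601 'dkim=pass header.d=...'), a signature alone proves nothing."""
    results = {}
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", str(ar)):
            results[m.group(2).lower()] = m.group(1).lower()
    sigs = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in str(sig).split(";") if "=" in t)
        d = tags.get("d", "").strip().lower()
        sigs.append((d, tags.get("s", "").strip(), results.get(d, "none")))
    return sigs


def dmarc_evaluate(raw_message, aspf="r", adkim="r"):
    """DMARC passes when SPF *or* DKIM passes AND that identifier aligns with the From: domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = header_from_domain(msg)
    spf_result, spf_dom = spf_identity(msg)
    spf_aligned = spf_result == "pass" and bool(spf_dom) and aligned(spf_dom, from_dom, aspf)
    dkim_aligned = any(r == "pass" and aligned(d, from_dom, adkim) for d, _, r in dkim_identities(msg))
    return {"from_domain": from_dom, "spf_domain": spf_dom, "spf_result": spf_result,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


def constructed_message(from_addr, mail_from, client_ip, dkim_d, dkim_s):
    """A constructed inbound message as the receiving MTA sees it after adding Received-SPF
    and Authentication-Results (sample data only; bh=/b= are placeholders, not real digests)."""
    return (
        f"Return-Path: <{mail_from}>\n"
        f"Received-SPF: pass (mx.example.net: domain of {mail_from} designates {client_ip}"
        f" as permitted sender) client-ip={client_ip};\n"
        f"Authentication-Results: mx.example.net; dkim=pass header.d={dkim_d} header.s={dkim_s}\n"
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={dkim_d}; s={dkim_s};\n"
        f" h=from:to:subject:date:message-id; bh=c29tZWhhc2g=; b=c29tZXNpZw==\n"
        f"From: {from_addr}\nTo: bob@example.net\nSubject: test\n\nbody\n"
    )


# The slide's "Good" case: envelope and header domains match and the org signs with its own key.
GOOD = constructed_message("alice@example.org", "alice@example.org", "2001:db8::d34", "example.org", "gca")
# The slide's "Fail" case: a marketing vendor sends with its own bounce domain and key.
# SPF passes for the vendor's domain, but nothing aligns with From:, so DMARC fails.
VENDOR_UNALIGNED = constructed_message("news@example.org", "bounce-42@mail.mailvendor.example",
                                       "203.0.113.58", "mailvendor.example", "k1")
# Same vendor after being given a selector under example.org (the CNAME-delegated key from the
# 3rd-party slide): SPF still does not align, but the DKIM d= does, which is enough for DMARC.
VENDOR_ALIGNED = constructed_message("news@example.org", "bounce-42@mail.mailvendor.example",
                                     "203.0.113.58", "example.org", "vendor1")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("vendor, own key", VENDOR_UNALIGNED), ("vendor, delegated key", VENDOR_ALIGNED)):
        print(label, dmarc_evaluate(raw))
```

The third message is the case that matters when you move from monitoring to enforcement: bulk senders almost always break SPF alignment because they use their own bounce domain, so getting them to sign with a selector under your domain is what keeps their mail passing DMARC.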
-
Next Webinars:
• DMARC Technical Details and Windows DNS – Sept 24th or Oct 1st
• DMARC Technical Details and BIND – Sept 25th or Oct 2nd
• DMARC Technical Details and Cloud DNS – Sept 26th or Oct 3rd
-
Bootcamp Resources
• Community Forum – https://community.globalcyberalliance.org/
• Bootcamp resource page – https://dmarc.globalcyberalliance.org/dmarc-bootcamp/
-
Q&A
-
Thank You!
Shehzad Mirza · [email protected]