Week 2 - SPF and DKIM · 2019. 9. 19.

TRANSCRIPT

  • Shehzad Mirza, Director of Operations

    [email protected]@globalcyberalliance.org

    Bootcamp

  • Bootcamp Plan and Upcoming Webinars

    • Weeks 1-2: Getting Started
      • Bootcamp introduction and DMARC overview
      • Overview of DMARC, SPF and DKIM

    • Weeks 3-4: Time to Implement!
      • Demonstrations on how to implement DMARC on Windows DNS, BIND and a cloud-based DNS provider
      • Participants should implement DMARC during these weeks

    • Weeks 5-6: Ongoing Management: Analyze, Review and Adjust
      • What to look for in DMARC reports and what needs to be adjusted before moving to an enforcement policy

  • Bootcamp Resources

    • Community Forum – https://community.globalcyberalliance.org/
    • Bootcamp resource page – https://dmarc.globalcyberalliance.org/dmarc-bootcamp/

  • Introduction to SPF and DKIM

  • Sender Policy Framework (SPF)

  • SPF: Sender Policy Framework

    • Defines which mail servers are authorized to send mail for the organization's domain
    • Uses the "envelope from" (RFC5321.MailFrom, visible to recipients as Return-Path) to determine the domain to check; when it is empty, as in bounces, the HELO/EHLO hostname is checked instead
    • Published as a TXT record in DNS
    • A domain can have only one SPF record; publishing two produces a permanent error (permerror), which no receiver counts as a pass

  • SPF

  • SPF DNS TXT Record

    • Basic:
      Name: <domain>, @, or left blank (depends on the DNS provider)
      Value: "v=spf1 mx -all"

    • Complex:
      Name: <domain>
      Value: "v=spf1 mx a:<hostname> include:<third-party domain> ip4:<address or CIDR> ~all"

  • SPF Tags

    • v=spf1 – the TXT record always begins with this. It defines the version of SPF being used; version 1 is the only version that exists
    • mx – if included, the domain's incoming mail servers (its MX hosts) are also authorized to send mail for the domain
    • a / a:<hostname> – authorizes the address in the A/AAAA record of the domain (or of the named host). Include it only when systems other than the mail servers send mail for the domain
    • include:<domain> – everything the named external domain's SPF record considers legitimate is legitimate for the organization's domain; this is how third-party senders are authorized. Only a "pass" from the included record counts (its own "all" term does not carry over), and each include costs one of the 10 allowed DNS lookups
    • ip4:<address> / ip6:<address> – authorizes an IP address or CIDR range directly; use this when only IP addresses are available. These terms cost no DNS lookup

  • SPF Tags (cont'd)

    • ptr – matches when the source IP's PTR (reverse DNS) name resolves back to the sending domain. Deprecated by RFC 7208: slow, unreliable, and not to be used
    • exists:<domain> – the existence of any valid A record for the specified domain allows the test to pass; mostly used together with macros
    • redirect=<domain> – evaluation continues with the SPF record of the defined domain. It only applies when no mechanism matched, so it is placed at the end of the policy
    • exp=<domain> – defines a DNS name whose TXT record text may be returned with any failure message
    • Macro expressions – complex and confusing; rarely needed

  • SPF 'all' tag

    • -all – Hard fail: only the domain's mail servers (and the hosts named in the a, ip4/ip6 and include terms) are allowed to send mail for the domain. All others are prohibited
    • ~all – Soft fail: mail from a server not in the policy is still accepted but marked as non-compliant. DMARC only counts an SPF "pass", so a softfail still fails DMARC's SPF check
    • ?all – Neutral: explicitly states that nothing can be said about validity
    • +all – Pass: any host can send mail for the domain. This should never be used

  • Example SPF Records

    • v=spf1 mx include:_spf.google.com -all
    • v=spf1 mx include:spf.protection.outlook.com -all
    • v=spf1 include:spf.protection.outlook.com ip4:161.11.10.20 -all

  • Items Needed for SPF

    • Access to the organization's public DNS
    • Determine whether MX records are being used
    • IP addresses or domains of systems sending on the organization's behalf
    • Whether 3rd-party vendors support SPF, and what needs to be added to your SPF record for them
    • Confirm SPF alignment (make sure the envelope sending domain is the organization's domain)

  • SPF Alignment

    Good:
      From: [email protected]
      Received-SPF: pass (google.com: domain of [email protected] designates 2607:f8b0:4864:20::d34 as permitted sender) client-ip=2607:f8b0:4864:20::d34;

    Fail (SPF itself passes, but the envelope domain is not the From: domain):
      From: [email protected]
      Return-Path: <[email protected]>
      Received-SPF: pass (google.com: domain of [email protected] designates 205.201.133.58 as permitted sender) client-ip=205.201.133.58;

    To achieve SPF alignment, the From: header domain must match the domain used to authenticate SPF (the envelope "MAIL FROM" / Return-Path domain). In DMARC's default relaxed mode the two only need to share the same organizational domain, so a subdomain aligns; in strict mode they must be identical.

  • SPF Alignment

  • Shortfalls

    • The recipient server must decide how to handle failed messages
    • Once implemented, there is no feedback mechanism: the sender cannot tell whether a message was rejected or bounced
    • If used alone, any other customer of the same hosting provider can still forge mail for the domain, because include: authorizes every sending address the provider uses
    • 10 DNS lookup limit: more than ten include, a, mx, ptr, exists and redirect terms in total cause a permerror
    • Does not validate the "header from" that the user sees; it uses the "envelope from" to determine the sending domain
    • Breaks on forwarding: a forwarding server is not in the original domain's policy

  • 10 Domain Lookup Work Around

    • SPF flattening: replace include/a/mx terms with the ip4/ip6 addresses they resolve to. Be extremely careful: provider addresses change, and a stale flattened record will start failing legitimate mail unless it is re-resolved regularly
    • Dynamic SPF: a hosted record that is kept within the limit for you; a capability provided by various DMARC vendors
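    The SPF rules from the slides above (one record per domain, the 10-lookup limit, what include: really authorizes, the danger of +all and ptr) can be checked mechanically before a record is published. The following Python script is an added example written for this page, not code from the Global Cyber Alliance bootcamp. It parses an SPF record, follows include: and redirect= through ZONE, a constructed in-memory table of TXT records (every domain and address in it is made up; a real tool would resolve TXT records with a DNS library), counts the DNS-querying terms and reports the problems covered above:

```python
"""SPF record sanity checker (added example, not GCA's code).

Parses an SPF TXT record, follows include: and redirect= into other
domains, counts the DNS-querying terms against the limit of 10 from
RFC 7208 section 4.6.4, and flags the mistakes the slides warn about.
DNS is replaced by ZONE, a constructed table of TXT records, so this
runs offline; a real tool would resolve TXT records with a DNS library.
"""

# Constructed zone. example.org uses its own MX/web host plus two third-party
# providers; the second provider's record nests deeply and ends in +all.
ZONE = {
    "example.org": ["v=spf1 mx a:web.example.org include:_spf.mailer.example include:spf.crm.example -all"],
    "_spf.mailer.example": ["v=spf1 include:_a.mailer.example include:_b.mailer.example include:_c.mailer.example ~all"],
    "_a.mailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mailer.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_c.mailer.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "spf.crm.example": ["v=spf1 include:_s1.crm.example include:_s2.crm.example ~all"],
    "_s1.crm.example": ["v=spf1 a mx ~all"],
    "_s2.crm.example": ["v=spf1 ptr:crm.example +all"],
    "two-records.example": ["v=spf1 mx -all", "v=spf1 a -all"],
}

DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each one costs a DNS lookup
QUALIFIERS = "+-~?"


def parse_spf(record):
    """Split a record into mechanism terms (qualifier, name, argument) and
    modifiers such as redirect= and exp=. Raises if it is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:   # name=value modifier
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # no qualifier means pass
        name, _, argument = term.lstrip(QUALIFIERS).partition(":")
        name = name.split("/")[0].lower()                       # drop a "/24"-style length on a or mx
        mechanisms.append((qualifier, name, argument))
    return mechanisms, modifiers


def count_lookups(domain, zone, seen=None):
    """Return (lookup count, findings) for a domain's record, following
    include: and redirect= the way a verifier would."""
    seen = set() if seen is None else seen
    findings = []
    records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return 0, [f"{domain}: no SPF record (an include: of it can never match)"]
    if len(records) > 1:
        return 0, [f"{domain}: {len(records)} SPF records -> permerror"]
    if domain in seen:
        return 0, [f"{domain}: already evaluated (loop or duplicate include)"]
    seen.add(domain)
    mechanisms, modifiers = parse_spf(records[0])
    count = 0
    for qualifier, name, argument in mechanisms:
        if name in DNS_MECHANISMS:
            count += 1
        if name == "ptr":
            findings.append(f"{domain}: ptr is deprecated by RFC 7208, avoid it")
        if name == "all" and qualifier == "+":
            # +all inside an included record makes that include: match every sender.
            findings.append(f"{domain}: +all lets any host pass")
        if name == "include":
            sub_count, sub_findings = count_lookups(argument, zone, seen)
            count, findings = count + sub_count, findings + sub_findings
    if "redirect" in modifiers:
        sub_count, sub_findings = count_lookups(modifiers["redirect"], zone, seen)
        count, findings = count + 1 + sub_count, findings + sub_findings
    return count, findings


def check_spf(domain, zone=ZONE):
    """Full check for one domain: total lookups, the 'all' qualifier, findings."""
    count, findings = count_lookups(domain, zone)
    records = zone.get(domain, [])
    all_qualifier = None
    if len(records) == 1 and records[0].lower().startswith("v=spf1"):
        mechanisms, _ = parse_spf(records[0])
        all_qualifier = next((q for q, name, _ in mechanisms if name == "all"), None)
        if all_qualifier is None:
            findings.append(f"{domain}: no 'all' term, unlisted senders get neutral")
    if count > 10:
        findings.append(f"{domain}: {count} DNS lookups, limit is 10 -> permerror")
    return {"lookups": count, "all": all_qualifier, "findings": findings}


if __name__ == "__main__":
    for domain in ("example.org", "two-records.example"):
        result = check_spf(domain)
        print(domain, result["lookups"], "lookups, all =", result["all"])
        for finding in result["findings"]:
            print("  -", finding)
```

    Running it against the constructed zone shows example.org at 12 lookups even though its own record has only four DNS-querying terms: the nested includes of the two providers are what blow the budget, which is exactly why flattening and dynamic SPF exist. It also surfaces the +all hidden two includes deep, which would make the whole record pass any sender on the internet.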

  • DomainKeys Identified Mail (DKIM)

  • DKIM: DomainKeys Identified Mail

    • Validates that a domain takes responsibility for a mail message by attaching a digital signature: the sending system signs selected headers and the body with a private key, and the receiver fetches the matching public key from DNS to verify the signature
    • Published as a TXT or CNAME record in DNS under <selector>._domainkey.<domain>
    • Can have more than one record (one per selector), so each sending system can sign with its own key

  • Generate DKIM Keys

    • Two keys: a private key (kept on the signing system) and a public key (published in DNS)
    • How the keys are generated depends on:
      • whether you use an external service for both mail and DNS (e.g. G Suite or O365)
      • whether the organization has its own email server or gateway

  • DKIM with 3rd Party Mail Providers and Marketing Systems

    • The mail provider will provide you with the public key, which is then published as a TXT or CNAME record in DNS
    • In some cases the mail provider will supply the full DNS TXT record
    • The private key is held by the mail provider and is typically not provided to the organization

  • DKIM with the Organization's Mail Server or Gateway

    • Some mail gateways will generate the DKIM keys (e.g. Cisco IronPort and Mimecast)
    • Linux: an open source project called OpenDKIM (http://www.opendkim.org/) is available; it contains various tools to assist with creating the DKIM key and for integrating DKIM signing into various mail systems
    • MS Exchange: dkim-exchange (GitHub)
    • Another option is to use OpenSSL to generate the DKIM keys:
      • Private key: openssl genrsa -out dkim-private.pem 2048
      • Public key: openssl rsa -in dkim-private.pem -pubout -outform PEM -out dkim-public.pem
      • 1024-bit keys are still common, but 2048 bits is the size RFC 8301 recommends. The p= value for DNS is the body of dkim-public.pem with the BEGIN/END lines and line breaks removed
    • Move the DKIM private key to the location specified by the DKIM installation, and make sure it is in a folder with restricted access (readable only by the signing service)

  • DKIM DNS TXT Record

    name: <selector>._domainkey.<domain>

    value: "k=rsa;p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l;"

  • DKIM Record Name

    • <selector> – the name of the DKIM key in DNS. Any name can be used before the ".", but it must have "_domainkey" after it
    • _domainkey – required
    • <domain> – may not be needed; many DNS provider interfaces append the zone name automatically

  • DKIM Tags

    • k=rsa – defines the key algorithm used
    • p= – the public key string (base64-encoded)
    • 1024 – most common key size; 2048 is recommended (RFC 8301). A 2048-bit p= value is longer than the 255 characters a single TXT string can hold, so it must be split into two quoted strings; check that your DNS provider accepts a value that long
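    To see how the p= value relates to the PEM file OpenSSL produces, and why the key size matters for the DNS record itself, here is an added Python example (not from the slides or from any of the tools they mention). It builds a dummy SubjectPublicKeyInfo of a chosen size standing in for the output of openssl rsa -pubout (constructed, not a real key), converts it to the p= string, reads the modulus size back out of the DER, and splits the TXT value into the 255-byte strings DNS requires. The selector "gca" and domain example.com are assumptions:

```python
"""DKIM public-key DNS record helper (added example, not GCA's code).

Turns an RSA public key in PEM (SubjectPublicKeyInfo) form into the p=
value of a DKIM TXT record, checks the modulus size from the DER, and
splits the record value into the <=255-byte strings DNS requires.
"""
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_uint(v):
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der(0x02, body)


def dummy_rsa_spki_pem(bits, e=65537):
    """CONSTRUCTED stand-in for `openssl rsa -pubout` output: a well-formed
    SubjectPublicKeyInfo whose modulus is simply 2**(bits-1) + 1. It has the
    right size and shape but is NOT a usable RSA key."""
    n = (1 << (bits - 1)) | 1
    rsa_public_key = _der(0x30, _der_uint(n) + _der_uint(e))               # SEQUENCE { n, e }
    algorithm = _der(0x30, RSA_OID + b"\x05\x00")                          # SEQUENCE { OID, NULL }
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))    # BIT STRING wraps the key
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_to_p(pem):
    """The DKIM p= value is the PEM body with the BEGIN/END lines and line breaks removed."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p):
    """Parse the SubjectPublicKeyInfo inside p= and return the modulus size in bits."""
    tag, spki, _ = _tlv(base64.b64decode(p), 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, algorithm, nxt = _tlv(spki, 0)
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _tlv(spki, nxt)
    _, rsa_public_key, _ = _tlv(bit_string, 1)   # skip the unused-bits octet
    _, modulus, _ = _tlv(rsa_public_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def build_dkim_txt_record(selector, domain, pem, min_bits=2048):
    """Return (owner name, list of TXT strings) for the public-key record.

    A single TXT string holds at most 255 bytes; a 2048-bit key gives a
    392-character p=, so the value is split and the resolver joins the
    strings back together on lookup. Keys below min_bits are rejected.
    """
    p = pem_to_p(pem)
    bits = rsa_modulus_bits(p)
    if bits < min_bits:
        raise ValueError(f"{bits}-bit key is below the {min_bits}-bit minimum")
    value = f"v=DKIM1; k=rsa; p={p}"
    strings = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}.", strings


if __name__ == "__main__":
    # Assumed selector and domain; the key is the constructed dummy above.
    name, strings = build_dkim_txt_record("gca", "example.com", dummy_rsa_spki_pem(2048))
    print(name, "IN TXT", " ".join(f'"{s}"' for s in strings))
```

    The same functions work on a real dkim-public.pem: read the file, pass its contents to build_dkim_txt_record, and paste the quoted strings into the zone. The v=DKIM1 tag is optional in RFC 6376 but recommended, which is why the builder adds it even though the slide's example record omits it.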

  • Items Needed for DKIM

    • Access to public DNS
    • Define a selector
    • A DKIM key generator and signing tool, either built into the mail server or email security gateway, or provided by the 3rd-party email provider
    • Whether 3rd-party vendors support DKIM, and what needs to be added to DNS for them (TXT or CNAME record)
    • Confirm DKIM alignment (make sure the signing domain, d=, is the organization's domain)

  • DKIM Alignment

    Message header:
      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalcyberalliance.org; s=gca; h=mime-version:references:in-reply-to:from:date:message-id:subject:to:cc;

    The d= tag names the signing domain and s= the selector used to look up the public key (here gca._domainkey.globalcyberalliance.org). For DKIM alignment the d= domain must match the From: header domain: the same organizational domain in relaxed mode, identical in strict mode.

  • Shortfalls

    • Does NOT define what to do if the signature is bad or good
    • No reporting mechanism
    • Does NOT determine whether the sending server is allowed to send outgoing mail for a specific domain: a valid signature only means the d= domain vouched for the message, and an attacker can sign with a domain they control
    • Leaves it to recipient filters to determine the authenticity of the message being sent
    • The recipient server must decide how to handle failed messages

  • DMARC

    Domain-based Message Authentication, Reporting & Conformance

    A policy that ties SPF and DKIM (the "A", Authentication) to the From: domain, states how strictly they must align and what receivers should do on failure at the policy level your organization chooses (the "C", Conformance), and adds a reporting feature (the "R", Reporting).

    The policy is published in DNS, as a TXT record at _dmarc.<domain>

  • DMARC with SPF and DKIM

    • Resolves most issues with SPF and DKIM
    • For domains using the same hosting provider, and for mail coming from the organization's own servers: implement both SPF and DKIM
    • DMARC utilizes the SPF and DKIM checks and requires at least one of them to pass and align with the From: domain
    • DMARC reports show who is sending as your domain and how that mail authenticated
    • DMARC indicates what to do with a message when neither check passes aligned (none, quarantine or reject)
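    The SPF Alignment and DKIM Alignment slides and this one describe how DMARC ties the three together. The following Python example is added here (not GCA's code) and evaluates identifier alignment for one constructed message: it takes the receiver's SPF and DKIM results as inputs (the SPF lookup and the cryptographic DKIM check are out of scope), derives the Return-Path and d= domains from the headers, and applies relaxed or strict alignment to reach a DMARC verdict. The organizational-domain function is a simplification that takes the last two labels; a real evaluator uses the Public Suffix List.

```python
"""Identifier alignment and DMARC verdict (added example, not from the GCA deck).

Takes one message's headers plus the SPF and DKIM results the receiver
already computed, works out whether the SPF domain (Return-Path) and the
DKIM signing domain (d=) align with the From: domain, and returns the
DMARC outcome. The message below is constructed.
"""
import re


def org_domain(domain):
    """Organizational domain. SIMPLIFICATION: last two labels. A real
    evaluator consults the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC alignment: 'r' (relaxed, the default) needs the same
    organizational domain, 's' (strict) needs an identical domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def header_domain(value):
    """Domain of the first address in a From: or Return-Path: value."""
    match = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return match.group(1).lower() if match else None


def parse_tags(value):
    """Parse a tag=value list such as a DKIM-Signature into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def parse_headers(raw):
    """Minimal header parser: unfolds continuation lines, stops at the body."""
    headers, last = {}, None
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[:1] in " \t" and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            last, value = line.split(":", 1)
            last = last.strip().lower()
            headers[last] = value.strip()
    return headers


def evaluate_dmarc(raw_message, spf_result, dkim_result, aspf="r", adkim="r"):
    """spf_result / dkim_result are the receiver's verdicts ('pass' or not).
    aspf / adkim are the alignment modes the domain owner set in its DMARC record."""
    headers = parse_headers(raw_message)
    from_domain = header_domain(headers.get("from"))
    spf_domain = header_domain(headers.get("return-path"))
    dkim_domain = parse_tags(headers.get("dkim-signature", "")).get("d")
    spf_aligned = spf_result == "pass" and bool(spf_domain) and aligned(spf_domain, from_domain, aspf)
    dkim_aligned = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, adkim)
    return {
        "from": from_domain,
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # DMARC passes when at least one authenticated identifier aligns.
        "dmarc": "pass" if spf_aligned or dkim_aligned else "fail",
    }


# Constructed message: a newsletter sent via a bulk provider. SPF passes for
# the provider's bounce domain (which does not align with From:), and the
# DKIM d= is a subdomain of the From: domain (aligns only in relaxed mode).
SAMPLE = """Return-Path: <bounce-123@mail.bulk-sender.example>
From: Newsletter <news@example.org>
To: someone@example.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=news.example.org;
 s=sel1; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==
Subject: Weekly update

(body)
"""

if __name__ == "__main__":
    print(evaluate_dmarc(SAMPLE, "pass", "pass"))             # dmarc: pass, via aligned DKIM
    print(evaluate_dmarc(SAMPLE, "pass", "pass", adkim="s"))  # dmarc: fail, strict d= mismatch
```

    This is the situation the "Fail" case on the SPF Alignment slide shows: SPF passes for the provider's own bounce domain, contributes nothing to DMARC, and the message only survives because the provider signs with a key under the customer's domain. Switching adkim to strict, or having the provider sign with its own d=, turns the same message into a DMARC failure.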

  • Next Webinars:

    • DMARC Technical Details and Windows DNS – Sept 24th or Oct 1st
    • DMARC Technical Details and BIND – Sept 25th or Oct 2nd
    • DMARC Technical Details and Cloud DNS – Sept 26th or Oct 3rd


  • Q&A

  • Thank You!

    Shehzad Mirza
    [email protected]
    [email protected]