12 July 2017

A brief on email anti-spoofing technologies: SPF, DKIM, DMARC, SIDF, DK, ADSP

For a few years I have been gradually exploring the mechanisms that protect email from spoofing. Here I briefly collect information about all the current standards, what each one does, and a worked example with one main domain and two subdomains. This is not a complete guide; please read the RFCs and the dedicated guides for each standard.

Standards

For each standard: acronym, definition, RFC, IETF status, short description.

SPF (Sender Policy Framework)
    RFC 7208, Standards Track
    Defines which servers may send mail for a domain and what receivers should do with mail that fails the check.
    Works with the RFC5321.MailFrom and HELO identities.

DKIM (DomainKeys Identified Mail)
    RFC 6376, Standards Track
    The sending domain signs the message with a private key; the receiver verifies the signature against a public key published in DNS, which identifies the signing domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)
    RFC 7489, Informational RFC (DMARC working group)
    Ties SPF and DKIM to the visible RFC5322.From domain (alignment), tells receivers what to do with mail that fails, and where to send reports.

SIDF (Sender ID Framework)
    RFC 4406, Experimental (2006)
    Analogue of SPF that checks the PRA identity derived from the RFC5322 headers (and optionally RFC5321.MailFrom).

ADSP (Author Domain Signing Practices)
    RFC 5617, Historic (2014)
    Extension to DKIM allowing a domain owner to state whether or not all outgoing mail is signed.

DK (DomainKeys)
    RFC 4870, Historic
    Predecessor of DKIM; superseded by DKIM (RFC 4871, now RFC 6376).



Conclusion: as of July 2017 you should deploy only SPF, DKIM and DMARC. SIDF, ADSP and DK are obsolete.

Example

Domains
example.com
one.example.com
two.example.com
www.example.com
Website: example.com and www.example.com.
Send and receive emails: example.com, one.example.com and two.example.com.
Mail servers
ms1.example.com
ms2.example.com
Turn on SPF, DKIM and DMARC checking for incoming mail.
Turn on sending of DMARC aggregate reports.
Configure DKIM signing of all outgoing mail (d=example.com; selector=mail; canonicalization=relaxed/relaxed; 2048-bit RSA key).
DNS MX records
example.com.     IN MX 10 ms1.example.com.
example.com.     IN MX 20 ms2.example.com.
one.example.com. IN MX 10 ms1.example.com.
one.example.com. IN MX 20 ms2.example.com.
two.example.com. IN MX 10 ms1.example.com.
two.example.com. IN MX 20 ms2.example.com.
MX records for all three mail domains. The preference value (10, 20) comes before the host name; the lowest value is tried first.
DNS SPF records
example.com. IN TXT "v=spf1 +mx -all"
"+mx" means that only the hosts listed in the domain's MX records may send mail for it ("+" is the default qualifier, so "mx -all" is equivalent).
"-all" means that the receiver should treat mail from any other host as a hard fail and reject it.
one.example.com. IN TXT "v=spf1 redirect=example.com"
two.example.com. IN TXT "v=spf1 redirect=example.com"
The redirect modifier makes the subdomain records evaluate exactly as the record of example.com, so there is only one record to maintain. Note that with redirect the "mx" mechanism is evaluated against the MX hosts of example.com, which is what we want here.
ms1.example.com. IN TXT "v=spf1 a -all"
ms2.example.com. IN TXT "v=spf1 a -all"
These records are needed to pass the check on the HELO/EHLO identity, which receivers evaluate separately from RFC5321.MailFrom; "a" allows only the host's own address.
*.example.com.   IN TXT "v=spf1 -all"
www.example.com. IN TXT "v=spf1 -all"
The wildcard record covers every subdomain name that does not exist in DNS. A wildcard never matches a name that does exist (www.example.com has an A record), so every existing non-mail name needs its own "v=spf1 -all" record.
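To see how a receiver actually walks these records, here is a small SPF evaluator written for this post (it is an added example, not code from the original article or from any SPF library). It works against an in-memory copy of the zone above, so it runs offline; the extra name loop.example.net and all IP addresses are constructed for the example. It handles the qualifiers, the a/mx/ip4/include mechanisms, the redirect modifier, the wildcard rule (a wildcard only answers for names that do not exist) and the limit of 10 DNS-querying terms from RFC 7208 section 4.6.4, which the self-including loop record trips.

```python
import ipaddress

# Constructed in-memory zone mirroring the records in this post. Everything under
# example.net is an extra assumption, added only to show the lookup-limit failure.
ZONE = {
    "example.com":      {"MX": ["ms1.example.com", "ms2.example.com"],
                         "TXT": ["v=spf1 +mx -all"]},
    "one.example.com":  {"MX": ["ms1.example.com", "ms2.example.com"],
                         "TXT": ["v=spf1 redirect=example.com"]},
    "two.example.com":  {"MX": ["ms1.example.com", "ms2.example.com"],
                         "TXT": ["v=spf1 redirect=example.com"]},
    "ms1.example.com":  {"A": ["192.0.2.10"], "TXT": ["v=spf1 a -all"]},
    "ms2.example.com":  {"A": ["192.0.2.20"], "TXT": ["v=spf1 a -all"]},
    "www.example.com":  {"A": ["192.0.2.80"], "TXT": ["v=spf1 -all"]},
    "*.example.com":    {"TXT": ["v=spf1 -all"]},
    "loop.example.net": {"TXT": ["v=spf1 include:loop.example.net -all"]},  # self-include
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: DNS-querying terms allowed per check


class TooManyLookups(Exception):
    pass


class LookupCounter:
    def __init__(self):
        self.n = 0

    def bump(self):
        self.n += 1
        if self.n > MAX_LOOKUPS:
            raise TooManyLookups(f"more than {MAX_LOOKUPS} DNS-querying terms")


def dns(name, rtype):
    """Return records of one type. The wildcard *.parent is consulted only when the
    exact name does not exist at all (RFC 4592), which is why www.example.com, which
    has an A record, needs its own SPF record. Single-label wildcards only."""
    if name in ZONE:
        return ZONE[name].get(rtype, [])
    parent = name.partition(".")[2]
    return ZONE.get("*." + parent, {}).get(rtype, [])


def check_host(ip, domain, counter):
    """RFC 7208 check_host() for one identity, reduced to the mechanisms used here."""
    records = [t for t in dns(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # two SPF records is a hard error, not a merge
    redirect = None
    for term in records[0].split()[1:]:
        qualifier = "+"             # "+" is the default, so "mx" means "+mx"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("redirect="):
            redirect = term.partition("=")[2]   # used only if no mechanism matches
            continue
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            counter.bump()          # each of these costs one DNS-querying term
            target = arg or domain
            hosts = [target] if mech == "a" else dns(target, "MX")
            matched = any(str(ip) in dns(h, "A") for h in hosts)
        elif mech == "include":
            counter.bump()
            matched = check_host(ip, arg, counter) == "pass"
        else:
            return "permerror"      # unknown mechanism
        if matched:
            return RESULT[qualifier]
    if redirect:
        counter.bump()
        return check_host(ip, redirect, counter)
    return "neutral"


def evaluate(ip, domain):
    try:
        return check_host(ip, domain, LookupCounter())
    except TooManyLookups:
        return "permerror"


def spf_check(client_ip, helo, mail_from_domain):
    """Evaluate both identities a receiver checks: HELO/EHLO and RFC5321.MailFrom."""
    ip = ipaddress.ip_address(client_ip)
    return {"helo": evaluate(ip, helo), "mailfrom": evaluate(ip, mail_from_domain)}


if __name__ == "__main__":
    print(spf_check("192.0.2.10", "ms1.example.com", "one.example.com"))
    print(spf_check("198.51.100.7", "mail.attacker.example", "nonexistent.example.com"))
```

The second call shows the wildcard at work: nonexistent.example.com has no record of its own, so "*.example.com" answers with "-all" and the forged MailFrom fails, while www.example.com fails through its own explicit record even when the client is the web server's address.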
DNS DKIM records
mail._domainkey.example.com. IN TXT "k=rsa; p=MIIBI..."
"mail" is the selector. The name may be anything, but it must match the selector configured for DKIM on the mail server. Adding "v=DKIM1;" at the start of the record is recommended by RFC 6376 but optional.
"p=..." is the public key used to verify the signature of a message. Generate the public/private key pair yourself or obtain it from your mail provider; an empty "p=" means the key has been revoked.
Because the servers sign all mail with d=example.com, this single key serves example.com, one.example.com and two.example.com: the default relaxed DKIM alignment in DMARC (adkim=r) accepts a signing domain that shares the organizational domain with the From address. With strict alignment (adkim=s) each subdomain would need its own key and signatures with d=one.example.com and d=two.example.com.
_domainkey.example.com. IN TXT "o=-"
"o=-" is a legacy DomainKeys (DK) policy record stating that all mail from the domain is signed. DKIM itself has no such policy record (that role passed to ADSP and then to DMARC), so current verifiers ignore it; publishing it is harmless but not required.
DNS DMARC records
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-rua@example.com"
"p=reject; sp=reject" tells receivers to reject mail that fails DMARC, for the domain itself (p) and for its subdomains (sp, used when the subdomain has no _dmarc record of its own; it defaults to the value of p).
To start with DMARC, publish "p=none; sp=none" first, collect reports, and only then tighten to quarantine and finally reject once all legitimate mail authenticates and aligns.
"fo=1" asks for a failure report when either SPF or DKIM fails (the default fo=0 reports only when both fail). It affects only failure reports, which go to a "ruf=" address; since this record has no ruf=, the tag has no effect here. Aggregate reports are generated regardless of fo.
"rua=mailto:dmarc-rua@example.com" tells receivers where to send the aggregate reports for the domain.
one.example.com._report._dmarc.example.com. IN TXT "v=DMARC1"
two.example.com._report._dmarc.example.com. IN TXT "v=DMARC1"
These are external report destination verification records (RFC 7489 section 7.1). A receiver requires <policy-domain>._report._dmarc.<destination-domain> only when the report address is in a different organizational domain from the domain that published the DMARC record. Here dmarc-rua@example.com shares the organizational domain with example.com, so these records are not required (they are harmless). If reports were sent to a third party, the verification record would have to be published in the third party's zone (example.com._report._dmarc.<third-party-domain>), not in yours.
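The following evaluator is an added example (not code from the original post or from any DMARC implementation) showing how a receiver applies the records above: the fallback from _dmarc.one.example.com to the organizational domain, when sp= rather than p= applies, relaxed versus strict alignment for a signature with d=example.com, and the report destination check of RFC 7489 section 7.1. The same tag=value parser also validates the DKIM key record. The zone is an in-memory copy of the post's records; the vendor domain dmarc-vendor.example, the attacker.example domain and the placeholder key are constructed assumptions, and the organizational domain is approximated as the last two labels (real verifiers use the Public Suffix List).

```python
# Constructed in-memory zone: the DMARC records from this post plus assumed extras.
ZONE = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-rua@example.com"],
    "one.example.com._report._dmarc.example.com": ["v=DMARC1"],
    "two.example.com._report._dmarc.example.com": ["v=DMARC1"],
    # Assumed: a third-party vendor zone authorising reports about example.com (RFC 7489 s7.1).
    "example.com._report._dmarc.dmarc-vendor.example": ["v=DMARC1"],
    # Placeholder, not a real key. An empty p= would mean the key is revoked.
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
}


def dns_txt(name):
    return ZONE.get(name, [])


def parse_tags(record):
    """Parse the 'tag=value;' syntax shared by DKIM key records and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain):
    """Organizational Domain. Assumption: the last two labels; real verifiers use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 'r' (relaxed) needs the same Organizational Domain,
    's' (strict) needs exactly the same domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def lookup_dmarc(from_domain):
    """RFC 7489 s6.6.3: try _dmarc.<From domain>, then _dmarc.<Organizational Domain>."""
    for dom in dict.fromkeys([from_domain, org_domain(from_domain)]):
        recs = [t for t in dns_txt(f"_dmarc.{dom}") if t.startswith("v=DMARC1")]
        if len(recs) == 1:
            return parse_tags(recs[0]), dom
    return None, None


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results):
    """from_domain: RFC5322.From domain; spf_domain: domain SPF was evaluated for
    (RFC5321.MailFrom, or HELO for a null sender); dkim_results: (result, d=) per
    signature. pct= is not modelled because the post's record does not use it."""
    from_domain = from_domain.lower()
    rec, policy_domain = lookup_dmarc(from_domain)
    if rec is None:
        return {"result": "none", "disposition": "none", "applied": None}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, rec.get("adkim", "r"))
                  for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "applied": None}
    # sp= applies only when a subdomain fell back to the Organizational Domain's record.
    if policy_domain != from_domain and "sp" in rec:
        return {"result": "fail", "disposition": rec["sp"], "applied": "sp"}
    return {"result": "fail", "disposition": rec.get("p", "none"), "applied": "p"}


def report_destination_ok(policy_domain, rua_uri):
    """RFC 7489 s7.1: an address in another Organizational Domain receives reports
    only if <policy-domain>._report._dmarc.<destination> publishes v=DMARC1."""
    dest = rua_uri.partition("@")[2]
    if org_domain(dest) == org_domain(policy_domain):
        return True    # same organization: no verification record needed
    return any(t.startswith("v=DMARC1")
               for t in dns_txt(f"{policy_domain}._report._dmarc.{dest}"))


def dkim_key_usable(selector, domain):
    """The key record must be unique, be v=DKIM1 if v is present, use k=rsa and carry a key."""
    recs = dns_txt(f"{selector}._domainkey.{domain}")
    if len(recs) != 1:
        return False
    tags = parse_tags(recs[0])
    return (tags.get("v", "DKIM1") == "DKIM1" and tags.get("k", "rsa") == "rsa"
            and bool(tags.get("p")))


if __name__ == "__main__":
    print(evaluate_dmarc("one.example.com", "fail", "attacker.example", [("pass", "attacker.example")]))
    print(report_destination_ok("example.com", "mailto:dmarc-rua@example.com"))
```

The third scenario in the tests is the one the record is written for: a forged From at one.example.com with a valid but unaligned DKIM signature still fails, and because one.example.com inherited the organizational domain's record, sp=reject rather than p=reject is what the receiver applies.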

Tips

  • An SPF check may perform at most 10 DNS-querying mechanisms and modifiers (include, a, mx, ptr, exists, redirect) in total; exceeding this yields permerror (RFC 7208 section 4.6.4). To check your record you may use SPF Survey by Dmarcian.
  • Publish SPF only as a TXT record; the dedicated SPF record type (99) was deprecated by RFC 7208.
  • Don't forget:
    1. Enable SPF, DKIM and DMARC checking of incoming mail on the front-end (Internet-facing) mail servers. This reduces the amount of spam and spoofed mail.
    2. Enable DKIM signing of all outgoing mail on the mail server (preferably the front-end).
    3. Create a dedicated mailbox for receiving DMARC reports.
    4. Analyze the DMARC reports yourself or with an online service. They show who is sending mail as your domain, which legitimate sources still fail, and how to tighten your anti-spoofing defence.
  • Wildcard records protect only non-existent subdomains, so every existing name (www, support, etc.) needs its own record. More details on Wikipedia and in RFC 1034.
  • I recommend reading the best SPF/DKIM/DMARC presentation I have ever seen, "Email-Authentication-Basics-2015Q2", and the "How to Combat Fake Emails" article from the Australian Cyber Security team.
