Over the past few years I have been gradually exploring the mechanisms that protect email against spoofing. Here I briefly collect information about the current standards and what each one does, followed by a worked example with one main domain and two subdomains. This is not a complete guide; please read the RFCs and the dedicated guides for each standard.
Standards
Acronym | Definition | IETF Status | Short description
--- | --- | --- | ---
SPF | Sender Policy Framework | Standards Track RFC | Lets a domain owner publish which servers may send mail for the domain and what receivers should do with mail from anywhere else. Checked against the RFC5321.MailFrom and HELO/EHLO identities.
DKIM | DomainKeys Identified Mail | Standards Track RFC | The sending server signs the message with the domain's private key; the receiver fetches the matching public key from DNS and verifies the signature, which ties the message to the signing domain.
DMARC | Domain-based Message Authentication, Reporting, and Conformance | Informational RFC, Working Group | Policy layer on top of SPF and DKIM: requires that the domain authenticated by SPF or DKIM align with the RFC5322.From domain, tells receivers what to do with mail that fails, and adds reporting back to the domain owner.
SIDF | Sender ID Framework | Experimental (2006) | Analogue of SPF that checks the RFC5321.MailFrom identity and the RFC5322.From-based PRA (Purported Responsible Address).
ADSP | Author Domain Signing Practices | Historic (2014) | Extension to DKIM that let a domain owner state whether all of its outgoing mail is signed.
DK | DomainKeys | Historic | Predecessor of DKIM; superseded by DKIM (RFC 4871).
Conclusion: as of July 2017 you should deploy only SPF, DKIM and DMARC. SIDF, ADSP and DK are obsolete.
Example
Domains
  example.com
  one.example.com
  two.example.com
  www.example.com
Website: example.com and www.example.com. Sending and receiving mail: example.com, one.example.com and two.example.com.

Mail servers
  ms1.example.com
  ms2.example.com
Enable SPF, DKIM and DMARC checking for incoming mail, and enable sending DMARC aggregate reports. Sign all outgoing mail with DKIM (domain=example.com; selector=mail; canonicalization=relaxed/relaxed; key=2048 bit). Because every message is signed with d=example.com, mail from the two subdomains still passes DMARC under the default relaxed DKIM alignment.

DNS MX records
  example.com.      IN MX 10 ms1.example.com.
  example.com.      IN MX 20 ms2.example.com.
  one.example.com.  IN MX 10 ms1.example.com.
  one.example.com.  IN MX 20 ms2.example.com.
  two.example.com.  IN MX 10 ms1.example.com.
  two.example.com.  IN MX 20 ms2.example.com.
MX records for all three mail domains; the number is the preference, and the lower value is tried first.
DNS SPF records
  example.com.  IN TXT "v=spf1 +mx -all"
"mx" authorizes exactly the hosts listed in the domain's MX records to send mail for it ("+" is the default qualifier and may be omitted). "-all" tells the receiving system that mail from any other source fails SPF and should be rejected.

  one.example.com.  IN TXT "v=spf1 redirect=example.com"
  two.example.com.  IN TXT "v=spf1 redirect=example.com"
The redirect modifier makes the subdomains evaluate the main domain's record, so there is a single place to maintain.

  ms1.example.com.  IN TXT "v=spf1 a -all"
  ms2.example.com.  IN TXT "v=spf1 a -all"
These records are needed for the HELO/EHLO identity check: receivers evaluate SPF for the host name given in HELO, and "a" authorizes the address that name resolves to.

  *.example.com.    IN TXT "v=spf1 -all"
  www.example.com.  IN TXT "v=spf1 -all"
The wildcard gives every non-existent subdomain a "sends no mail" policy, so a message claiming to come from random.example.com fails SPF. A wildcard never matches a name that already exists (RFC 1034), so www.example.com, which has an A record, needs its own explicit record; the same applies to any other existing subdomain that does not send mail.
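To see how a receiver actually evaluates the records above, here is a small SPF evaluator (an added example, not code from the original post) running against an in-memory copy of this zone. The server addresses are assumed (RFC 5737 documentation ranges) and a real deployment would use a library such as pyspf; the point is to show the mx and redirect handling, the HELO check against the ms1/ms2 records, why the wildcard does not cover www.example.com, and the 10-lookup limit mentioned under Tips.

```python
"""Minimal SPF (RFC 7208) evaluator over an in-memory zone (added example).

The zone mirrors the article's records; server addresses are assumed
(RFC 5737 ranges). Supports a, mx, ip4/ip6, include, all and redirect=,
enforces the 10-lookup limit, and applies RFC 1034 wildcard rules.
"""
import ipaddress

MX = [(10, "ms1.example.com."), (20, "ms2.example.com.")]
ZONE = {  # constructed zone; MX values are (preference, host)
    "example.com.":     {"A": ["198.51.100.10"], "MX": MX, "TXT": ["v=spf1 +mx -all"]},
    "www.example.com.": {"A": ["198.51.100.10"], "TXT": ["v=spf1 -all"]},
    "one.example.com.": {"MX": MX, "TXT": ["v=spf1 redirect=example.com"]},
    "two.example.com.": {"MX": MX, "TXT": ["v=spf1 redirect=example.com"]},
    "ms1.example.com.": {"A": ["203.0.113.1"], "TXT": ["v=spf1 a -all"]},
    "ms2.example.com.": {"A": ["203.0.113.2"], "TXT": ["v=spf1 a -all"]},
    "*.example.com.":   {"TXT": ["v=spf1 -all"]},
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: include, a, mx, ptr, exists, redirect
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Malformed record, missing include/redirect target, or too many lookups."""


def dns(zone, name, rtype):
    """Records of `rtype` for `name`. An existing name never falls through to a
    wildcard; *.parent applies only if no closer ancestor exists (RFC 1034)."""
    name = name.lower() if name.endswith(".") else name.lower() + "."
    if name in zone:
        return list(zone[name].get(rtype, []))
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if "*." + ancestor in zone:
            return list(zone["*." + ancestor].get(rtype, []))
        if ancestor in zone:
            break
    return []


def check_host(zone, ip, domain, budget=None):
    """SPF result for a connection from `ip` using `domain` as the
    RFC5321.MailFrom domain (or the HELO name for the HELO check)."""
    budget = [0] if budget is None else budget  # lookup counter shared by recursion
    ip = ipaddress.ip_address(ip)

    def spend():
        budget[0] += 1
        if budget[0] > LOOKUP_LIMIT:
            raise PermError("too many DNS lookups")

    try:
        records = [t for t in dns(zone, domain, "TXT") if t.split(" ")[0] == "v=spf1"]
        if len(records) > 1:
            raise PermError("multiple SPF records")
        if not records:
            return "none"
        redirect = None
        for term in records[0].split()[1:]:
            qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
            mech, _, arg = term.lower().partition(":")
            if mech.startswith("redirect="):
                redirect = mech.split("=", 1)[1]
                continue
            if "=" in mech:  # other modifiers (exp=) are ignored
                continue
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                spend()
                matched = str(ip) in dns(zone, arg or domain, "A")
            elif mech == "mx":
                spend()  # the A lookups per MX host do not count toward the limit
                matched = any(str(ip) in dns(zone, h, "A") for _, h in dns(zone, arg or domain, "MX"))
            elif mech == "include":
                spend()
                inner = check_host(zone, str(ip), arg, budget)
                if inner in ("none", "permerror"):
                    raise PermError("include:" + arg + " gave " + inner)
                matched = inner == "pass"
            else:
                raise PermError("unknown mechanism " + mech)
            if matched:
                return QUALIFIERS[qual]
        if redirect is not None:
            spend()
            result = check_host(zone, str(ip), redirect, budget)
            if result == "none":
                raise PermError("redirect target has no SPF record")
            return result
        return "neutral"
    except PermError:
        return "permerror"


def www_without_own_record():
    """If www.example.com had no TXT, the wildcard would not apply (the name
    exists because of its A record) and the result is 'none', not 'fail'."""
    zone = dict(ZONE, **{"www.example.com.": {"A": ["198.51.100.10"]}})
    return check_host(zone, "192.0.2.1", "www.example.com")


def include_chain(n):
    """Record reaching -all after `n` nested includes: 10 is allowed, 11 is permerror."""
    zone = {f"c{i}.test.": {"TXT": [f"v=spf1 include:c{i + 1}.test -all"]} for i in range(n)}
    zone[f"c{n}.test."] = {"TXT": ["v=spf1 -all"]}
    return check_host(zone, "192.0.2.1", "c0.test")


if __name__ == "__main__":
    for ip, dom in [("203.0.113.1", "one.example.com"), ("192.0.2.1", "two.example.com"),
                    ("203.0.113.1", "ms1.example.com"), ("192.0.2.1", "random.example.com")]:
        print(dom, ip, check_host(ZONE, ip, dom))
    print("www without record:", www_without_own_record(), "| 11 includes:", include_chain(11))
```

Run it as a script to see the four identities from the article evaluated; `www_without_own_record()` shows the trap with wildcards, and `include_chain(11)` shows a record that is silently ignored because it exceeds the lookup limit.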
DNS DKIM records
  mail._domainkey.example.com.  IN TXT "k=rsa; p=MIIBI..."
"mail" is the selector. The name is arbitrary but must match the selector configured on the mail server, because receivers build the query name as <selector>._domainkey.<signing domain>. "p=" is the public key used to verify the signature; generate the key pair yourself (for example with openssl) or obtain it from an online service. RFC 6376 recommends starting the record with "v=DKIM1;". Since all servers sign with d=example.com, this single key record covers mail from all three domains.

  _domainkey.example.com.  IN TXT "o=-;"
"o=-" means all mail from this domain is signed. Note that this is the policy record of the older DomainKeys standard (RFC 4870), not part of DKIM; DKIM itself has no policy record, and DMARC below now fills that role. The record is harmless but optional.
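What the relaxed/relaxed setting from the server configuration does before anything is hashed, as an added example (not code from the original post): header and body canonicalization per RFC 6376 section 3.4, the resulting bh= value, parsing of the tag=value records, and the query name built from the selector. The message is constructed; the RSA signature over the header hash (b=) is left to a real DKIM library.

```python
"""DKIM relaxed/relaxed canonicalization and body hash (added example).

Only the bh= computation is shown; the RSA signature (b=) needs a DKIM library.
The message below is constructed.
"""
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP runs to one
    space, drop empty trailing lines, make a non-empty body end in CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim WSP
    return f"{name.strip().lower()}:{value}\r\n"


def body_hash(body: bytes) -> str:
    """The bh= tag: base64(SHA-256) over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_tag_list(text: str) -> dict:
    """tag=value list used by DKIM-Signature headers and _domainkey records;
    folding whitespace inside a value (a wrapped p= key) is not significant."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def key_record_name(selector: str, domain: str) -> str:
    """DNS name the receiver queries: <s=>._domainkey.<d=>."""
    return f"{selector}._domainkey.{domain}"


def verify_body_hash(message: bytes, signature_tags: dict) -> bool:
    """Recompute bh= over the message body and compare with the signature's value."""
    _, _, body = message.partition(b"\r\n\r\n")
    return body_hash(body) == signature_tags.get("bh")


# Constructed message as signed by the sender, a copy after a relay re-wrapped
# whitespace (allowed under relaxed canonicalization), and a tampered copy.
ORIGINAL = (b"From: Alice <alice@one.example.com>\r\nSubject: Hello\r\n\r\n"
            b"Hello   World \r\n\r\n\r\n")
REWRAPPED = ORIGINAL.replace(b"Hello   World \r\n", b"Hello World\r\n")
TAMPERED = ORIGINAL.replace(b"World", b"Money")

SIGNATURE = parse_tag_list(
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; h=from:subject; "
    "bh=" + body_hash(ORIGINAL.partition(b"\r\n\r\n")[2]) + "; b=")

if __name__ == "__main__":
    print("key record:", key_record_name(SIGNATURE["s"], SIGNATURE["d"]))
    print("canonical body:", relaxed_body(ORIGINAL.partition(b"\r\n\r\n")[2]))
    for label, msg in [("original", ORIGINAL), ("rewrapped", REWRAPPED), ("tampered", TAMPERED)]:
        print(label, "bh matches:", verify_body_hash(msg, SIGNATURE))
```

The rewrapped copy still matches because relaxed canonicalization normalizes whitespace on both sides; the tampered copy does not. This is the trade-off behind choosing relaxed over simple: it survives common mangling by relays and list software at the cost of not detecting whitespace-only changes.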
DNS DMARC records
  _dmarc.example.com.  IN TXT "v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-rua@example.com"
"p=reject" is the policy for example.com itself and "sp=reject" the policy for its subdomains (one.example.com and two.example.com publish no _dmarc record of their own, so receivers fall back to this one): mail that passes neither aligned SPF nor aligned DKIM should be rejected. When you first deploy DMARC, start with "p=none; sp=none" and tighten only after the reports show that all legitimate mail passes. "fo=1" asks for a failure report whenever either SPF or DKIM fails rather than only when both do; failure reports are sent only to a "ruf=" address, so without a "ruf=" tag this option has no effect. "rua=mailto:dmarc-rua@example.com" tells receivers where to send the aggregate reports for the domain.

  one.example.com._report._dmarc.example.com.  IN TXT "v=DMARC1"
  two.example.com._report._dmarc.example.com.  IN TXT "v=DMARC1"
These are external-destination authorization records (RFC 7489 section 7.1). Receivers consult them only when the organizational domain of the report address differs from the organizational domain that publishes the policy; here both are example.com, so these two records are harmless but not required. They matter in the other direction: if you send reports to a third-party service, that service must publish example.com._report._dmarc.<service domain> or receivers will not deliver your reports there.
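How a receiver turns this record into a disposition for mail from the main domain and its subdomains, as an added example (not code from the original post). Authentication results are supplied by hand instead of coming from real SPF and DKIM checks, the organizational domain is derived from a constructed two-entry suffix list rather than the Public Suffix List, and pct= sampling is not modelled.

```python
"""DMARC (RFC 7489) policy discovery, identifier alignment and disposition
(added example). Uses the article's _dmarc.example.com record."""

PUBLIC_SUFFIXES = {"com", "co.uk"}  # constructed; production code loads the PSL

DMARC_RECORDS = {  # the article's record; the subdomains publish none of their own
    "_dmarc.example.com":
        "v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-rua@example.com",
}
STRICT_RECORDS = {  # variant with strict DKIM alignment, for comparison
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s",
}


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict (keys lowercased, empty parts skipped)."""
    return {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in record.split(";")) if k.strip()}


def org_domain(domain: str) -> str:
    """Organizational domain: one label more than the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def find_policy(records, from_domain):
    """Return (tags, effective policy). A subdomain with no record of its own
    inherits the organizational domain's record and uses its sp= policy."""
    rec = records.get("_dmarc." + from_domain)
    if rec is not None:
        tags = parse_tags(rec)
        return tags, tags.get("p", "none")
    org = org_domain(from_domain)
    rec = records.get("_dmarc." + org) if org != from_domain else None
    if rec is None:
        return None, None
    tags = parse_tags(rec)
    return tags, tags.get("sp", tags.get("p", "none"))


def aligned(from_domain, auth_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) the same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate(records, from_domain, spf_domain=None, spf_result="none", dkim_results=()):
    """Return (dmarc_result, disposition). `from_domain` is the RFC5322.From
    domain, `spf_domain` the RFC5321.MailFrom domain with its SPF result, and
    `dkim_results` an iterable of (d= domain, result), one per signature."""
    tags, policy = find_policy(records, from_domain)
    if tags is None:
        return "none", "none"  # no DMARC record found: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for d, res in dkim_results)
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", policy)


if __name__ == "__main__":
    cases = [
        ("own server, SPF aligned", "example.com", "example.com", "pass", ()),
        ("subdomain, DKIM d=example.com", "one.example.com", None, "none", [("example.com", "pass")]),
        ("subdomain, nothing passes", "one.example.com", None, "none", ()),
        ("SPF passes for attacker's MailFrom", "example.com", "attacker.example", "pass", ()),
    ]
    for label, frm, spfd, spfr, dkim in cases:
        print(f"{label}: {evaluate(DMARC_RECORDS, frm, spfd, spfr, dkim)}")
```

The last case is the one SPF alone cannot catch: the envelope sender's domain passes SPF, but it is not aligned with the From header the user sees, so DMARC fails and the p=reject policy applies. Under the strict variant, signing subdomain mail with d=example.com is no longer enough.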
Tips
- Be aware that evaluating an SPF record may trigger at most 10 DNS lookups in total (include, a, mx, ptr, exists and redirect count; ip4, ip6 and all do not). Exceeding the limit yields permerror, and the record is effectively ignored. To check your SPF record you may use SPF Survey by Dmarcian.
- Publish SPF only as a TXT record; the dedicated SPF record type (type 99) was declared obsolete by RFC 7208.
- Don't forget:
  - SPF, DKIM and DMARC checks for incoming mail must be enabled on the front-end (internet-facing) mail servers. This also reduces the amount of spam.
  - DKIM signing of all outgoing mail must be enabled on the mail servers, preferably on the front-end servers so that nothing leaves unsigned.
  - Create a dedicated mailbox for receiving DMARC reports.
  - Analyze the DMARC reports yourself or with an online service. They show who is sending mail with your domain, which legitimate sources you forgot to authorize, and where your anti-spoofing setup can be tightened.
- Wildcard records cover only non-existent subdomains, so every existing subdomain that does not send mail (www, support, etc.) needs its own "v=spf1 -all" record. More details on Wikipedia and in RFC 1034.
- I recommend reading the best SPF/DKIM/DMARC presentation I have ever seen, "Email-Authentication-Basics-2015Q2", and the "How to Combat Fake Emails" article from the Australian Cyber Security team.
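A minimal reader for the aggregate (rua) reports that arrive in the DMARC mailbox, as an added example (not code from the original post). The XML is a constructed report in the RFC 7489 Appendix C format; real reports come as gzip or zip attachments that must be extracted first, and the set of known server addresses is assumed.

```python
"""Summarize a DMARC aggregate (rua) report (added example, constructed data)."""
import xml.etree.ElementTree as ET

# Constructed report in the RFC 7489 Appendix C format: one legitimate source
# and one host trying to send as one.example.com.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1499385600</begin><end>1499471999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.1</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>mail</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.77</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>one.example.com</header_from></identifiers>
    <auth_results><spf><domain>spoof.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

OUR_SERVERS = {"203.0.113.1", "203.0.113.2"}  # assumed addresses of ms1/ms2


def parse_report(xml_text):
    """Flatten a report into metadata plus one dict per <record>."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": row.findtext("policy_evaluated/disposition"),
            "dkim": row.findtext("policy_evaluated/dkim"),
            "spf": row.findtext("policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


def totals_by_disposition(report):
    """Message counts per disposition, e.g. {'none': 120, 'reject': 3}."""
    out = {}
    for r in report["rows"]:
        out[r["disposition"]] = out.get(r["disposition"], 0) + r["count"]
    return out


def unknown_sources(report, known_ips):
    """Rows from hosts that are not our servers: spoofers, or legitimate
    senders (a newsletter service, a ticket system) not yet authorized."""
    return [r for r in report["rows"] if r["source_ip"] not in known_ips]


REPORT = parse_report(SAMPLE_REPORT)

if __name__ == "__main__":
    print(REPORT["reporter"], "reported on", REPORT["domain"], totals_by_disposition(REPORT))
    for r in unknown_sources(REPORT, OUR_SERVERS):
        print("unknown source", r["source_ip"], "as", r["header_from"],
              r["count"], "messages,", r["disposition"], "MailFrom", r["spf_domain"])
```

Before moving from p=none to p=reject, the rows to look at are the unknown sources with a legitimate-looking header_from and a non-pass result: those are either your own forgotten systems or the spoofers the policy is meant to stop.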