Tuesday 21 May 2024

Email security: DMARC, SPF and DKIM

SPF

Sender Policy Framework

Identifies who (which servers) is allowed to send email for your domain

Like protecting the envelope


DKIM

DomainKeys Identified Mail standard

Outgoing emails are signed with a cryptographic signature

Lets the receiving end know the email really came from your domain and not from a spammer/attacker

Like protecting the "letter" (the email itself)


DMARC

Domain-based Message Authentication, Reporting and Conformance

Builds on SPF and DKIM

DMARC checks 3 things

  • From address: check the From @domain.com (is it real, is it valid)
  • Return path: is it valid (the server the mail came from, i.e. the SPF check)
  • DKIM: does the email carry a valid signature
You need a DNS TXT record to set it up; it states where to send reports and which policy to apply

Version (the tag the record must start with)
v=DMARC1

Policy (good idea to set it to none at the start, for monitoring only)
p=reject

Email address where aggregate DMARC reports will be sent; must be set
rua=mailto:dmarc@domain.com

Forensic (failure) reports (can contain sensitive data, so this should be a secure mailbox)
ruf=mailto:dmarc@domain.com

Failure reporting option for forensic DMARC reports
fo=1

Alignment mode for DKIM (r relaxed, s strict): whether a subdomain of the From domain counts as a match
adkim=r

Alignment mode for SPF, again about subdomains
aspf=r
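As an added example (not code from the original post), the following Python parses a DMARC TXT record like the one above, fills in the defaults for absent tags, applies the relaxed/strict alignment rules for adkim and aspf, and flags the monitoring-only settings the post warns about. The domains and the sample record are constructed.

```python
# Added example (not from the original post). Domains and the record are constructed.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=s"

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict, filling DMARC defaults."""
    tags, order = {}, []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
        order.append(key.lower())
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")  # catches typos like v=DMAR1
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    for tag, default in (("adkim", "r"), ("aspf", "r"), ("fo", "0")):
        tags.setdefault(tag, default)
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, crudely: the last two labels (fine for example.com)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """r (relaxed): same organizational domain; s (strict): exact match."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dmarc_pass(record: str, from_domain: str, spf_domain: str, spf_ok: bool,
               dkim_domain: str, dkim_ok: bool) -> bool:
    """DMARC passes when SPF or DKIM passed AND that domain aligns with From."""
    t = parse_dmarc(record)
    spf_aligned = spf_ok and aligned(from_domain, spf_domain, t["aspf"])
    dkim_aligned = dkim_ok and aligned(from_domain, dkim_domain, t["adkim"])
    return spf_aligned or dkim_aligned

def warnings(record: str) -> list:
    """Flag the settings the post says to watch: p=none and a missing rua."""
    t, w = parse_dmarc(record), []
    if t["p"] == "none":
        w.append("p=none: monitoring only, nothing is rejected")
    if "rua" not in t:
        w.append("no rua: aggregate reports will not be received")
    return w
```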


  • Monitor / test first
  • Set up proper SPF and DKIM records
  • Then set p=reject
  • Test again

BIMI
Brand Indicators for Message Identification
A way for company logos to show up next to mail from confirmed brands
Most people consider it useless
Maybe users will spot an issue with an email if it has no logo
Not everyone adopts/uses it (MS did not support it at the time of writing)
If others are using it, you can set it up so your company logo shows up


There are vendors that receive the reports for you and let you view them in a console with graphs etc.
https://dmarcian.com/
https://easydmarc.com/
