SPF
Sender policy framework
Identify who (what servers) can send emails for your domain
Like protecting the envelope
DKIM
DomainKeys Identified Mail standard
Emails are signed with a signature
Lets the other end know the email really came from you and not a spammer/attacker
Like protecting the "letter" or email
Summary
- MX (Mail exchange record) - A DNS record that tells people where to send email for your domain. Like a sign telling people which letterbox to drop the mail into.
- SPF (Sender policy framework) - Who can send emails for your domain. Like a guard standing at the post box.
- DKIM (DomainKeys Identified Mail standard) - Emails are signed with a signature. Like a seal or stamp on the letter confirming to the other end it really came from you.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) - Combines SPF and DKIM. Checks the From address and confirms the domain is valid, checks the return path, and checks it's a validly signed email.
DMARC
Domain-based Message Authentication, Reporting and Conformance
Makes use of SPF and DKIM
DMARC checks 3 things
- From address: check the From @domain.com (is it real, is it valid)
- Return path: is it valid (the server the mail came from)
- DKIM: is it a validly signed email
You will need a DNS TXT record to set it up, saying where to send reports and what policy to apply
Version
v=DMARC1
Policy (good idea to set to none at the start for monitoring)
p=reject
Email where aggregate DMARC reports will be sent, must be set
rua=mailto:dmarc@domain.com
Forensic reports (can contain sensitive data, so should go to a secured mailbox)
ruf=mailto:dmarc@domain.com
Failure reporting option for forensic DMARC reports
fo=1
Alignment mode for DKIM (r relaxed, s strict; with strict a subdomain can't be used, the signing domain must match exactly)
adkim=r
Alignment mode for SPF, again about subdomains
aspf=r
- Monitor / test first
- Set up proper SPF and DKIM records
- Then set p=reject
- Test again
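As an added example (not from the original post), a small Python checker that parses a DMARC TXT record like the one above, rejects a broken version tag, and applies the relaxed/strict alignment rule to the From, SPF and DKIM domains. The record and domain names are constructed, and the organizational-domain logic is a simplified assumption.

```python
# Added example: parse a DMARC TXT record and evaluate the alignment check
# the notes describe (From domain vs SPF/DKIM domains, relaxed or strict).
# Domains and record values below are constructed, not taken from a real zone.

REQUIRED_TAGS = {"v", "p"}
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict and validate key tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip()] = v.strip()
    missing = REQUIRED_TAGS - set(tags)
    if missing:
        raise ValueError(f"missing required tag(s): {sorted(missing)}")
    # The version tag must be exactly DMARC1; a typo such as v=DMAR1
    # makes receivers ignore the whole record.
    if tags["v"] != "DMARC1":
        raise ValueError(f"bad version tag: v={tags['v']}")
    if tags["p"] not in VALID_POLICIES:
        raise ValueError(f"bad policy: p={tags['p']}")
    tags.setdefault("adkim", "r")   # relaxed is the default alignment mode
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Simplified: treat the last two labels as the organizational domain
    # (real receivers use the Public Suffix List; assumption for this example).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed: same organizational domain; strict: exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_pass(record, from_domain, spf_domain, spf_ok, dkim_domain, dkim_ok):
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with From."""
    spf_aligned = spf_ok and aligned(from_domain, spf_domain, record["aspf"])
    dkim_aligned = dkim_ok and aligned(from_domain, dkim_domain, record["adkim"])
    return spf_aligned or dkim_aligned
```

With adkim=s a DKIM signature from mail.example.com no longer aligns with a From of example.com, while relaxed SPF alignment still accepts it.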
BIMI
Brand Indicators for Message Identification
A way for company logos to show up for confirmed brands
Most people consider it useless
Maybe users will spot an issue with an email if it has no logo
Not everyone adopts/uses it (MS did not support it at time of writing)
If others are using it you can set it up so your company logo shows up
There are vendors you can send the reports to, who let you view them in a console with graphs etc.
https://dmarcian.com/
https://easydmarc.com/