Understanding Email Security 🔒

0. Email Mechanics

1. The Problems with Emails

2. SPF, DKIM, DMARC

3. Demos!

4. Protecting and Verifying Domains

How Email Really Works

The Flow.

Mail User Agent (MUA) → Sender's Email Service Provider (its Mail Transfer Agent, MTA) → SMTP → Receiver's Email Service Provider (MTA) → POP3 // IMAP → Mail User Agent

The Email Envelope.

The SMTP envelope (MAIL FROM, RCPT TO) is what the MTAs route on; the message headers (From:, To:, Subject:) are what the user sees. They travel together but are set independently.

The Problems with Email

Where is the authentication??

Mail User Agent → Sender's Email Service Provider (MTA) → SMTP → Receiver's Email Service Provider (MTA) → POP3 // IMAP → Mail User Agent

STLS // StartTLS: encryption on the POP3 (STLS) and SMTP/IMAP (STARTTLS) hops is opportunistic and only protects the link; it says nothing about who the sender is.

SUS!!

Breaking It Down....

✅ Forge the MAIL FROM in the SMTP envelope: plain SMTP accepts whatever address the client sends

✅ Forge the FROM in the email header: it is just another line inside DATA

✅ The email header FROM can be different from the envelope's MAIL FROM, and the recipient's mail client only shows the header
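The three points above as a worked exchange. This is an added example, not code from the original deck: it plays a minimal SMTP client and server against each other so you can see that the envelope sender (MAIL FROM) and the header From: are supplied separately and that the receiving MTA accepts both without any check. Every host and address (attacker-box.example, victim.example, bounce@attacker.example) is made up.

```python
"""Constructed SMTP exchange showing that the envelope MAIL FROM and the header
From: are set independently and that a receiving MTA sees both. Added example;
not code from the original deck. Every host and address here is made up."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr


def build_spoofed_message():
    """Header From: claims the victim's domain; nothing in SMTP checks it."""
    msg = EmailMessage()
    msg["From"] = "CEO <ceo@victim.example>"      # what the recipient's mail client shows
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "Urgent wire transfer"
    msg.set_content("Please pay the attached invoice today.")
    return msg


def client_commands(msg, envelope_from, rcpt_to):
    """The lines an SMTP client sends. MAIL FROM is chosen freely by the client
    and need not match anything inside the message."""
    data = msg.as_string().replace("\n", "\r\n")   # wire format uses CRLF
    return [
        "EHLO attacker-box.example",
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        data + ".",                                # message, terminated by a lone dot
        "QUIT",
    ]


def receiving_mta(commands):
    """Minimal server side: accepts the envelope without any check, stores the
    message and stamps Return-Path from MAIL FROM, as a real MTA does at final
    delivery. Returns (replies, envelope, delivered message)."""
    replies, raw, expect_data = [], None, False
    envelope = {"helo": None, "mail_from": None, "rcpt_to": []}
    for line in commands:
        if expect_data:                            # everything up to "<CRLF>." is the message
            raw = line[:-1] if line.endswith("\r\n.") else line
            expect_data = False
            replies.append("250 2.0.0 Ok: queued")
        elif line.upper().startswith("EHLO "):
            envelope["helo"] = line[5:]
            replies.append("250 receiver.victim.example")
        elif line.upper().startswith("MAIL FROM:"):
            envelope["mail_from"] = line[10:].strip("<>")   # no verification at all
            replies.append("250 2.1.0 Ok")
        elif line.upper().startswith("RCPT TO:"):
            envelope["rcpt_to"].append(line[8:].strip("<>"))
            replies.append("250 2.1.5 Ok")
        elif line.upper() == "DATA":
            expect_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif line.upper() == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.2 Error: command not recognized")
    delivered = message_from_string(raw.replace("\r\n", "\n"))
    delivered["Return-Path"] = f"<{envelope['mail_from']}>"   # added at delivery, from the envelope
    return replies, envelope, delivered


def envelope_vs_header(envelope, delivered):
    """The two sender identities side by side: SPF looks at the first,
    the user looks at the second."""
    return {
        "envelope_mail_from": envelope["mail_from"],
        "header_from": parseaddr(delivered["From"])[1],
        "return_path": delivered["Return-Path"],
    }


if __name__ == "__main__":
    message = build_spoofed_message()
    cmds = client_commands(message, "bounce@attacker.example", "finance@victim.example")
    replies, env, delivered = receiving_mta(cmds)
    for sent, reply in zip(cmds, replies):
        print("C:", sent.splitlines()[0])
        print("S:", reply)
    print(envelope_vs_header(env, delivered))
```

Run it and compare the `envelope_mail_from` and `header_from` values in the last line: the Return-Path header is the only trace of the envelope that survives into the mailbox, and most mail clients never display it.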

THE TRIFORCE

SPF

Sender Policy Framework

The receiving email server asks: is the connecting IP address an authorized sender for the domain in the envelope MAIL FROM?

❓❓

It looks up that domain's SPF record in DNS and checks the IP against it.

🤔

Pass? Fail? (or softfail, neutral, none, temperror, permerror)

Configuring SPF

Starts with the version (v=spf1), followed by mechanisms that define which IPs may send, each optionally prefixed by a qualifier that says how a match should be treated, plus optional modifiers.

// examples

v=spf1 a mx include:_spf.example.com -all   // our A and MX hosts plus a vendor's record; everything else fails
v=spf1 ip4:127.0.0.1 -all                    // a single IPv4 address (put your real outbound address or range here)
v=spf1 mx -all                               // only the domain's inbound mail hosts may send
v=spf1 include:sendgrid.net ~all             // a vendor's record; anything else softfails (marked, usually still delivered)
v=spf1 -all                                  // this domain never sends mail

Configuring SPF

Mechanisms evaluate in sequence from left to right:
1. match? the mechanism's qualifier is the result of the SPF record
2. no match? move on to the next mechanism
3. error (DNS failure, malformed record, too many lookups)? evaluation ends with temperror or permerror
4. nothing matched and no redirect=? the result is neutral

// mechanisms (names are case-insensitive)

IP4:     // match if the sender's IP is the given IPv4 address or inside the given CIDR range
IP6:     // same for IPv6
A:       // match if the sender's IP is an A/AAAA record of the given domain (default: this domain)
MX:      // match if the sender's IP is an A/AAAA record of one of the domain's MX hosts
EXISTS:  // match if the given domain name (usually built from macros) resolves to any A record
INCLUDE: // evaluate another domain's record; match only if it returns pass, otherwise keep going (its fail is not your fail)
ALL:     // always match, so it belongs last

A, MX, EXISTS, INCLUDE and redirect= each cost a DNS lookup; more than 10 in one evaluation is a permerror, which receivers treat like an invalid record.

Configuring SPF

Qualifiers are an optional single character in front of a mechanism that sets the result when that mechanism matches; no qualifier means +

// qualifiers

+:  // eval is PASS
?:  // eval is NEUTRAL (treated as if there were no policy)
~:  // eval is SOFTFAIL (typically accepted but marked; anything other than PASS counts as a failure for DMARC)
-:  // eval is FAIL

Configuring SPF

Modifiers are optional name=value pairs; each may appear at most once per record and they are conventionally written at the end

// modifiers

exp=foo.bar.com       // domain whose TXT record holds the explanation string returned with a FAIL
redirect=foo.bar.com  // evaluate that domain's record in place of this one if no mechanism matched; used instead of a trailing ALL

Challenges

🎯   Email vendors frequently change, so records go stale and nested includes eat the 10-lookup limit

🙅‍♀️   SPF failure doesn't mean the message will be blocked; that decision belongs to the receiver (and to DMARC)

💔  SPF breaks when mail is forwarded: the forwarder's IP is not in the original domain's record

🚫  No protection for the email header's FROM; SPF checks only the envelope MAIL FROM, which the user never sees
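The Configuring SPF slides and the Challenges list above, as one runnable evaluator. This is an added example, not code from the deck: it implements the mechanism, qualifier and modifier rules described above (RFC 7208) against a stubbed DNS table so it runs offline, and the cases at the bottom include the forwarding failure from the Challenges list. The domains (example.com, _spf.mailvendor.example, legacy.example, softy.example), addresses and records are all constructed. Macros, the ptr mechanism, exp= explanations and HELO checks are left out.

```python
"""Minimal SPF (RFC 7208) evaluator over a stubbed DNS table, so it runs offline.
Added example, not code from the deck: the domains, addresses and records are
constructed; the 10-lookup budget, qualifiers and mechanism semantics follow the RFC.
Not implemented: macros, the ptr mechanism, exp= explanations, HELO checks."""
import ipaddress

# Constructed DNS answers (TXT, A/AAAA, MX) for a few made-up domains.
DNS = {
    "txt": {
        "example.com": ["v=spf1 a mx include:_spf.mailvendor.example -all"],
        "_spf.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:feed::/48 -all"],
        "legacy.example": ["v=spf1 redirect=example.com"],
        "softy.example": ["v=spf1 ip4:203.0.113.7 ~all"],
    },
    "a": {"example.com": ["192.0.2.10"], "mx1.example.com": ["192.0.2.25"]},
    "mx": {"example.com": ["mx1.example.com"]},
}
MAX_LOOKUPS = 10                     # a, mx, include, exists and redirect all count
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rrtype, name):
    return DNS[rrtype].get(name.lower(), [])


def host_matches(ip, name, cidr=""):
    """True if an A/AAAA record of name covers ip (widened to /cidr if given)."""
    for addr in lookup("a", name):
        net = ipaddress.ip_network(f"{addr}/{cidr}" if cidr else addr, strict=False)
        if ip in net:                # False automatically when IP versions differ
            return True
    return False


def check_host(ip, domain, budget=None):
    """Evaluate domain's SPF record for sender ip. Returns (result, reason)."""
    ip = ipaddress.ip_address(ip)
    budget = [MAX_LOOKUPS] if budget is None else budget   # shared through include/redirect
    records = [r for r in lookup("txt", domain) if r.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none", f"no SPF record for {domain}"
    if len(records) > 1:
        return "permerror", f"multiple SPF records for {domain}"
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term:                                   # modifier (redirect=, exp=)
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qual = "+"                                         # no qualifier means +
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("a", "mx", "include", "exists"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror", "more than 10 DNS-querying terms"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            target, _, cidr = (arg or domain).partition("/")
            matched = host_matches(ip, target, cidr)
        elif mech == "mx":
            target, _, cidr = (arg or domain).partition("/")
            matched = any(host_matches(ip, mx, cidr) for mx in lookup("mx", target))
        elif mech == "exists":
            matched = bool(lookup("a", arg))
        elif mech == "include":
            sub, _ = check_host(ip, arg, budget)
            if sub in ("permerror", "temperror"):
                return sub, f"include:{arg} returned {sub}"
            matched = sub == "pass"      # the included record's fail is only "no match" here
        else:
            return "permerror", f"unsupported mechanism {mech}"
        if matched:
            return QUALIFIERS[qual], f"matched {qual}{mech}{':' + arg if arg else ''}"
    if redirect:                                           # only reached if nothing matched
        budget[0] -= 1
        result, reason = check_host(ip, redirect, budget)
        return ("permerror", f"redirect={redirect} has no record") if result == "none" else (result, reason)
    return "neutral", "no mechanism matched"


if __name__ == "__main__":
    cases = [
        ("192.0.2.25", "example.com"),          # our MX host sends: pass
        ("198.51.100.77", "example.com"),       # the vendor's IP via include: pass
        ("203.0.113.7", "example.com"),         # a forwarder's IP: -all -> fail
        ("203.0.113.8", "softy.example"),       # unknown IP under ~all -> softfail
        ("192.0.2.10", "legacy.example"),       # redirect= to example.com: pass
    ]
    for sender_ip, mail_from_domain in cases:
        print(sender_ip, mail_from_domain, check_host(sender_ip, mail_from_domain))
```

The third case is the forwarding problem: the message is genuine, but the forwarding host's address is not in example.com's record, so a `-all` policy fails it. Swap the DNS table for real lookups (the `dig txt` commands later in the deck return the same strings) to evaluate a live domain.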

DKIM

DomainKeys Identified Mail

DKIM

Signs the email message with the sending domain's private key to prove that:

  • the message body hasn't been tampered with (the bh= body hash)
  • the signed headers (listed in h=) haven't changed since signing
  • whoever signed it controls DNS for the d= domain in the signature (not necessarily the header FROM domain; DMARC adds that check)

DKIM

k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGMjj8MVaESl30KSPYdLaEreSYzvOVh15u9YKAmTLgk1ecr4BCRq3Vkg3Xa2QrEQWbIvQj9FNqBYOr3XIczzU8gkK5Kh42P4C3DgNiBvlNNk2BlA5ITN/EvVAn/ImjoGq5IrcO+hAj2iSAozYTEpJAKe0NTrj49CIkj5JI6ibyJwIDAQAB

Publish the public key as a DNS TXT record at SELECTOR._domainkey.DOMAIN.EX. k= is the key type, t=s means the signature's i= identity must be in exactly this domain (no subdomains), p= is the base64 public key (publish it empty to revoke the key). The DKIM-Signature header's s= and d= tags tell the receiver which selector and domain to look up. The key above is 1024-bit RSA; RFC 8301 recommends 2048-bit keys.
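The parts of DKIM a receiver can check before it even fetches the key, as an added example (not code from the deck): the tag=value syntax shared by the DKIM-Signature header and the DNS key record, the DNS name a selector maps to, the relaxed body canonicalization and bh= body hash from RFC 6376, and the key size read out of p=. The message body and the DKIM-Signature header are constructed (its b= is a placeholder, so the RSA signature over the headers is not verified here); the key record is the one shown on the slide above. The selector 2024a and domain example.com are assumptions.

```python
"""The DKIM (RFC 6376) checks a receiver can run before touching the public key:
the tag=value syntax shared by DKIM-Signature and the DNS key record, the DNS
name a selector maps to, the relaxed body canonicalization and the bh= body
hash, and the key size hidden inside p=. Added example, not code from the deck;
the message and signature header are constructed (b= is a placeholder, the RSA
signature itself is not verified), the key record is the one from the slide."""
import base64
import hashlib
import re


def parse_tags(text):
    """'k=rsa; t=s; p=MIGf...' -> {'k': 'rsa', 't': 's', 'p': 'MIGf...'}; whitespace
    inside values (a folded p= or b=) is discarded as the RFC requires."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(signature_tags):
    """Where the receiver fetches the key: <s>._domainkey.<d>"""
    return f"{signature_tags['s']}._domainkey.{signature_tags['d']}"


def relaxed_body(body):
    """Relaxed canonicalization: runs of WSP become one space, trailing WSP is
    stripped, trailing empty lines are dropped, lines end in CRLF (empty body -> '')."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body, algorithm="sha256", length=None):
    """bh= = base64(hash(canonicalized body)); an l= tag limits how many bytes are covered."""
    data = relaxed_body(body).encode()
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode()


def body_hash_ok(signature_header, body):
    """First thing a verifier checks: does bh= in the signature match this body?"""
    tags = parse_tags(signature_header)
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, algorithm, length) == tags["bh"]


def rsa_modulus_bits(p_base64):
    """Walk the SubjectPublicKeyInfo DER in p= and return the RSA modulus size."""
    def read(buf, pos):                     # one TLV: returns (tag, contents, next pos)
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                   # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        return tag, buf[pos:pos + length], pos + length
    _, spki, _ = read(base64.b64decode(p_base64), 0)   # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _alg, pos = read(spki, 0)
    _, bitstring, _ = read(spki, pos)                   # first byte = unused bits, then RSAPublicKey
    _, rsa_key, _ = read(bitstring[1:], 0)              # SEQUENCE { modulus INTEGER, exponent INTEGER }
    _, modulus, _ = read(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


# Constructed message body and DKIM-Signature header (relaxed canonicalization).
BODY = "Hello,  world!   \r\n\r\nPlease pay   the invoice.\r\n\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=2024a; "
             "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")
# The key record from the slide, as it would be published at 2024a._domainkey.example.com.
KEY_RECORD = ("k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGMjj8MVaESl30KSPYdLaEreSYzvOVh15u9YKAmTLgk1ecr4BC"
              "Rq3Vkg3Xa2QrEQWbIvQj9FNqBYOr3XIczzU8gkK5Kh42P4C3DgNiBvlNNk2BlA5ITN/EvVAn/ImjoGq5IrcO+hAj2iSAozYT"
              "EpJAKe0NTrj49CIkj5JI6ibyJwIDAQAB")

if __name__ == "__main__":
    print("body hash ok:", body_hash_ok(SIGNATURE, BODY))
    print("after tampering:", body_hash_ok(SIGNATURE, BODY.replace("invoice", "invoice to account 42")))
    print("key lives at:", dkim_dns_name(parse_tags(SIGNATURE)))
    key = parse_tags(KEY_RECORD)
    print("key type:", key["k"], "flags:", key["t"], "bits:", rsa_modulus_bits(key["p"]))
```

Two things worth noticing when you run it: whitespace-only changes to the body do not break bh= under relaxed canonicalization, while any change to the words does, and a signature carrying an l= tag only covers the first l bytes, so content appended after that point is unsigned.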

DMARC

Domain-based Message Authentication, Reporting and Conformance

DMARC

✅  Checks that the sender's messages pass SPF or DKIM and that the passing identifier aligns with the domain in the header FROM (which neither SPF nor DKIM checks on its own)

✅  Tells the receiving mail server what to do if neither authentication method passes with alignment (none, quarantine, reject)

✅ Provides a way for the receiving server to report pass/fail of DMARC evaluations back to the domain owner

Tags

Required:

v - version tag (v=DMARC1)

p - policy tag for the domain (none, quarantine, reject)

 

Optional:

sp - policy for subdomains (defaults to p)

adkim / aspf - alignment mode for DKIM / SPF: r (relaxed, same organizational domain) or s (strict, exact match); default r

pct - percentage of failing messages the policy applies to (default 100); the rest get the next weaker policy

rua=mailto:foo@bar.com - where to send aggregate reports

ruf=mailto:foo@bar.com - where to send per-message failure reports

fo - when to generate failure reports

       0: only if both SPF and DKIM fail to produce an aligned PASS (default)

       1: if either SPF or DKIM produces anything other than an aligned PASS

       d: whenever a DKIM signature fails verification, regardless of alignment

       s: whenever SPF evaluation fails, regardless of alignment

The Record 🎉

v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com
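How a receiver turns the record above plus the SPF and DKIM results into a disposition, as an added example (not code from the deck). It applies the alignment rules from the Tags slide: one aligned pass is enough, sp= covers subdomains, pct= samples failing messages. The domains, results and the extra records in the test cases are constructed; the organizational domain is approximated as the last two labels, which is wrong under public suffixes such as co.uk (real verifiers use the Public Suffix List).

```python
"""DMARC (RFC 7489) disposition computed from SPF and DKIM results, including the
identifier alignment against the header From that neither SPF nor DKIM checks on
its own. Added example, not code from the deck; domains, results and the extra
records are constructed. Organizational domain is approximated as the last two
labels, which is wrong under public suffixes such as co.uk (real verifiers use
the Public Suffix List)."""


def parse_dmarc(record):
    """'v=DMARC1; p=reject; rua=mailto:...' -> tags with RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(name):
    return ".".join(name.lower().rsplit(".", 2)[-2:])   # assumption: two-label org domain


def dmarc_record_names(from_domain):
    """Where a receiver looks: _dmarc.<from domain>, then _dmarc.<org domain>."""
    names = [f"_dmarc.{from_domain}"]
    if org_domain(from_domain) != from_domain:
        names.append(f"_dmarc.{org_domain(from_domain)}")
    return names


def aligned(auth_domain, from_domain, mode):
    """s (strict): exact match. r (relaxed): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(header_from, spf, dkim, record, sample=0):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain of a verified
    signature, or None). sample is this message's 0-99 draw for pct=."""
    tags = parse_dmarc(record)
    from_domain = header_from.rsplit("@", 1)[1].lower()
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags["adkim"])
    verdict = {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    if spf_ok or dkim_ok:                       # one aligned pass is enough
        return {**verdict, "dmarc": "pass", "disposition": "none"}
    policy = tags["p"]
    if from_domain != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]                      # sp= covers subdomains
    if sample >= int(tags["pct"]):              # outside the sampled share: one step weaker
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {**verdict, "dmarc": "fail", "disposition": policy}


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"
    print(dmarc_record_names("news.example.com"))
    # spoofed header From with an attacker-controlled envelope: SPF passes but does not align
    print(dmarc_evaluate("ceo@example.com", ("pass", "attacker.example"), ("none", None), record))
    # forwarded legitimate mail: SPF breaks, the DKIM signature survives
    print(dmarc_evaluate("ceo@example.com", ("fail", "example.com"), ("pass", "example.com"), record))
```

The first printed case is the attack from the Problems slides: the attacker's envelope domain has a perfectly valid SPF record, so SPF alone passes, and only the alignment check against the header From turns it into a reject. The second shows why DKIM matters for forwarded mail under a reject policy.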

Demos!

Verifying Domains

Terminal

** replace DOMAIN.EX and SELECTOR

SPF Lookup (the apex TXT record; look for the one starting v=spf1)

nslookup -type=txt DOMAIN.EX
dig txt DOMAIN.EX

DMARC Lookup

nslookup -type=txt _dmarc.DOMAIN.EX
dig txt _dmarc.DOMAIN.EX

DKIM Lookup (SELECTOR comes from the s= tag of a DKIM-Signature header in a message received from the domain)

dig txt SELECTOR._domainkey.DOMAIN.EX

Sites

Resources

Understanding Email Security

By oliikit
