Understanding Email Security
0. Email Mechanics
1. The Problems with Emails
2. SPF, DKIM, DMARC
3. Demos!
4. Protecting and Verifying Domains
How Email Really Works
The Flow.
Mail Transfer Agent
Mail User Agent
SMTP
Sender's Email Service Provider
Receiver's Email Service Provider
POP3 // IMAP
The Email Envelope.
The Problems with Emails
Where is the authentication??
(Same flow as before: Mail Transfer Agent, Mail User Agent, SMTP, Sender's Email Service Provider, Receiver's Email Service Provider, POP3 // IMAP)
STLS // StartTLS
SUS!!
Breaking It Down....
✅ Forge the MAIL FROM in the SMTP envelope
✅ Forge the FROM in the email header
✅ The email header FROM can be different from the envelope's MAIL FROM
THE TRIFORCE
SPF
Sender Policy Framework
Email Server asks SPF: Is the IP address an authorized sender from the envelope? ❓❓
SPF answers ✅ or 🤔: Pass? Fail?
Configuring SPF
Starts with the version number (v=spf1), followed by mechanisms that define the IPs and how they should be evaluated, with qualifiers and modifiers.
// examples
v=spf1 a mx include:_spf.example.com -all
v=spf1 ip4:127.0.0.1 -all
v=spf1 mx -all
v=spf1 include:sendgrid.net ~all
v=spf1 -all
Configuring SPF
Mechanisms are evaluated in sequence from left to right and return one of the following:
1. match? that's the result of the SPF record
2. no match? move on to the next mechanism
3. exception? evaluation ends and the exception value is returned
// mechanisms
IP4: // match on the given IPv4 address
IP6: // match on the given IPv6 address
A: // match if the given domain's A/AAAA record resolves to the sender's address
MX: // match if the sender is one of the domain's incoming mail hosts
EXISTS: // match if the given domain name resolves to any address
INCLUDE: // evaluate the referenced domain's policy; if it does not match, continue with the next mechanism
ALL: // always match
Configuring SPF
Qualifiers are an optional prefix character that sets the result when the mechanism matches
// qualifiers
+: // eval is PASS (the default when no qualifier is given)
?: // eval is NEUTRAL (result is interpreted as if there were no policy)
~: // eval is SOFTFAIL (typically accepted but tagged)
-: // eval is FAIL
Configuring SPF
Modifiers are optional, and each may appear at most once per record
// modifiers
exp=foo.bar.com // names the domain whose DNS TXT record holds the explanation text
redirect=foo.bar.com // can be used instead of the ALL mechanism
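As an added example (not from the slides), a minimal SPF evaluator that walks a record left to right, applies the qualifier of the first matching mechanism, treats include as a match only when the referenced policy gives PASS, and falls back to redirect= when nothing matches. The DNS table, domains and addresses are constructed for the demo; exceptions (temperror/permerror from DNS) are not modelled beyond the lookup limit.

```python
import ipaddress

# Constructed DNS table standing in for real lookups (an assumption of this example).
DNS = {
    "example.com": {"txt": "v=spf1 a mx include:_spf.example.com ~all",
                    "a": ["192.0.2.10"], "mx": ["203.0.113.25"]},
    "_spf.example.com": {"txt": "v=spf1 ip4:198.51.100.0/24 -all"},
    "old.example": {"txt": "v=spf1 redirect=example.com"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mechanism_matches(mech, arg, ip, domain, depth):
    """True when this mechanism matches the connecting IP (DNS exceptions not modelled)."""
    if mech in ("ip4", "ip6"):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if mech in ("a", "mx"):   # a/mx without an argument refer to the current domain
        return ip in DNS.get(arg or domain, {}).get(mech, [])
    if mech == "exists":
        return bool(DNS.get(arg, {}).get("a"))
    if mech == "include":     # matches only if the referenced policy returns PASS;
        return check_spf(ip, arg, depth + 1) == "pass"   # otherwise keep evaluating
    if mech == "all":
        return True
    raise ValueError(f"unknown mechanism: {mech}")

def check_spf(ip, domain, depth=0):
    """Evaluate the domain's SPF record left to right and return the SPF result."""
    if depth > 10:            # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = DNS.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1"):
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:       # modifier: redirect= is applied only if nothing matches
            name, value = term.split("=", 1)
            if name.lower() == "redirect":
                redirect = value
            continue          # exp= only names a domain for the explanation text
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip("+-~?")
        mech, _, arg = body.partition(":")
        if mechanism_matches(mech.lower(), arg, ip, domain, depth):
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(ip, redirect, depth + 1)
    return "neutral"          # no mechanism matched and no redirect
```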
Challenges
🎯 Email vendors change frequently
🙅 SPF failure doesn't mean the message will be blocked
💔 SPF breaks when the message is forwarded
🚫 No protection for the email header's FROM
DKIM
DomainKeys Identified Mail
DKIM
Signs the email message to prove that:
- the message body hasn't been tampered with
- the headers haven't changed
- the sender actually owns the domain
DKIM
k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGMjj8MVaESl30KSPYdLaEreSYzvOVh15u9YKAmTLgk1ecr4BCRq3Vkg3Xa2QrEQWbIvQj9FNqBYOr3XIczzU8gkK5Kh42P4C3DgNiBvlNNk2BlA5ITN/EvVAn/ImjoGq5IrcO+hAj2iSAozYTEpJAKe0NTrj49CIkj5JI6ibyJwIDAQAB
Add the public key to the DNS record
DMARC
Domain-based Message Authentication, Reporting and Conformance
DMARC
✅ Verifies that the sender's email messages are protected by both SPF and DKIM
✅ Tells the receiving mail server what to do if neither of the authentication methods passes
✅ Provides a way for the receiving server to report pass/fail of DMARC evaluations
Tags
Required:
- v: version tag
- p: policy tag (none, quarantine, reject)
Optional:
- pct: percentage of suspicious messages DMARC applies to
- rua=mailto:foo@bar.com: where to send reports
- fo: how to generate the eval reports
  - 0: failure if SPF and DKIM both fail to produce a PASS (default)
  - 1: failure if SPF or DKIM produces anything other than PASS
  - d: failure if the DKIM signature failed
  - s: failure if the SPF eval failed
The Record 🎉
v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com
Demos!
Verifying Domains
Terminal
// SPF Lookup
nslookup -type=txt DOMAIN.EX
dig txt DOMAIN.EX
// DMARC Lookup
nslookup -type=txt _dmarc.DOMAIN.EX
dig txt _dmarc.DOMAIN.EX
// DKIM Lookup
dig txt SELECTOR._domainkey.DOMAIN.EX
** replace DOMAIN.EX and SELECTOR
Sites
- MXToolbox - the complete suite of email checks
- DNSChecker - DNS health report
- DMarcly - SPF/DKIM/DMARC checker and generator
- DNSChecker Email Header - analyze the headers of an email
Resources
Understanding Email Security
By oliikit