Understanding Email Security
0. Email Mechanics
1. The Problems with Emails
2. SPF, DKIM, DMARC
3. Demos!
4. Protecting and Verifying Domains
How Email Really Works
The Flow.
![](https://media.slid.es/uploads/705458/images/9449296/pasted-from-clipboard.png)
![](https://media.slid.es/uploads/705458/images/9449299/pasted-from-clipboard.png)
Diagram: the sender's Mail User Agent hands the message to the Sender's Email Service Provider, whose Mail Transfer Agent looks up the recipient domain in DNS and delivers over SMTP to the Receiver's Email Service Provider; the receiver's Mail User Agent then fetches it over POP3 // IMAP.
The Email Envelope.
![](https://img.icons8.com/external-xnimrodx-lineal-color-xnimrodx/344/external-email-contact-us-xnimrodx-lineal-color-xnimrodx-4.png)
![](https://media.slid.es/uploads/705458/images/9449477/carbon_2_.png)
The Problems with Emails
Where is the authentication??
Diagram: the same mail flow as above (Mail User Agent, Sender's Email Service Provider, Mail Transfer Agent, DNS, SMTP, Receiver's Email Service Provider, POP3 // IMAP), now annotated with STLS // StartTLS for transport encryption between the hops.
![](https://media.slid.es/uploads/705458/images/9455360/pasted-from-clipboard.png)
SUS!!
Breaking It Down....
✅ Forge the MAIL FROM in the SMTP envelope
✅ Forge the FROM in the email header
✅ The email header FROM can be different from the envelope's MAIL FROM
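To make the envelope/header split concrete, here is an added example (not code from the deck) that parses a constructed SMTP session transcript: the envelope is whatever the client sent in MAIL FROM and RCPT TO, while the From the recipient sees is just a header inside DATA. The session, addresses and domains are all made up for the example.

```python
import email
import email.utils

# Constructed SMTP session (documentation domains only). "S:" lines are the
# receiving server, "C:" lines are the sending client. Nothing here is
# authenticated: the server simply records what the client claims.
SESSION = """\
S: 220 mx.example.org ESMTP
C: EHLO relay.example.net
S: 250 mx.example.org
C: MAIL FROM:<bounce@relay.example.net>
S: 250 OK
C: RCPT TO:<bob@example.org>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Alice" <alice@example.com>
C: To: bob@example.org
C: Subject: Hello
C:
C: Body text.
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""


def parse_session(transcript):
    """Split a transcript into the SMTP envelope and the message sent inside DATA."""
    envelope = {"mail_from": None, "rcpt_to": []}
    data_lines, in_data = [], False
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue                          # server replies carry no envelope data
        payload = line[2:]
        if payload.startswith(" "):
            payload = payload[1:]
        if in_data:
            if payload == ".":
                in_data = False               # end-of-data marker
            else:
                data_lines.append(payload)    # headers + body as the client sent them
            continue
        verb = payload.upper()
        if verb.startswith("MAIL FROM:"):
            envelope["mail_from"] = payload[10:].strip().strip("<>")
        elif verb.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(payload[8:].strip().strip("<>"))
        elif verb == "DATA":
            in_data = True
    message = email.message_from_string("\n".join(data_lines) + "\n")
    return envelope, message


def domain_of(address):
    """Domain part of an address header value such as '"Alice" <alice@example.com>'."""
    _, addr = email.utils.parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def compare_senders(transcript):
    """Put the envelope sender next to the header sender and say whether the domains agree.
    A mismatch is normal for mailing lists and bulk senders, which is exactly why
    SPF alone (which only sees the envelope) cannot protect the header From."""
    envelope, message = parse_session(transcript)
    return {
        "envelope_from": envelope["mail_from"],
        "rcpt_to": envelope["rcpt_to"],
        "header_from": message["From"],
        "domains_match": domain_of(envelope["mail_from"]) == domain_of(message["From"]),
    }


if __name__ == "__main__":
    for key, value in compare_senders(SESSION).items():
        print(f"{key}: {value}")
```

Running it against the constructed session shows an envelope sender at relay.example.net and a header From at example.com; a receiving MTA records the envelope sender as the Return-Path header, which is what DMARC later compares against the header From.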
THE TRIFORCE
![](https://vignette.wikia.nocookie.net/wikiconsolanintendo/images/e/e6/Triforce.png/revision/latest?cb=20100711181552&path-prefix=es)
SPF
Sender Policy Framework
![](https://vignette.wikia.nocookie.net/wikiconsolanintendo/images/e/e6/Triforce.png/revision/latest?cb=20100711181552&path-prefix=es)
![](https://media.slid.es/uploads/705458/images/9449315/pasted-from-clipboard.png)
![](https://media.slid.es/uploads/705458/images/9455390/pasted-from-clipboard.png)
Diagram: the receiving Email Server asks whether the connecting IP address is an authorized sender for the domain in the envelope MAIL FROM; SPF answers Pass or Fail.
Configuring SPF
Starts with the version number (v=spf1), followed by mechanisms that define which IPs may send for the domain, plus optional qualifiers and modifiers that control how each mechanism is evaluated.
// examples
v=spf1 a mx include:_spf.example.com -all
v=spf1 ip4:127.0.0.1 -all
v=spf1 mx -all
v=spf1 include:sendgrid.net ~all
v=spf1 -all
Configuring SPF
Mechanisms are evaluated in sequence from left to right and return one of the following:
1. match? the mechanism's qualifier is the result of the SPF record
2. no match? move on to the next mechanism
3. exception? evaluation ends and the exception value (an error result) is returned
// mechanisms
IP4: // match if the sender's IP is the given IPv4 address or inside the given CIDR range
IP6: // match if the sender's IP is the given IPv6 address or inside the given CIDR range
A: // match if an A/AAAA record of the given domain (default: the current domain) resolves to the sender's IP
MX: // match if the sender's IP is one of the domain's incoming mail hosts (its MX records)
EXISTS: // match if the given domain name resolves to any address
INCLUDE: // evaluate the referenced domain's policy; match if it returns PASS, otherwise continue with the next mechanism
ALL: // always match (placed last to set the default result)
Configuring SPF
Qualifiers are an optional prefix on a mechanism that sets the result returned when that mechanism matches
// qualifiers
+: // result is PASS (the default when no qualifier is given)
?: // result is NEUTRAL (interpreted as if there were no policy)
~: // result is SOFTFAIL (typically accepted but tagged)
-: // result is FAIL
Configuring SPF
Modifiers are optional and each may appear at most once per record
// modifiers
exp=foo.bar.com // names a domain whose DNS TXT record holds the explanation text returned on failure
redirect=foo.bar.com // evaluates that domain's record when nothing else matched; used in place of the ALL mechanism
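The evaluation rules, mechanisms, qualifiers and modifiers above fit in a small evaluator, so here is one as an added example (Python, not code from the deck). DNS is replaced by a constructed in-memory zone using documentation addresses and example domains; a real implementation resolves TXT, A and MX records over the network and also handles macros, the 10-lookup limit and temporary errors, which this example leaves out.

```python
import ipaddress

# Constructed DNS data for the example: documentation-range addresses and
# example domains, not real records.
FAKE_DNS = {
    "txt": {
        "example.com": "v=spf1 a mx include:_spf.example.com -all",
        "_spf.example.com": "v=spf1 ip4:198.51.100.0/24 ~all",
        "strict.example": "v=spf1 mx -all",
        "alias.example": "v=spf1 redirect=example.com",
        "nomail.example": "v=spf1 -all",
    },
    "a": {
        "example.com": ["192.0.2.10"],
        "mail.example.com": ["192.0.2.25"],
        "mx.strict.example": ["203.0.113.5"],
    },
    "mx": {
        "example.com": ["mail.example.com"],
        "strict.example": ["mx.strict.example"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def ip_matches(ip, spec):
    """True if ip lies inside spec (a single address or a CIDR block).
    ipaddress returns False when the IP versions differ, so ip4: never matches IPv6."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `ip`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                         # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = dns["txt"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                      # no SPF policy published
    redirect = None
    for term in record.split()[1:]:        # skip the version tag
        if "=" in term:                    # modifier: name=value
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue                       # exp= only affects the explanation text
        qualifier = "+"                    # default qualifier is PASS
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain             # a / mx default to the current domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_matches(ip, arg)
        elif mech == "a":
            matched = ip in dns["a"].get(target, [])
        elif mech == "mx":
            matched = any(ip in dns["a"].get(host, []) for host in dns["mx"].get(target, []))
        elif mech == "exists":
            matched = bool(dns["a"].get(arg))
        elif mech == "include":
            inner = check_spf(ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"         # including a domain with no valid record is an error
            matched = inner == "pass"      # fail/softfail/neutral inside just mean "no match here"
        else:
            return "permerror"             # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]   # first match decides the result
    if redirect:                           # nothing matched: follow redirect= if present
        return check_spf(ip, redirect, dns, depth + 1)
    return "neutral"                       # no match and no redirect


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.com"), ("198.51.100.7", "example.com"),
                       ("203.0.113.99", "example.com"), ("203.0.113.99", "alias.example")]:
        print(f"{ip:>14} claiming {domain:<16} -> {check_spf(ip, domain)}")
```

Note how an address that only reaches `~all` inside the included record does not produce a softfail for example.com: the include simply fails to match, and the outer record's own `-all` decides the result.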
Challenges
🎯 Email vendors' sending IPs change frequently
🙅♀️ An SPF failure doesn't mean the message will be blocked
💔 SPF breaks when the message is forwarded
🚫 No protection for the email header's FROM
DKIM
DomainKeys Identified Mail
![](https://vignette.wikia.nocookie.net/wikiconsolanintendo/images/e/e6/Triforce.png/revision/latest?cb=20100711181552&path-prefix=es)
DKIM
![](https://media.slid.es/uploads/705458/images/9455488/pasted-from-clipboard.png)
![](https://media.slid.es/uploads/705458/images/9455491/pasted-from-clipboard.png)
Signs the email message to prove that:
- the message body hasn't been tampered with
- the signed headers haven't changed
- the sender actually owns the signing domain
DKIM
k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGMjj8MVaESl30KSPYdLaEreSYzvOVh15u9YKAmTLgk1ecr4BCRq3Vkg3Xa2QrEQWbIvQj9FNqBYOr3XIczzU8gkK5Kh42P4C3DgNiBvlNNk2BlA5ITN/EvVAn/ImjoGq5IrcO+hAj2iSAozYTEpJAKe0NTrj49CIkj5JI6ibyJwIDAQAB
Publish the public key as a DNS TXT record at SELECTOR._domainkey.DOMAIN.EX
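The tamper-evidence that DKIM provides comes from two hashes: the body hash carried in the bh= tag and the signature over the canonicalized headers in b=. As an added example (standard-library Python, not the deck's code), the following implements the body hash and the relaxed header canonicalization from RFC 6376 and checks bh= in a DKIM-Signature header; the b= RSA signature itself, which needs the public key fetched from SELECTOR._domainkey.DOMAIN.EX, is deliberately not implemented here. The sample signature value is constructed.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="simple"):
    """Body canonicalization (RFC 6376 section 3.4). Expects CRLF line endings."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # collapse runs of whitespace and strip trailing whitespace on each line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()                        # ignore empty lines at the end of the body
    if not lines:
        return "\r\n" if mode == "simple" else ""   # empty-body special cases
    return "\r\n".join(lines) + "\r\n"      # body always ends with a single CRLF


def body_hash(body, mode="simple"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def canonicalize_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfold, collapse whitespace."""
    value = value.replace("\r\n", "")               # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()   # single spaces, none at the ends
    return f"{name.lower()}:{value}\r\n"


def parse_tags(header_value):
    """Split a DKIM-Signature value like 'v=1; a=rsa-sha256; bh=...' into a dict."""
    tags = {}
    for part in header_value.replace("\r\n", "").split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip()] = re.sub(r"\s+", "", value)   # b=/bh= may be folded
    return tags


def body_hash_matches(dkim_signature_value, body):
    """Verify only the bh= tag against the received body, honouring the c= tag.
    A mismatch means the body changed in transit (or was never what was signed)."""
    tags = parse_tags(dkim_signature_value)
    body_mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    return tags.get("bh") == body_hash(body, body_mode)


if __name__ == "__main__":
    body = "Please see the attached invoice.\r\n"
    # Constructed signature header: only bh= is meaningful here, b= is a placeholder.
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; "
           "h=from:to:subject; bh=" + body_hash(body, "relaxed") + "; b=PLACEHOLDER=")
    print("original body matches bh=:", body_hash_matches(sig, body))
    print("tampered body matches bh=:", body_hash_matches(sig, body.replace("invoice", "refund")))
```

The relaxed mode is why a mail gateway that re-wraps whitespace does not break DKIM, while any change to the words does; the empty-body constants in the test are the well-known bh= values seen on messages with no body.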
DMARC
Domain-based Message Authentication, Reporting and Conformance
![](https://vignette.wikia.nocookie.net/wikiconsolanintendo/images/e/e6/Triforce.png/revision/latest?cb=20100711181552&path-prefix=es)
DMARC
✅ Verifies that the sender's email messages are protected by SPF and DKIM, and that the authenticated domain aligns with the header FROM
✅ Tells the receiving mail server what to do if neither of the authentication methods passes
✅ Provides a way for the receiving server to report the pass/fail of DMARC evaluations back to the domain owner
Tags
Required:
v - version tag
p - policy tag (none, quarantine, reject)
Optional:
pct - percentage of failing messages the policy applies to
rua=mailto:foo@bar.com - where to send aggregate reports
fo - when to generate failure reports:
0: report if both SPF and DKIM fail to produce a PASS (default)
1: report if either SPF or DKIM produces anything other than PASS
d: report if the DKIM signature failed
s: report if the SPF evaluation failed
The Record 🎉
v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com
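To tie the record back to the envelope/header mismatch from "Breaking It Down", here is an added example (Python, not code from the deck) of what a receiver does with a DMARC record: parse the tags, take the SPF and DKIM outcomes already computed, check that each authenticated domain aligns with the header FROM domain, and turn p= and pct= into a disposition. The message, record, and the SPF/DKIM results passed in are constructed; the organizational-domain check is simplified to the last two labels where real code consults the Public Suffix List.

```python
import email
import email.utils

# Constructed message (documentation domains). Return-Path is the envelope MAIL FROM
# as recorded by the receiving MTA; From is the header the recipient sees.
RAW_MESSAGE = (
    "Return-Path: <bounce@mailer.example.net>\r\n"
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.org\r\n"
    "Subject: Invoice\r\n"
    "\r\n"
    "Please see the attached invoice.\r\n"
)

# Constructed DMARC record in the same shape as the slide's example.
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; fo=1"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and fill in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("pct", "100")
    tags.setdefault("aspf", "r")      # relaxed SPF alignment
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment
    return tags


def domain_of(address_header):
    _, addr = email.utils.parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    # Simplification for the example: last two labels (real code uses the Public Suffix List).
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(raw, record, spf_result, dkim_result, dkim_domain, sample=0):
    """Combine earlier SPF/DKIM outcomes ("pass"/"fail") with alignment against the
    header From. dkim_domain is the d= tag of the verified signature. `sample` (0..99)
    stands in for the random draw that pct= sampling uses, fixed here for determinism."""
    msg = email.message_from_string(raw)
    tags = parse_dmarc(record)
    from_domain = domain_of(msg["From"])
    spf_ok = spf_result == "pass" and aligned(domain_of(msg["Return-Path"]), from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:                 # one aligned pass is enough
        return {"result": "pass", "disposition": "none"}
    disposition = tags["p"]
    if sample >= int(tags["pct"]):        # outside the sampled share: next weaker action
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(disposition, "none")
    return {"result": "fail", "disposition": disposition}


if __name__ == "__main__":
    print("SPF pass on the bounce domain only:",
          evaluate_dmarc(RAW_MESSAGE, DMARC_RECORD, "pass", "fail", ""))
    print("DKIM pass with d=example.com:",
          evaluate_dmarc(RAW_MESSAGE, DMARC_RECORD, "pass", "pass", "example.com"))
```

The first call is the forwarding/bulk-sender case: SPF passes for mailer.example.net, but that domain does not align with example.com in the header FROM, so without an aligned DKIM signature the message fails DMARC and p=reject applies.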
Demos!
Verifying
Domains
Terminal
SPF Lookup
nslookup -type=txt DOMAIN.EX
dig txt DOMAIN.EX
DMARC Lookup
nslookup -type=txt _dmarc.DOMAIN.EX
dig txt _dmarc.DOMAIN.EX
DKIM Lookup
dig txt SELECTOR._domainkey.DOMAIN.EX
** replace DOMAIN.EX and SELECTOR
Sites
- MXToolbox - the complete suite of email checks
- DNSChecker - DNS health report
- DMarcly - SPF/DKIM/DMARC checker and generator
- DNSChecker Email Header - analyze the headers of an email
Resources
Understanding Email Security
By oliikit