Intro to Email Security with SPF DKIM and DMARC

Security Operations + Email Security Justin today4 February 2024 4

Background
share close

Phishing and e-mail in general continue to be the most targeted attack vector according to Cloudflare’s 2023 Phishing Report. With e-mail service being the live blood of communication for most organizations, the security of such a service is paramount.

Hardening e-mail infrastructure and services is one piece to the puzzle, and most services provide integrated malware and spam prevention capabilities that add a layer of security to e-mail. However, another mechanism exists to provide additional security to e-mail services in the form of a number of DNS implementations, specifically, SPF, DKIM and DMARC.

SPF, DKIM, and DMARC are DNS implementations that provide security and reporting functionality to your e-mail delivery and receiving services. Let’s discuss each implementation further.

SPF

Sender Policy Framework (SPF), is a mechanism of identifying what servers are authorised and/or not authorised to send e-mail on behalf of a domain name. SPF also provides a mechanism to determine how strict to enforce the policy, allowing for some flexibility in implementation.

SPF Records

SPF exists in the form of a DNS TXT record. Here is an example:

v=SPF1 ip4:123.123.123.123 ip4:123.123.123.123 include:ses.amazon.com ~all

SPF Tags

Tag Default Description
v SPF1 indicates the version of SPF that the TXT record is using. This is for future expansion, but for now, v=spf1 is the only correct version. Every SPF TXT record must start with this string.
ip4 IPv4 address authorised to send e-mail on the behalf of a domain.
ip6 IPv6 address authorised to send e-mail on the behalf of a domain.
include CNAME or Domain Name of server authorised to send e-mail on the behalf of a domain.
a A record of server authorised to send e-mail on the behalf of a domain.
mx MX record of server authorised to send e-mail on the behalf of a domain.
ptr PTR record of a server authorised to send e-mail on the behalf of a domain.
exists Perform a check to see if a domain name has an assigned A record.
extensions The extensions mechanism provides a method of using custom mechanisms.
all all This mechanism always matches and must be used at the end of the SPF record. More details below.

The all Tag

The all tag always tests as positive and is used with a qualifier to determine how SPF evaluates the message. For example, the use of the - or fail qualifier, -all, would return a failed SPF check unless the sending server exists exactly in the SPF record, and quarantine the message. Using the ~ or softfail qualifier, ~all, would still return a failed SPF check, however, the message will not be quarantined.

SPF Qualifiers

The following qualifiers exist in the SPF standard:

+ – pass
- – fail
~ – softfail
? – neutral

DKIM

DomainKeys Identified Mail (DKIM) Signatures is a domain-level authentication framework that uses public-key cryptography in order to verify the contents and source of a message. DKIM uses cryptographic signatures to protect integrity of messages, as well as a irrefutable evidence of the source of the message. As DKIM uses DNS records, there is no need for a Certificate Authority (CA) to check the certificate against. A receiving server can simply query the sender domain to validate the necessary keys.

DKIM Records

The DKIM Selector is a DNS TXT record that indicators where a recipient server can locate the domains public key. The public key will is used to create a hash of the received e-mail, and compared to the hash written by the senders server. If the hashes match, we know that the e-mail contents were not changed in transit, and because the public key worked to create the proper has, we also know that the e-mail could have only come from that server.

Here is the DKIM record for roguesecurity.ca at selector1

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxAUDUvo/w6sBFGGC/hd8aNO0VNbZhGyvbOuHkG/dmlC+coDRH05zvWQgAbO1QSSatxb37d6AZ1sot+UeRbCpIVFBNvabPf/3QtYTj5gM3yl2k6FPK56uXTFNGZooA+WFYSKltYkaKnV1dNH7B0nlbV9Zh1NMcXLXsYb2idmi3RPkT12hxgeoaqdE1G6WfDstOd9B02kxxWr1gzuPGVmzLRCu8v170xEtvwoTghHcJSxmZT2zvauzTGuhkC9h65aPmebVPUiPipXw3ISmLd4YibzpbC/wGoVVS/McDZBSkUxFGcnM97eZF6ZLiS371TmCz4PqRc8iAmKJGLBRunpdnQIDAQAB;

DKIM Tags

Tag Default Description
v DKIM1 Indicates the version of DKIM to use. Always DKIM1.
h * Acceptable hash algorithms.
k rsa Indicates the key type. In this instance, we’re using RSA. Values include: rsa or ed25519
n Optional notes of interest to a human.
p Finally, we have the public key used to produce a hash of the message.
s * A list of service types which the record applies to. Values include: email
t A list of flags. Values include: y – DKIM testing mode, or s DKIM strict mode

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism for providing domain-level policies and preferences for message validation, disposition and reporting. DKIM provides domain owners with a way of assigning a preferred method of handling authentication failures to reduce the amount of successfully delivered spoofed e-mail.

DKIM can also be configured to provide domain-level reporting on authentication and the disposition of received e-mail.

DMARC Records

DMARC records, like SPF and DMARC records, are DNS TXT entries that are defined using various mechanisms. Here is the DMARC record for roguesecurity.ca at _dmarc.

v=DMARC1;p=none;ruf=mailto:dnsreports@roguesecurity.ca;rua=mailto:dnsreports@roguesecurity.ca;sp=none

DMARC Tags

Tag Default Description
v DMARC1 The version of DMARC being used. Always DMARC1.
p none What policy is applied to e-mails that fail DMARC? Values include: none, quarantine, or reject.
ruf none List of URIs to send forensics reports to.
rua none List of URIs to send XML feedback to.
sp p= How should DMARC treat messages from sub-domains? Values include: none, quarantine, reject.
adkim r Specifies alignment mode for DKIM signatures. Values include: r, or s. r indicates Relaxed Mode and s indicates Strict Mode. This determines how exact an e-mails "Header-From" domain must match a DKIM authenticated domain.
aspf r Specifies alignment mode for SPF. Values include: r, or s. r indicates Relaxed Mode and s indicates Strict Mode. This determines how exact an e-mails "Header-From" domain must match a SPF authenticated domain.
fo 0 Provides various forensics reporting options. Values include: 0, 1, d, or s. These options determine what triggers forensics reports.
rf afrf The reporting format for forensics reports. Values include: afrf or iodef.
pct 100 This option tells receivers to only apply the policy against failed DMARC checks, x percentage of time. For example, pct=50 would tell the receiver server to apply the policy against 50% of messages that fail the DMARC check.
ri 86400 The reporting interval for how often to receive XML reports in an aggregated form.

Written by: Justin

Tagged as: , , , , , , .

Rate it
Previous post
Photo by Josh Sorenson: https://www.pexels.com/photo/ethernet-cables-plugged-on-a-server-rack-1054397/

today31 January 2024

  • 16
close

General Justin

Windows Server Evaluation ISOs

I was building out a new malware lab recently and wanted to include an Active Directory server. Microsoft doesn’t make it super easy to navigate their downloads, so here are ...

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *