DMARC Training part 2 - Queensland Government

28th of February 2019

Trusted Email. Delivered.

Thank you for joining, the training will start at 4PM

All attendees will be muted by default

Please use the chat box for questions

www.dmarcanalyzer.com

Agenda

● How to achieve DMARC compliance for an email
  ○ What is alignment?
  ○ How to get DKIM aligned?
  ○ How to get SPF aligned?
● What does good look like?
● What does bad look like?
● Source investigation process
  ○ How to locate a compliant source
  ○ How to locate a non-compliant source
  ○ How to locate an invalid source
  ○ How to locate a partially compliant source
● How to locate additional information in the forensic section
  ○ Analyze forensic reports
  ○ How does forwarding work?
● Monitoring your data
● Actions to take now
● Questions?


What is alignment?

● Alignment is what differentiates DMARC from SPF and DKIM on their own
● Authenticate your mail based on the domain in the visible "From" header. How?
  ○ Set up a matching Return-Path (envelope sender) domain, so that an SPF pass aligns
  ○ Sign with DKIM using a d= domain that matches the From domain
● Result: the sender the end user sees is the one that was actually authorized to send that mail
● Often misunderstood


DMARC combines SPF & DKIM

DKIM (DomainKeys Identified Mail)
DKIM is generally more complex to set up than SPF, requiring a cryptographic signature on each message sent. DKIM will fail when signed content is modified in transit, as happens with messages sent through a mailing list.

SPF (Sender Policy Framework)
SPF is not ideal for all email use cases and can fail if a message is forwarded. The MAIL FROM domain authenticated by SPF is not easily visible to an email recipient.


How to get DKIM aligned?

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarcanalyzer.com; s=esp;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
        bh=2HwW3CA4rVUiIEZ+CZKRnQBMbPPiNoY8wzG2xcLU9p0=;
        b=GBhVjPSyXnw5PeMKHul/qbBAJSa5s8WkDud+08cnl6IHNQzM3ahtLMRZ8O/wjNMDHG
        oKA9oweIbqPyAEblZWAj878UJ7rlLBlb0xfS3TOhhp3G4wNHQNoBtwA6+cTGbX7yP0QY
        a/vFWnBYsvhjikdKlO5Gfd76EDPreO6pA0ASw=
Authentication-Results: mx.google.com;
        dkim=pass [email protected] header.s=esp header.b=GBhVjPSy;
        spf=pass (google.com: domain of [email protected] designates 2607:f8b0:48:20::c47 as permitted sender) [email protected];
        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=dmarcanalyzer.com
From: M. van de Vis <[email protected]>

● Goal: the sending source is set up to digitally sign each email with the domain's private key
● The signature is added to the mail as a header (DKIM-Signature)
● Keys are created by the sending party; the private key is used to sign
● The public key (published in the signing domain's DNS at <selector>._domainkey.<d= domain>) is used to validate
● Use the d= tag to determine which domain hosts the public key; for alignment, d= has to match the From domain


How to get SPF aligned?

● Goal: the IP of the sending source is whitelisted for the domain being checked
● Whitelist the IP addresses (or hosts) which are allowed to send mail on behalf of the MAIL FROM domain by listing them in that domain's SPF record
● Typically the domain in the Return-Path header (the envelope MAIL FROM) is the one checked
● When the Return-Path is empty (for instance for out-of-office replies and bounces) the HELO domain is used instead
● For alignment, the domain that passed SPF has to match the From header domain; an SPF pass for an unrelated domain does not make DMARC pass, as the example below shows
● Watch out: only 10 DNS lookups (include, a, mx, ptr, exists, redirect) are allowed while evaluating the SPF record

Return-Path: [email protected]
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of [email protected] designates 2607:f8b0:48:20::c47 as permitted sender) [email protected];
        dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=dmarcanalyzer.com
From: M. van de Vis <[email protected]>
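The alignment rules from the alignment, DKIM and SPF slides, worked through in code. This is an added example for this training page, not code from DMARC Analyzer: it reads a received message's From, Return-Path, DKIM-Signature and Authentication-Results headers, falls back to the HELO name when the Return-Path is empty, and applies relaxed or strict alignment to decide whether a source is compliant, partially compliant (authenticated for another domain) or not compliant. The public-suffix subset, the four sample messages and the HELO value are constructed for the example.

```python
import re

# Assumption: a hand-picked subset of the Public Suffix List, enough for this
# example. A real implementation loads the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "au", "gov.au", "qld.gov.au"}

def organizational_domain(domain):
    """Public suffix plus one label, as DMARC uses it for relaxed alignment (RFC 7489 section 3.2)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):            # the longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)

def aligned(auth_domain, from_domain, mode="r"):
    """'s' (strict) needs an exact match, 'r' (relaxed) the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)

def parse_headers(raw):
    """(name, value) pairs from the header block; names lower-cased, folded lines joined."""
    fields = []
    for line in raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def address_domain(value):
    """Domain of the address in a From/Return-Path value; '' for the null sender <>."""
    m = re.search(r"<([^>]*)>", value)
    addr = m.group(1) if m else value.strip()
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def evaluate_dmarc(raw, helo="", adkim="r", aspf="r"):
    """Classify one received message the way the source investigation does.
    helo: the HELO/EHLO name from the SMTP session (assumption: taken from the
    receiving MTA's Received header), used when the Return-Path is empty."""
    fields = parse_headers(raw)
    from_domain = address_domain(next(v for n, v in fields if n == "from"))
    ar = " ".join(v for n, v in fields if n == "authentication-results")
    # DKIM: only signatures the receiver verified count; their signing domain is the identifier.
    dkim_domains = []
    if re.search(r"\bdkim=pass\b", ar):
        dkim_domains = re.findall(r"header\.[di]=(?:[^@\s;]*@)?([A-Za-z0-9.-]+)", ar)
        if not dkim_domains:                # fall back to the d= tag of the signature itself
            for n, v in fields:
                m = re.search(r"(?:^|;)\s*d=([^;\s]+)", v) if n == "dkim-signature" else None
                if m:
                    dkim_domains.append(m.group(1))
    # SPF: the identifier is the Return-Path (MAIL FROM) domain, or the HELO name when
    # the envelope sender is empty (out-of-office replies, bounces).
    spf_domain = ""
    if re.search(r"\bspf=pass\b", ar):
        rp = [v for n, v in fields if n == "return-path"]
        spf_domain = (address_domain(rp[0]) if rp else "") or helo.lower()
    dkim_aligned = any(aligned(d, from_domain, adkim) for d in dkim_domains)
    spf_aligned = aligned(spf_domain, from_domain, aspf)
    if dkim_aligned or spf_aligned:
        status = "compliant"                # DMARC pass: at least one aligned pass
    elif dkim_domains or spf_domain:
        status = "partially compliant"      # authenticated, but for another domain
    else:
        status = "not compliant"            # nothing passed at all
    return {"from_domain": from_domain, "dkim_domains": dkim_domains, "dkim_aligned": dkim_aligned,
            "spf_domain": spf_domain, "spf_aligned": spf_aligned, "status": status}

# Constructed sample messages (not captured traffic), cut down to the headers that matter.
ESP_ALIGNED = """\
Authentication-Results: mx.example.net; dkim=pass header.i=@dmarcanalyzer.com header.s=esp;
 spf=pass smtp.mailfrom=bounce.dmarcanalyzer.com
Return-Path: <bounces@bounce.dmarcanalyzer.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarcanalyzer.com; s=esp; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Demo <demo@demo.dmarcanalyzer.com>
"""
# The partially compliant source of the investigation slides: authenticated for the ESP's own domain.
ESP_NOT_ALIGNED = """\
Authentication-Results: mx.example.net; dkim=pass header.d=esp-domain.com header.s=k1; spf=pass smtp.mailfrom=esp-domain.com
Return-Path: <bounces@esp-domain.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp-domain.com; s=k1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Demo <demo@demo.dmarcanalyzer.com>
"""
# Out-of-office reply: empty envelope sender, so SPF was evaluated on the HELO name.
OUT_OF_OFFICE = """\
Authentication-Results: mx.example.net; dkim=none; spf=pass smtp.helo=mta1.esp-domain.com
Return-Path: <>
From: Demo <demo@demo.dmarcanalyzer.com>
"""
# Unknown source using the domain: nothing authenticates.
UNKNOWN_SOURCE = """\
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=demo.dmarcanalyzer.com
Return-Path: <demo@demo.dmarcanalyzer.com>
From: Demo <demo@demo.dmarcanalyzer.com>
"""

if __name__ == "__main__":
    for label, msg, helo in [("ESP aligned", ESP_ALIGNED, ""), ("ESP not aligned", ESP_NOT_ALIGNED, ""),
                             ("out of office", OUT_OF_OFFICE, "mta1.esp-domain.com"), ("unknown", UNKNOWN_SOURCE, "")]:
        print(f"{label:>16}: {evaluate_dmarc(msg, helo=helo)['status']}")
```

Running the first sample with adkim="s" and aspf="s" turns it from compliant into partially compliant, because the ESP signs with the organizational domain while the From header uses a subdomain; check which subdomains send before tightening the DMARC record to strict alignment.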

Summarized

● The technical explanation can be a little overwhelming
● Implementing DMARC is all about locating and protecting your valid sending sources
● How can this be translated into understandable situations?
● Source investigation process - mapped to real-life scenarios


What does good look like?

● Breadcrumb: Aggregate reports > Per sending source > DMARC compatible sources > Office 365
● SPF "aligned" - Return-Path domain matches the From domain
● DKIM "aligned" - DKIM signing domain (d=) matches the From domain
● Valid sender for your organization


What does bad look like?

● Breadcrumb: Aggregate reports > Per sending source > Failed > Unknown
● In general:
  ○ SPF or DKIM not aligned - not set up, or failing
  ○ Inactive/parked domain from which mail is nonetheless being sent
● You can't stop the abuse, but you can mitigate the impact by implementing DMARC
  ○ Be aware of abuse taking place (it shows as red in the reports)
  ○ Control the result by publishing a specific policy (e.g. p=reject)


Source investigation process

● Scenario 1 - compliant source
  ○ Email Service Provider sending valid mail on behalf of the domain
  ○ DKIM signature with the From domain
  ○ SPF set up with the From domain

● Scenario 2 - non-compliant source
  ○ Internal server
  ○ No DKIM signing
  ○ Invalid SPF setup

● Scenario 3 - invalid source
  ○ List of unknown IP addresses
  ○ IP addresses missing a reverse DNS name
  ○ Typically not that trustworthy
  ○ No DKIM signing
  ○ No valid SPF setup

● Scenario 4 - partially compliant source
  ○ SPF validated source
  ○ SPF in place, but DKIM signing is not "aligned"
    ■ DKIM signing domain: esp-domain.com
    ■ From domain: demo.dmarcanalyzer.com
  ○ Flowchart result on the slide: No - Source is not DKIM capable
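To see what the compliant, partially compliant, failed and invalid sources of the four scenarios look like in the raw data behind the per-source view, here is an added example (not DMARC Analyzer's own code) that parses a DMARC aggregate (RUA) report in the RFC 7489 Appendix C XML schema, puts each record into one of those buckets, computes the compliance percentage, and flags sources without reverse DNS. The report, the reverse-DNS table and the IP addresses are constructed sample data, so the code runs offline.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C schema: sample data for
# this example, not a report received by the Queensland account.
SAMPLE_REPORT = """\
<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>20190228-0001</report_id>
  <date_range><begin>1551225600</begin><end>1551311999</end></date_range></report_metadata>
 <policy_published><domain>demo.dmarcanalyzer.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>demo.dmarcanalyzer.com</header_from></identifiers>
  <auth_results><dkim><domain>dmarcanalyzer.com</domain><result>pass</result></dkim>
   <spf><domain>bounce.dmarcanalyzer.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>30</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>demo.dmarcanalyzer.com</header_from></identifiers>
  <auth_results><dkim><domain>esp-domain.com</domain><result>pass</result></dkim>
   <spf><domain>esp-domain.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.200</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>demo.dmarcanalyzer.com</header_from></identifiers>
  <auth_results><spf><domain>demo.dmarcanalyzer.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>
"""

# Constructed reverse-DNS data standing in for PTR lookups (assumption); the
# scenario's "invalid source" has no PTR record at all.
PTR = {"203.0.113.10": "mail-a.esp-domain.com", "198.51.100.7": "mta7.esp-domain.com"}

def lookup_ptr(ip):
    return PTR.get(ip)

def text(el, path, default=""):
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else default

def classify(record):
    """policy_evaluated holds the *aligned* SPF/DKIM result the receiver computed;
    auth_results holds the raw results. The gap between the two is the partial case."""
    aligned_pass = "pass" in (text(record, "row/policy_evaluated/dkim"), text(record, "row/policy_evaluated/spf"))
    raw_pass = any(text(a, "result") == "pass" for a in record.findall("auth_results/*"))
    if aligned_pass:
        return "DMARC compatible"
    if raw_pass:
        return "Partially compliant"       # authenticated, but not for the From domain
    return "Failed"

def summarize(xml_text, ptr_lookup=lookup_ptr):
    """One row per <record>, in the shape of the per-sending-source view."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        ip = text(rec, "row/source_ip")
        rows.append({
            "source_ip": ip,
            "hostname": ptr_lookup(ip),
            "count": int(text(rec, "row/count", "0")),
            "header_from": text(rec, "identifiers/header_from"),
            "dkim": [(text(d, "domain"), text(d, "result")) for d in rec.findall("auth_results/dkim")],
            "spf": [(text(s, "domain"), text(s, "result")) for s in rec.findall("auth_results/spf")],
            "category": classify(rec),
        })
    return rows

def compliance_rate(rows):
    """Percentage of reported messages that passed DMARC: the number the Compliance Monitor thresholds."""
    total = sum(r["count"] for r in rows)
    passed = sum(r["count"] for r in rows if r["category"] == "DMARC compatible")
    return 100.0 * passed / total if total else 0.0

def invalid_sources(rows):
    """IPs without reverse DNS: the 'invalid source' pattern, normally not worth whitelisting."""
    return sorted({r["source_ip"] for r in rows if r["hostname"] is None})

if __name__ == "__main__":
    rows = summarize(SAMPLE_REPORT)
    for r in rows:
        print(f'{r["source_ip"]:>14} {r["hostname"] or "(no PTR)":<24} {r["count"]:>4} {r["category"]}')
    print(f"compliance: {compliance_rate(rows):.1f}%  invalid sources: {invalid_sources(rows)}")
```

The second record is exactly the partially compliant ESP of scenario 4: both raw results pass for esp-domain.com, yet policy_evaluated says fail because neither identifier aligns with the From domain. With p=none nothing happens to those 30 messages; once the policy is moved to p=quarantine or p=reject they start getting filtered, which is why sources in that bucket have to be fixed first.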

Analyze forensic reports

● Only a few receivers send these reports
  ○ You won't see a forensic report for every failing message
● Generally reported scenarios:
  ○ Out-of-office replies
  ○ Message forwarding
● Available message detail:
  ○ Feedback headers - added by the ISP, give additional insight into the failure details
  ○ Message headers - the headers of the actual message failing DMARC
  ○ Message body - encryption required (the QLD account has this set up)
● The Queensland account uses PGP encryption
  ○ Using the PGP private key the messages can be decrypted
  ○ Full message headers (and optionally the message body) are available in the decrypted body
  ○ Contact QGCIO for the encryption keys

Forensic reports - Out of office

● Commonly seen forensic report, caused by a misconfiguration on the sending side
● Visible via LinkedIn, as they report these messages back through DMARC forensic reports
● Out-of-office (and NDR) mails are sent with an empty envelope sender, so there is no Return-Path domain to check; SPF is then evaluated on the HELO domain, which does not align with the From domain
● Common subject lines:
  ○ You appeared in XX searches this week
  ○ Automatic reply: Don't miss a connection: you have invitations expiring soon.
  ○ XX invitation is awaiting your response
● Solve this by setting up DKIM signing for your sending sources
  ○ As SPF cannot align without a Return-Path, these messages depend on DKIM for DMARC to pass

What happens with forwarders?

● Examples:
  ○ A student has forwarded their university address to a general inbox
  ○ A user has forwarded an old @hotmail inbox to a new @gmail inbox
  ○ An email relaying gateway handles incoming mail and forwards it to other recipients
● SPF does not survive forwarding
  ○ The forwarding server will normally not be in the SPF record of the sending domain
● DKIM can survive forwarding
  ○ The forwarder must not change:
    ■ The message body
    ■ The headers listed in the DKIM-Signature (h=)
    ■ The message encoding
  ○ The forwarder can:
    ■ Add additional headers (provided they are not among the signed ones)
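An added example (not part of the slides) that shows why DKIM survives a plain forwarder but not a mailing list: it implements the relaxed body and header canonicalization from RFC 6376 and checks whether the bh= value and the h= headers of a message are still intact after transit. The RSA signature (b=) is deliberately not verified; a real verifier does that, and it can only fail beyond these two checks if the DKIM-Signature header itself was altered or the key is no longer published. The sample message and the four transit scenarios are constructed, and b= is a placeholder because no private key is involved.

```python
import base64
import hashlib
import re

def split_message(raw):
    """Header fields (folded lines re-joined with their newline) and body of a message."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\n" + line
        else:
            fields.append(line)
    return fields, body

def relaxed_body(body):
    """RFC 6376 section 3.4.4: collapse runs of whitespace, strip trailing
    whitespace, drop trailing empty lines, end every line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" ") for l in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def relaxed_header(field):
    """RFC 6376 section 3.4.2: lower-case name, unfold, collapse whitespace in the value."""
    name, _, value = field.partition(":")
    value = re.sub(r"[ \t]+", " ", value.replace("\n", "")).strip(" ")
    return f"{name.strip().lower()}:{value}"

def body_hash(body):
    """The bh= a relaxed/relaxed rsa-sha256 signer puts in the signature."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def dkim_tags(sig_value):
    tags = {}
    for part in sig_value.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def signed_headers(fields, tags):
    """What a verifier hashes for h=: per listed name the bottom-most instance not yet
    used (RFC 6376 section 5.4.2); an absent header contributes ''."""
    used, out = set(), []
    for name in tags.get("h", "").lower().split(":"):
        for idx in range(len(fields) - 1, -1, -1):
            if idx not in used and fields[idx].partition(":")[0].strip().lower() == name:
                used.add(idx)
                out.append(relaxed_header(fields[idx]))
                break
        else:
            out.append("")
    return out

def dkim_survives(original, forwarded):
    """Would the DKIM-Signature of `original` still verify on `forwarded`?"""
    o_fields, _ = split_message(original)
    f_fields, f_body = split_message(forwarded)
    sig = next(f for f in o_fields if f.lower().startswith("dkim-signature:"))
    tags = dkim_tags(sig.partition(":")[2])
    if body_hash(f_body) != tags["bh"]:
        return False, "body hash mismatch: body changed in transit"
    if signed_headers(o_fields, tags) != signed_headers(f_fields, tags):
        return False, "a signed header changed in transit"
    return True, "body hash and signed headers intact"

def make_signed_message(body):
    """Constructed sample: bh= genuinely matches the body; b= is a placeholder because
    this example holds no private key."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarcanalyzer.com; s=esp;\n"
           " h=from:to:subject:date; bh=" + body_hash(body) + ";\n b=PLACEHOLDER")
    headers = ["From: Demo <demo@demo.dmarcanalyzer.com>", "To: staff@agency.example",
               "Subject: Weekly report", "Date: Thu, 28 Feb 2019 16:00:00 +1000"]
    return "\n".join([sig] + headers) + "\n\n" + body

ORIGINAL = make_signed_message("Hello team,\n\nNumbers are attached.\n")
# A mailbox rule or relay gateway only prepends trace headers; none of them is in h=.
FORWARDED = "Received: from mx.university.example by inbox.example\nX-Forwarded-For: student@university.example\n" + ORIGINAL
# A hop that re-wraps whitespace and adds blank lines: relaxed canonicalization absorbs this.
REWRAPPED = ORIGINAL.replace("Numbers are attached.\n", "Numbers   are attached.   \n\n\n")
# A mailing list that appends a footer changes the body hash ...
LISTED = ORIGINAL + "-- \nstaff mailing list\n"
# ... and one that tags the subject changes a signed header.
RETITLED = ORIGINAL.replace("Subject: Weekly report", "Subject: [staff] Weekly report")

if __name__ == "__main__":
    for label, msg in [("forwarded", FORWARDED), ("rewrapped", REWRAPPED), ("list footer", LISTED), ("list subject", RETITLED)]:
        print(f"{label:>13}: {dkim_survives(ORIGINAL, msg)}")
```

This is also the reason the out-of-office and forwarding forensic reports point at the same fix: once every legitimate source signs with an aligned d= domain, the forwarded copies on the right keep passing DMARC while only mailing-list style rewrites still fail.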


Forensic reports - Forwarding

● Commonly seen forensic report. Could indicate a misconfiguration on the initial sending source or on the forwarder
● Forwarded messages: SPF breaks when the message is forwarded, DKIM can "survive" forwarding
● Visible through the message headers
  ○ Main headers to look at:
    ■ From
    ■ Return-Path
    ■ Authentication-Results
  ○ Forwarding-specific headers which could appear:
    ■ X-Forwarded-For
    ■ X-Forwarded-IP
    ■ X-Forwarded-Proto
  ○ Visible after decrypting the message
● Solve this by setting up DKIM signing for your sending sources

Forensic reports - Abuse

● Subject lines pointing to abuse
● After decryption the report can show the message headers and the message body
● Similar reports can also show valid sending sources with an invalid setup
● Enforce DMARC with a p=quarantine / p=reject policy to start protecting your users against these messages

Monitoring your data

● Step 1 - DMARC summary - set up directly
  ○ Daily report on your compliance
  ○ Useful to monitor your compliance without having to log in
● Step 2 - DNS Monitor - set up directly
  ○ Use this to get notified of DNS failures
  ○ Prevent failures by pre-validating SPF updates
  ○ Issues in DNS can have a high impact
● Step 3 - Compliance Monitor - set up after determining your compliance baseline
  ○ Configure triggers which inform you when:
    ■ Your compliance drops below a certain threshold
    ■ You suddenly have a high number of failing messages
    ■ You suddenly have a high number of forensic reports
● Demonstration of this process in the DMARC Analyzer Suite
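A way to pre-validate an SPF record before publishing it, as the DNS Monitor step suggests, and to check the 10-lookup limit mentioned on the SPF slide. This is an added example rather than DMARC Analyzer's tooling: it walks a record through every include: and redirect= it pulls in, counts the DNS-querying terms the way RFC 7208 section 4.6.4 does (worst case, every term evaluated), and reports the breakages that turn SPF into a permanent error. The zone data is constructed and none of the records are real, so it runs offline; replace resolve_txt with a real TXT lookup to audit live domains.

```python
import re

# Constructed zone data so the audit runs offline (assumption: none of these are
# real DNS records; a live version would query TXT records via dnspython).
ZONE = {
    "demo.dmarcanalyzer.com": ["v=spf1 include:spf.esp-domain.example include:spf.office.example mx a:mail.demo.dmarcanalyzer.com ~all"],
    "spf.esp-domain.example": ["v=spf1 ip4:203.0.113.0/24 include:spf2.esp-domain.example ~all"],
    "spf2.esp-domain.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "spf.office.example": ["v=spf1 include:a.office.example include:b.office.example include:c.office.example -all"],
    "a.office.example": ["v=spf1 ip4:192.0.2.0/26 -all"],
    "b.office.example": ["v=spf1 ip4:192.0.2.64/26 -all"],
    "c.office.example": ["v=spf1 ip4:192.0.2.128/26 -all"],
    # A record that accumulated includes over the years and now breaks SPF entirely:
    "marketing.example": ["v=spf1 include:spf.office.example include:spf.esp-domain.example a mx ptr exists:%{i}.rbl.example include:spf.office.example +all"],
    # Two SPF records on one name: receivers return permerror, so SPF never passes.
    "parked.example": ["v=spf1 -all", "v=spf1 mx -all"],
}

# Terms that cost a DNS query under the RFC 7208 section 4.6.4 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def resolve_txt(domain):
    return ZONE.get(domain.lower(), [])

def audit_spf(domain, resolve=resolve_txt, _path=()):
    """Count the DNS lookups an evaluation of `domain`'s SPF record can trigger and
    collect the problems a receiver would trip over. Returns {'lookups': n, 'issues': [...]}."""
    issues, lookups = [], 0
    records = [r for r in resolve(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return {"lookups": 0, "issues": [f"{domain}: no SPF record (permerror when referenced by include:)"]}
    if len(records) > 1:
        issues.append(f"{domain}: {len(records)} SPF records published, receivers return permerror")
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        m = re.match(r"([a-z0-9_-]+)(?:[:=/](.*))?$", term.lstrip("+-~?"), re.I)
        if not m:
            issues.append(f"{domain}: unparsable term {term!r}")
            continue
        name, target = m.group(1).lower(), m.group(2) or ""
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append(f"{domain}: ptr mechanism is deprecated (RFC 7208 section 5.5)")
        if name == "all" and qualifier == "+":
            issues.append(f"{domain}: +all authorizes every host on the internet")
        if name in ("include", "redirect"):
            if target.lower() in {d.lower() for d in _path + (domain,)}:
                issues.append(f"{domain}: {name} loop via {target}")
                continue
            sub = audit_spf(target, resolve, _path + (domain,))
            lookups += sub["lookups"]
            issues += sub["issues"]
    if not _path and lookups > 10:           # the limit applies to the whole evaluation, so test it once at the top
        issues.append(f"{domain}: {lookups} DNS lookups, limit is 10 (permerror, SPF fails for every message)")
    return {"lookups": lookups, "issues": issues}

if __name__ == "__main__":
    for d in ("demo.dmarcanalyzer.com", "marketing.example", "parked.example", "missing.example"):
        r = audit_spf(d)
        print(f"{d}: {r['lookups']} lookups; " + ("; ".join(r["issues"]) or "no issues"))
```

Note that the same include: counted twice costs two lookups: receivers evaluate mechanisms left to right and only stop at a match, so a record has to stay under the limit even when the sending IP matches nothing. Run the audit on the candidate record before changing the TXT record, since an SPF permerror affects every message from the domain at once.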


Actions to take now

● These actions are taken from the latest Managed Services report we have created for Queensland
● If your agency needs help implementing DMARC, we can set up an individual Managed Services project with your agency. Please contact Peter if you are interested
● Some detected possible valid sending sources without proper authentication:
  ○ Brightspace - no DKIM signing, or not set up at all
  ○ Internal *.qld.gov.au senders - no DKIM signing / missing alignment
  ○ Marketo
  ○ Emdbms.com (Vision6)
  ○ Squiz.net
● DNS issues
  ○ Missing DMARC records on quite a few domains
  ○ SPF invalid on several domains
● Security - set up two-factor authentication for your DMARC Analyzer account

Questions?

DMARC Analyzer
Stationsplein 12-1
1211 EX Hilversum
The Netherlands

Phone: +31 (0) 35 531 1115 / +31 (0) 85 13 00 788
Email: [email protected]