© Men & Mice http://menandmice.com
SPF, DKIM and DMARC
Mail-Reputation and DNS
Wednesday 26 October 16
Sender Policy Framework
SPF
• Sender Policy Framework (SPF) defines the addresses from which mail for a given domain may originate
• this information is stored in its own SPF format inside a TXT record
• there used to be a dedicated SPF record type; it has been deprecated because it was ignored by mail and DNS administrators
• Website: http://www.openspf.org
SPF-Example
• the Google SPF record:
google.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
• google.com.: mail-sender domain
• v=spf1: SPF format version
• include:_spf.google.com: include the SPF information from the subdomain _spf.google.com
• ~all: soft-fail the SPF check for every sender not matched by the preceding mechanisms
SPF-Example
• the Google SPF record for the included subdomain:
_spf.google.com. 299 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
• the include: mechanisms pull in the SPF records of Google's network blocks
SPF-Example
• the Google SPF record for one of the network-block subdomains:
_netblocks.google.com. 3600 IN TXT "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
• the ip4: mechanisms list Google's mail-sending addresses
SPF-Operation
Diagram: the participants are the example.com authoritative DNS server, the example.com outgoing mail server and the receiving mail server.
• the example.com outgoing mail server sends mail on port 25 from 192.0.2.123
• the receiving mail server looks up the SPF record for "example.com"
• the authoritative DNS server answers: example.com IN TXT "v=spf1 ip4:192.0.2.0/24 -all"
• the receiving mail server checks if the sending address is within the SPF data
• mail has been received
SPF issues
• SPF is problematic with mail functions where mail is sent indirectly, for example:
• mail forwarding
• mailing lists
• web forms: http://bsdly.blogspot.nl/2016/10/is-spf-simply-too-hard-for-application.html
SPF problem with forwarding
Diagram: the participants are the example.com authoritative DNS server, the example.com outgoing mail server, a mailing-list server and the receiving mail server.
• the example.com outgoing mail server sends mail from [email protected] on port 25 from 192.0.2.123 to the mailing-list server
• the mailing-list server forwards the mail from [email protected] on port 25 from 203.0.113.23 to the receiving mail server
• the receiving mail server looks up the SPF record for "example.com"
• the authoritative DNS server answers: example.com IN TXT "v=spf1 ip4:192.0.2.0/24 -all"
• the receiving mail server checks if the sending address is within the SPF data
• mail rejected, as the sender IP (203.0.113.23, the mailing-list server) does not appear in the SPF data
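As an added example (not code from the slides), the receiver-side SPF check from the two diagrams above, written in Python against a constructed in-memory stand-in for DNS; the example.com record and a subset of the Google records are reused as sample data, and only the ip4:, include: and all mechanisms they use are implemented. It returns pass for the direct delivery and fail for the mailing-list relay, which is exactly the forwarding problem.

```python
# Added example: minimal SPF evaluation as done by the receiving mail server.
# DNS is replaced by the constructed table below so the code runs offline;
# only the ip4:, include: and all mechanisms seen on this page are handled.
import ipaddress

# Constructed stand-in for the authoritative DNS servers (TXT records only).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "google.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:64.18.0.0/20 ip4:74.125.0.0/16 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Return the SPF result for sender_ip claiming to send mail for domain."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier = "+"                 # default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "include":
            # include: matches only when the included record yields "pass";
            # its own fail/softfail does not end the outer evaluation
            if check_spf(arg, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" present

if __name__ == "__main__":
    # direct delivery from example.com's own mail server: pass
    print(check_spf("example.com", "192.0.2.123"))
    # the same mail relayed by the mailing-list server: fail (forwarding problem)
    print(check_spf("example.com", "203.0.113.23"))
    # nested includes resolve down to Google's netblocks; unknown senders soft-fail
    print(check_spf("google.com", "74.125.1.2"), check_spf("google.com", "198.51.100.7"))
```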
DKIM: DomainKeys Identified Mail
DKIM
• DKIM cryptographically signs selected mail headers and the mail content
• DKIM is used to validate the mail message content, not to secure the transport path
• no upgrade of the user's mail client (MUA) is needed
• but mail clients can offer per-user signing as an option
• DKIM management can be "outsourced" (ISP, e-mail hosting provider)
• no PKI infrastructure is needed; DKIM depends only on DNS
DKIM
• DKIM Website
• http://dkim.org/
• Documents
• RFC 5585 - DomainKeys Identified Mail (DKIM) Service Overview: https://tools.ietf.org/html/rfc5585
• RFC 6376 - DomainKeys Identified Mail (DKIM) Signatures: https://tools.ietf.org/html/rfc6376
• RFC 5863 - DomainKeys Identified Mail (DKIM) Development, Deployment, and Operations: https://tools.ietf.org/html/rfc5863
• RFC 5617 - DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP): https://tools.ietf.org/html/rfc5617
• RFC 6377 - DomainKeys Identified Mail (DKIM) and Mailing Lists: https://tools.ietf.org/html/rfc6377
DKIM Signature in the Mail Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]
• v=1: DKIM version
• a=rsa-sha256: DKIM signing algorithm
• c=relaxed/relaxed: canonicalization algorithm for headers and body; "relaxed" tolerates common modifications such as whitespace replacement and header field line rewrapping
• d=mennogmys.onmicrosoft.com: domain of the sending party; this is where the public key to verify the signature is located
• s=selector1-menandmice-com: selector, prepended (together with the "_domainkey" label) to the domain to fetch the DKIM public key
• h=From:Date:Subject:Message-ID:Content-Type:MIME-Version: header fields signed by the sending party
• bh=...: body hash, the hash of the message body
• b=...: signature over the signed header fields and the body hash
Fetching the DKIM key
• the DKIM public key can be found inside a TXT record at a domain name built from
• the selector
• the subdomain "_domainkey"
• the base mail domain (d= field)
$ dig selector1-menandmice-com._domainkey.mennogmys.onmicrosoft.com TXT +short
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDenG16IONFpDPACAhDnCd/N98W277rSbwSoatar767pSYtT+CClFqhmEePynSVGdS0RxIjFZscmVN5RZjnfD+HE1HL4XvUtxnnb1j0PeNfhrDHy7BHFGux6exfL7/splByKu7qhLBP10+SyAjiE4Qc6xWfCQ3MzmECZGW/CzzmOQIDAQAB; n=1024,1450909615,1"
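Added example, not code from the slides or from Men & Mice: the receiver-side handling of the DKIM-Signature header above, that is, parsing its tags, deriving the key lookup name from s= and d=, and recomputing bh= with relaxed body canonicalization. It shows why whitespace rewrapped by a relay still verifies while a footer appended by a mailing list does not. The message bodies and the second header (d=example.com, s=sel1) are constructed.

```python
# Added example: DKIM-Signature parsing, key lookup name, and the bh= body hash
# recomputed with "relaxed" body canonicalization (RFC 6376, section 3.4.4).
# Bodies and the second header are constructed; no DNS lookup is performed.
import base64, hashlib, re

# Header value from the slides (b= truncated as on the slide).
PAGE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; "
               "s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; "
               "bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]")

def parse_dkim_signature(value):
    """Split 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_key_name(tags):
    """DNS name of the TXT record holding the public key: <s>._domainkey.<d>"""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

def relaxed_body(body):
    """Collapse SP/TAB runs to one SP, strip trailing WSP per line, drop
    trailing empty lines, and end a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body):
    """Base64 SHA-256 of the canonicalized body: the value carried in bh="""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def body_hash_matches(header_value, body):
    """True if bh= in the header equals the hash recomputed over this body."""
    return parse_dkim_signature(header_value)["bh"] == body_hash(body)

# Constructed: body as signed, after a relay re-wrapped whitespace, after a list footer.
SIGNED_BODY = "Meeting moved to   Friday.\r\n\r\n"
REWRAPPED_BODY = "Meeting moved to Friday. \r\n"
FOOTERED_BODY = SIGNED_BODY + "--\r\nlist footer\r\n"
CONSTRUCTED_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
                      "h=From:Subject; bh=%s; b=" % body_hash(SIGNED_BODY))

if __name__ == "__main__":
    print(dkim_key_name(parse_dkim_signature(PAGE_HEADER)))
    print(body_hash_matches(CONSTRUCTED_HEADER, REWRAPPED_BODY))   # True
    print(body_hash_matches(CONSTRUCTED_HEADER, FOOTERED_BODY))    # False
```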
DKIM operation
Diagram: the participants are the example.com authoritative DNS server, the example.com outgoing mail server, a mail forwarder and the receiving mail server.
• the mail gets signed with the "example.com" private DKIM key
• the example.com outgoing mail server sends mail from [email protected] on port 25 from 192.0.2.123 to the mail forwarder
• the mail forwarder forwards the mail from [email protected] on port 25 from 203.0.113.23 to the receiving mail server
• the receiving mail server looks up the DKIM public key for "example.com"
• the authoritative DNS server answers: <selector>._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIG[...]"
• the receiving mail server validates the DKIM signed headers and body
• mail has been received (the signature verifies regardless of which IP address delivered the message)
DMARC: Domain-based Message Authentication, Reporting & Conformance
DMARC
• DMARC builds on top of SPF and DKIM
• it allows the owner of an e-mail domain to publish a policy on how receivers should treat SPF and DKIM failures
• DMARC can be used to publish a feedback channel that lets the domain owner know about spoofed mail claiming to come from their domain
• the DMARC policy is stored in DNS
DMARC
• example DMARC record
"v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]"
• v=DMARC1: protocol version
• p=reject: policy for the organizational domain
• pct=100: percentage of messages subjected to filtering
• rua=mailto:...: where to send the aggregated misuse reports
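Added example, not from the slides: parsing the DMARC record above and applying it to SPF and DKIM results like those in the earlier diagrams, including the identifier alignment with the From: domain that DMARC adds on top of the two checks. The organizational-domain rule is simplified to the last two labels (an assumption; real receivers use the Public Suffix List), and the rua address and the message scenarios are constructed.

```python
# Added example: parse a DMARC record and decide the disposition of a message
# from its SPF and DKIM results. SPF/DKIM only count when the domain they
# authenticated aligns with the RFC5322.From domain; otherwise p= (sampled by
# pct=) applies. Assumption: organizational domain = last two labels.

DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}   # RFC 7489 defaults

def parse_dmarc(record):
    """Turn 'v=DMARC1;p=reject;pct=100;rua=...' into a dict; v= and p= required."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    return {**DEFAULTS, **tags}

def org_domain(name):
    """Simplified organizational domain: the last two labels (assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs identical names, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(tags, from_domain, spf, dkim, roll=0):
    """spf/dkim are (result, authenticated domain) pairs: for SPF the envelope
    sender domain, for DKIM the d= tag. roll in [0, 100) drives pct= sampling;
    roll=0 always applies p=."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    if roll < int(tags["pct"]):
        return tags["p"]
    # messages outside the pct= sample get the next weaker policy (RFC 7489 6.6.4)
    return {"reject": "quarantine", "quarantine": "none"}.get(tags["p"], "none")

# The record from the slide; the rua mailbox is constructed.
POLICY = parse_dmarc("v=DMARC1;p=reject;pct=100;rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    # forwarded mail: SPF fails on the forwarder's IP, but the aligned DKIM
    # signature made by example.com still verifies -> DMARC pass
    print(dmarc_disposition(POLICY, "example.com", ("fail", "example.com"), ("pass", "example.com")))
    # From: claims example.com, but SPF passes only for an unrelated domain -> reject
    print(dmarc_disposition(POLICY, "example.com", ("pass", "unrelated.example"), ("none", "")))
```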