Fighting Abuse with DNS


Transcript of Fighting Abuse with DNS

Page 1: Fighting Abuse with DNS

© Men & Mice http://menandmice,com

SPF, DKIM and DMARC

Mail-Reputation and DNS

Wednesday 26 October 16

Page 2: Fighting Abuse with DNS

Sender Policy Framework

Page 3: Fighting Abuse with DNS

SPF

• Sender Policy Framework (SPF) defines the addresses from which mail for a given domain may originate

• this information is stored in its own SPF format inside a TXT record

• there used to be a dedicated SPF record type; it has been deprecated because it was ignored by mail and DNS admins

• Website: http://www.openspf.org

Page 4: Fighting Abuse with DNS

SPF-Example

• the Google SPF record

google.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"

• google.com.: mail sender domain

• v=spf1: SPF format version

• include:_spf.google.com: include the SPF information from the subdomain _spf.google.com

• ~all: soft-fail SPF checks for all other addresses

Page 5: Fighting Abuse with DNS

SPF-Example

• the Google SPF record (continued)

_spf.google.com. 299 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

• include:_netblocks*.google.com: includes of the Google network blocks


Page 7: Fighting Abuse with DNS

SPF-Example

• the Google SPF record (continued)

_netblocks.google.com. 3600 IN TXT "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

• ip4: mechanisms: Google mail-sending addresses

Page 8: Fighting Abuse with DNS

SPF-Operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / receiving mail server]

the example.com outgoing mail server sends mail on port 25 from 192.0.2.123

Page 9: Fighting Abuse with DNS

SPF-Operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / receiving mail server]

the receiving mail server looks up the SPF record for "example.com"

Page 10: Fighting Abuse with DNS

SPF-Operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / receiving mail server]

the authoritative DNS answers with the SPF record:

example.com IN TXT "v=spf1 ip4:192.0.2.0/24 -all"

Page 11: Fighting Abuse with DNS

SPF-Operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / receiving mail server]

the receiving mail server checks whether the sending address is within the SPF data

Page 12: Fighting Abuse with DNS

SPF-Operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / receiving mail server]

mail has been received

Page 13: Fighting Abuse with DNS

SPF issues

• SPF is problematic with some mail functions where mail is sent indirectly:

• mail forwarding

• mailing lists

• web forms - http://bsdly.blogspot.nl/2016/10/is-spf-simply-too-hard-for-application.html

Page 14: Fighting Abuse with DNS

SPF problem with forwarding

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mailing-list server / receiving mail server]

sending mail from [email protected] on port 25 from 192.0.2.123 (to the mailing-list server)

Page 15: Fighting Abuse with DNS

SPF problem with forwarding

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mailing-list server / receiving mail server]

the mailing-list server sends the mail on, still from [email protected], on port 25 from 203.0.113.23

Page 16: Fighting Abuse with DNS

SPF problem with forwarding

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mailing-list server / receiving mail server]

the receiving mail server looks up the SPF record for "example.com"

Page 17: Fighting Abuse with DNS

SPF problem with forwarding

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mailing-list server / receiving mail server]

the authoritative DNS answers with the SPF record:

example.com IN TXT "v=spf1 ip4:192.0.2.0/24 -all"

Page 18: Fighting Abuse with DNS

SPF problem with forwarding

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mailing-list server / receiving mail server]

the receiving mail server checks whether the sending address (203.0.113.23) is within the SPF data

Page 19: Fighting Abuse with DNS

SPF problem with forwarding

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mailing-list server / receiving mail server]

mail rejected, as the sender IP does not appear in the SPF data

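The check the receiving mail server performs on pages 8 to 12, and the forwarding failure on pages 14 to 19, as an added example that is not part of the original deck: a small Python SPF evaluator for the terms the slides show (ip4:/ip6: networks, include:, all, with the + - ~ ? qualifiers). DNS is replaced by a constructed in-memory table of TXT records (the deck's example.com record and a cut-down version of the Google include chain) so it runs offline; the names check_host, lookup_spf and TXT_RECORDS are this example's own.

```python
"""SPF check_host against an offline, constructed DNS snapshot.

Added example; not code from the Men & Mice deck. Implements the SPF terms the
slides use (ip4:/ip6: networks, include:, all) with the + - ~ ? qualifiers.
"""
import ipaddress

# Constructed TXT records standing in for live DNS: the deck's example.com
# record plus a cut-down copy of the google.com include chain.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "google.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:64.18.0.0/20 ip4:74.125.0.0/16 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 caps include/a/mx/ptr/exists lookups per check


def lookup_spf(domain, records=TXT_RECORDS):
    """Return the v=spf1 TXT record published for domain, or None."""
    txt = records.get(domain.lower().rstrip("."))
    if txt and txt.lower().startswith("v=spf1"):
        return txt
    return None


def check_host(ip, domain, records=TXT_RECORDS, _lookups=None):
    """SPF result for a connection from `ip` claiming MAIL FROM domain `domain`.

    Returns one of pass, fail, softfail, neutral, none, permerror, mirroring
    the result names of RFC 7208.
    """
    if _lookups is None:
        _lookups = [0]                    # shared counter across include: recursion
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:       # skip the v=spf1 version tag
        if "=" in term:
            continue                      # modifiers (redirect=, exp=) not handled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, records, _lookups)
            if sub == "pass":             # include: matches only on "pass"
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"        # a broken include chain is a hard error
        else:
            return "permerror"            # a/mx/ptr/exists not implemented here
    return "neutral"                      # nothing matched and no "all" term


if __name__ == "__main__":
    print("direct   192.0.2.123  ->", check_host("192.0.2.123", "example.com"))
    print("relayed  203.0.113.23 ->", check_host("203.0.113.23", "example.com"))
```

check_host("192.0.2.123", "example.com") returns "pass" for the direct delivery and check_host("203.0.113.23", "example.com") returns "fail" for the copy relayed by the mailing-list server: SPF only ever sees the last-hop IP, which is exactly what the forwarding slides illustrate and what DKIM in the next section addresses.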

Page 21: Fighting Abuse with DNS

DKIM: DomainKeys Identified Mail

Page 22: Fighting Abuse with DNS

DKIM

• DKIM cryptographically signs selected mail headers and the mail content

• DKIM is used to validate the mail message content, but not to secure the transport path

• No upgrade to the user client (the e-mail program) is needed

• But e-mail clients can offer per-user signing as an option

• DKIM management can be "outsourced" (ISP, e-mail hosting provider)

• No PKI infrastructure needed; it only depends on DNS

Page 23: Fighting Abuse with DNS

DKIM

• DKIM Website: http://dkim.org/

• Documents:

• RFC 5585 - DomainKeys Identified Mail (DKIM) Service Overview: https://tools.ietf.org/html/rfc5585

• RFC 6376 - DomainKeys Identified Mail (DKIM) Signatures: https://tools.ietf.org/html/rfc6376

• RFC 5863 - DomainKeys Identified Mail (DKIM) Development, Deployment, and Operations: https://tools.ietf.org/html/rfc5863

• RFC 5617 - DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP): https://tools.ietf.org/html/rfc5617

• RFC 6377 - DomainKeys Identified Mail (DKIM) and Mailing Lists: https://tools.ietf.org/html/rfc6377

Page 24: Fighting Abuse with DNS

DKIM Signature in the Mail Header

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com; s=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]

• v=1: DKIM version

Page 25: Fighting Abuse with DNS

DKIM Signature in the Mail Header (continued)

• a=rsa-sha256: DKIM signing algorithm

Page 26: Fighting Abuse with DNS

DKIM Signature in the Mail Header (continued)

• c=relaxed/relaxed: canonicalization algorithm; "relaxed" is the algorithm that tolerates common modifications such as whitespace replacement and header field line rewrapping

Page 27: Fighting Abuse with DNS

DKIM Signature in the Mail Header (continued)

• d=mennogmys.onmicrosoft.com: domain of the sending party; this is where the public key to verify the signature is located

Page 28: Fighting Abuse with DNS

DKIM Signature in the Mail Header (continued)

• s=selector1-menandmice-com: subdomain selector; it will be prepended to the domain to fetch the DKIM public key

Page 29: Fighting Abuse with DNS

Fetching the DKIM key

• The DKIM public key can be found inside a TXT record at a domain name built from

• the selector (s: field)

• the subdomain "_domainkey"

• the base mail domain (d: field)

$ dig selector1-menandmice-com._domainkey.mennogmys.onmicrosoft.com TXT +short
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDenG16IONFpDPACAhDnCd/N98W277rSbwSoatar767pSYtT+CClFqhmEePynSVGdS0RxIjFZscmVN5RZjnfD+HE1HL4XvUtxnnb1j0PeNfhrDHy7BHFGux6exfL7/splByKu7qhLBP10+SyAjiE4Qc6xWfCQ3MzmECZGW/CzzmOQIDAQAB; n=1024,1450909615,1"

Page 30: Fighting Abuse with DNS

DKIM Signature in the Mail Header (continued)

• h=From:Date:Subject:Message-ID:Content-Type:MIME-Version: header fields signed by the sending party

Page 31: Fighting Abuse with DNS

DKIM Signature in the Mail Header (continued)

• bh=Rk04UQbu8aZGogweVSHLqo55rIPXR0OajjGVpZOcEic=: body hash, the hash of the message body

Page 32: Fighting Abuse with DNS

DKIM Signature in the Mail Header (continued)

• b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/[...]: signature over the header fields and the body hash

Page 33: Fighting Abuse with DNS

DKIM operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mail forwarder / receiving mail server]

mail gets signed with the "example.com" private DKIM key

Page 34: Fighting Abuse with DNS

DKIM operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mail forwarder / receiving mail server]

sending mail from [email protected] on port 25 from 192.0.2.123 (to the mail forwarder)

Page 35: Fighting Abuse with DNS

DKIM operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mail forwarder / receiving mail server]

the mail forwarder sends the mail on, still from [email protected], on port 25 from 203.0.113.23

Page 36: Fighting Abuse with DNS

DKIM operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mail forwarder / receiving mail server]

the receiving mail server looks up the DKIM public key for "example.com"

Page 37: Fighting Abuse with DNS

DKIM operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mail forwarder / receiving mail server]

the authoritative DNS answers with the key record (selector as on page 29, written as a placeholder here):

<selector>._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIG[...]"

Page 38: Fighting Abuse with DNS

DKIM operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mail forwarder / receiving mail server]

the receiving mail server validates the DKIM-signed headers and body

Page 39: Fighting Abuse with DNS

DKIM operation

[Diagram: example.com authoritative DNS / example.com outgoing mail server / mail forwarder / receiving mail server]

mail has been received
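The verifier-side steps shown on pages 24 to 32 and 36 to 38 (derive the key record name from s= and d=, canonicalize, recompute the body hash and compare it with bh=) as an added example, not code from the deck or from any DKIM library. It uses only the Python standard library; parse_tags, dkim_key_name, relaxed_body, simple_body, relaxed_header, body_hash, body_hash_matches, split_message, check_body_hash and sample_message are this example's own names. The DKIM-Signature tags and the key record are the ones shown on the slides; the message body is constructed. Checking the b= RSA signature is left out: it needs an RSA implementation and the slides' b= value is truncated.

```python
"""DKIM verification building blocks, offline and standard library only.

Added example; not code from the deck or from any DKIM library. Covers the
steps before the RSA check: parsing the DKIM-Signature tags, deriving the key
record name, parsing the DKIM TXT record, relaxed canonicalization (RFC 6376
section 3.4) and recomputing the bh= body hash.
"""
import base64
import hashlib
import re

# The public key record the deck fetches with dig on page 29, value as shown there.
DECK_KEY_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDenG16IONFpDPACAhDnCd/N98W277rSbwSoatar767pSYtT+CClFqhmEePynSVGdS0RxIjFZscmVN5RZjnfD+HE1HL4XvUtxnnb1j0PeNfhrDHy7BHFGux6exfL7/splByKu7qhLBP10+SyAjiE4Qc6xWfCQ3MzmECZGW/CzzmOQIDAQAB; n=1024,1450909615,1"


def parse_tags(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or DKIM TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is ignored
    return tags


def dkim_key_name(sig):
    """DNS name of the public key: <selector>._domainkey.<signing domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def relaxed_body(body):
    """RFC 6376 3.4.4: drop trailing WSP per line, squeeze WSP runs to one SP,
    remove empty lines at the end, terminate a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ")
             for line in body.replace(b"\r\n", b"\n").split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def simple_body(body):
    """RFC 6376 3.4.3: only trailing empty lines are removed; an empty body is CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, squeeze WSP, trim around the colon."""
    value = re.sub(rb"\r?\n[ \t]+", b" ", value)       # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" ")
    return name.lower() + b":" + value + b"\r\n"


def body_hash(body, canon="relaxed"):
    """Base64 SHA-256 over the canonicalized body: the bh= value for a=rsa-sha256."""
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def body_hash_matches(body, sig):
    """True when the recomputed body hash equals the bh= claimed in the signature."""
    canon = sig.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_canon) == sig["bh"]


def split_message(raw):
    """Split a raw CRLF message into [(name, value), ...] headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:           # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + b"\r\n" + line)
        else:
            name, _, value = line.partition(b":")
            headers.append((name, value))
    return headers, body


def check_body_hash(raw):
    """First verifier steps on a message: (key record name to fetch, bh= matches)."""
    headers, body = split_message(raw)
    sig_value = next(v for n, v in headers if n.lower() == b"dkim-signature")
    sig = parse_tags(sig_value.decode())
    return dkim_key_name(sig), body_hash_matches(body, sig)


def sample_message():
    """Constructed message: the deck's DKIM-Signature tags, bh= recomputed for this
    body, and the deck's truncated b= (so only the bh= step can be checked)."""
    body = b"Please review the   budget.\r\n\r\n"
    sig = (b"v=1; a=rsa-sha256; c=relaxed/relaxed; d=mennogmys.onmicrosoft.com;\r\n"
           b"\ts=selector1-menandmice-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;\r\n"
           b"\tbh=" + body_hash(body).encode() + b"; b=cVQyry/E2yMiV9qUZbth0Y51r5OoWoHPr0qYklZYGvc6/")
    return (b"DKIM-Signature: " + sig + b"\r\nFrom: user@example.com\r\n"
            b"Subject: Budget\r\n\r\n" + body)
```

check_body_hash(sample_message()) returns the key name selector1-menandmice-com._domainkey.mennogmys.onmicrosoft.com, the very name the dig command on page 29 queries, together with True for the body hash; change one word of the body and the second value flips to False, while the signature header (and therefore the bh= value) is untouched. A verifier fetches the TXT record at that name, parses it with parse_tags to get p=, canonicalizes the h= headers with relaxed_header, and only then checks b=; that last step is the RSA verification this example does not include.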

Page 40: Fighting Abuse with DNS

DMARC: Domain-based Message Authentication, Reporting & Conformance

Page 41: Fighting Abuse with DNS

DMARC

• DMARC builds on top of SPF and DKIM

• it allows the owner of an e-mail domain to publish a policy about SPF and DKIM failures

• DMARC can be used to publish a feedback channel to let the domain owner know about spoofed mail from their domain

• the DMARC policy is stored in DNS

Page 42: Fighting Abuse with DNS

DMARC

• example DMARC record

"v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]"

• v=DMARC1: protocol version

Page 43: Fighting Abuse with DNS

DMARC (example record, continued)

• p=reject: policy for the organizational domain

Page 44: Fighting Abuse with DNS

DMARC (example record, continued)

• pct=100: percentage of messages subjected to filtering

Page 45: Fighting Abuse with DNS

DMARC (example record, continued)

• rua=mailto:[email protected]: where to send the aggregated misuse reports
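The decision a receiver derives from the record on pages 42 to 45, as an added example that is not from the deck: parse the tags, check that the From: domain is aligned with the SPF- or DKIM-authenticated domain, and turn p= and pct= into a disposition. parse_dmarc, dmarc_record_name, org_domain, aligned and dmarc_evaluate are this example's names; the organizational domain is approximated by the last two labels (a real verifier consults the Public Suffix List), the pct= sampling keyed on a hash of the message id is this example's design, and the rua= mailbox in EXAMPLE_RECORD is a constructed placeholder.

```python
"""DMARC evaluation for one message, offline.

Added example; not code from the deck. Parses a DMARC TXT record such as the
one on the slides, checks identifier alignment of the From: domain with the
SPF- and DKIM-authenticated domains, and maps p= and pct= to a disposition.
"""
import hashlib

# Constructed record with the deck's tags; the rua= mailbox is a placeholder.
EXAMPLE_RECORD = "v=DMARC1;p=reject;pct=100;rua=mailto:dmarc-reports@example.com"


def dmarc_record_name(from_domain):
    """Receivers look the policy up at _dmarc.<From: domain> (RFC 7489)."""
    return "_dmarc." + from_domain.lower().rstrip(".")


def parse_dmarc(txt):
    """Parse the tag=value list; defaults per RFC 7489 (relaxed alignment, pct=100)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organizational domain. Assumption for this example: the last two labels;
    a real verifier consults the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the
    same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, message_id=b""):
    """Return ("pass", "none") or ("fail", disposition).

    spf_domain is the MAIL FROM domain SPF was evaluated for, dkim_domain the d=
    of a signature that verified. One authenticated and aligned identifier is
    enough, which is how a DKIM signature survives the forwarding case that
    breaks SPF.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # pct= sampling. This example keys the sample on a hash of the message id so
    # a re-evaluation is reproducible; RFC 7489 only requires the percentage.
    bucket = int.from_bytes(hashlib.sha256(message_id).digest()[:2], "big") % 100
    if bucket >= int(policy["pct"]):
        # unsampled messages get the next weaker policy (RFC 7489, message sampling)
        weaker = {"reject": "quarantine", "quarantine": "none", "none": "none"}
        return "fail", weaker[policy["p"]]
    return "fail", policy["p"]


if __name__ == "__main__":
    print(dmarc_record_name("example.com"))
    # the deck's forwarding case: SPF fails on the last hop, DKIM still verifies
    print(dmarc_evaluate(EXAMPLE_RECORD, "example.com", "fail", "example.com", "pass", "example.com"))
    # a spoofed message: neither SPF nor DKIM authenticates the From: domain
    print(dmarc_evaluate(EXAMPLE_RECORD, "example.com", "fail", "example.com", "none", None))
```

With the slides' record (p=reject, pct=100) the forwarded-but-DKIM-signed message passes and the unauthenticated one is rejected; with pct=0 the same failure is only quarantined, which is the usual way to roll a policy out gradually while the rua= reports show what would have been affected.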