Recommendations

Agenda

  1. Background
  2. SPF Flattening
  3. DomainKeys Identified Mail (DKIM)
  4. DMARC Reporting
  5. Recommendations

Background

Basic email relies heavily on the Domain Name System (DNS) with a simple email server for a domain that is easy for users to use and not penalised by anti-spam filters requiring most of: IP4 PTR, IP6 PTR, A, AAAA, MX, SRV, TLSA, CNAME, TXT (SPF DKIM DMARC google-postmaster)

This is further complicated if you also want to send emails for subdomains and want to allow emails for third-party systems to appear as your legitimate email.

“Email Authentication” that is often described as email security is a system reliant on DNS to let Internet mail servers know if mail originated from mail servers approved by you for your domains. It uses two special DNS records for the authentication and a third record type to support reporting.

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication Reporting & Conformance)

When an email passes either SPF or DKIM and aligns with the domain specified in the “From” header it can pass DMARC.

SPF Flattening

What are SPF Records?

SPF (Sender Policy Framework) records are DNS (Domain Name System) records that specify which mail servers are authorized to send emails on behalf of your domain. By configuring SPF records you help receiving mail servers verify that incoming emails from your domain are sent from authorized sources thereby reducing the risk of email spoofing.

How does SPF work?

When an email is sent the receiving mail server checks the SPF record of the sender’s domain to verify the IP address of the sending server. If the IP address is listed in the SPF record the email is considered legitimate. If not the email may be flagged as spam or rejected.

Why SPF is Important

  • Reduces Spam and Phishing: By ensuring only authorized servers can send emails from your domain, SPF helps mitigate spam and phishing attempts.
  • Protects Brand Reputation: Prevents attackers from using your domain to send fraudulent emails, thus protecting your brand’s reputation.
  • Improves Email Deliverability: Emails sent from authorized servers are less likely to be marked as spam, improving overall deliverability.

The Challenge of SPF Records

While SPF records are effective, they come with certain challenges:

  • DNS Lookup Limit: The SPF specification limits the number of DNS lookups to 10. If your SPF record requires more than 10 lookups it can lead to incomplete or invalid SPF records.
  • Complexity in Management: Managing SPF records can be complex, especially for organizations using multiple third-party services to send emails.

Common Methods to Beat the SPF 10 DNS Lookup Limit

  • Using Subdomains: Segment outbound mail onto specific subdomains (e.g., @marketing.example.com, @sales.example.com) to avoid hitting the 10 lookup limit.
  • SPF Macros: Use dynamic variables to create more concise and manageable SPF records.
  • SPF Flattening Service: Simplify SPF records by reducing the number of DNS lookups.

SPF Flattening

SPF flattening is a technique used to simplify SPF records by reducing the number of DNS lookups. This is achieved by preparing a single “flat” SPF built from the IP addresses found in all the multiple ‘include’ mechanisms and nested DNS lookups.

The Need for SPF Flattening

With the ever-increasing number of mail servers and service providers needing to appear in a company’s SPF record, there needs to be a way to allow companies to go beyond the 10 lookup limit when their particular mail infrastructure requires it.

How SPF Flattening Works

  1. Aggregate IP Addresses: Collect all IP addresses from the included domains.
  2. Create a Flat Record: Compile these IP addresses into a single SPF record minimizing DNS lookups.

Benefits of SPF Flattening

  • Reduced DNS Lookups: Helps stay within the 10 DNS lookup limit ensuring your SPF record is always valid.
  • Improved Performance: Faster DNS resolution and reduced risk of DNS timeout errors.
  • Simplified Management: Easier to manage and update SPF records especially for organizations with complex email infrastructures.

DomainKeys Identified Mail (DKIM)

What is DKIM?

DKIM is an email authentication method designed to detect forged sender addresses in emails, a common tactic used in phishing and email spoofing. DKIM allows the receiving email server to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain.

How does DKIM work?

  1. Signing Emails: When an email is sent from your domain, a private key is used to generate a unique digital signature. This signature is added to the email header.
  2. Verifying Signatures: The receiving server retrieves the corresponding public key from the DNS records of the sender’s domain. It then uses this public key to verify the digital signature. If the signature is valid, the email is considered authentic and untampered.

Why is DKIM Important?

  • Email Integrity: Ensures that the content of the email has not been altered in transit.
  • Authentication: Verifies that the email is indeed from the domain it claims to be from.
  • Reputation Building: Helps build the domain’s reputation with email providers, improving deliverability rates.

The Case for Multiple DKIM Records

  • Key Rotation: Regularly rotating DKIM keys enhances security by limiting the potential damage if a private key is compromised. Having multiple DKIM records allows for a smooth transition between keys.
  • Different Sending Sources: Organizations often use multiple email services (e.g., marketing platforms, transactional email services). Each of these services can use its own DKIM key, necessitating multiple DKIM records.
  • Gradual Key Rollout: When updating or changing DKIM keys, having multiple records allows for a phased rollout ensuring continuous email verification.

Guidance for DKIM

  • Aim to have all sending systems support and use DKIM.
  • Aim to have DKIM use at least 1024 or higher bit encryption key.
  • Make sure all emails are DKIM signed.
  • Know how to revoke any suspected compromised keys.
  • Ensure the DKIM TXT record is free of syntax errors.
  • Understand and use regular key rotation.
  • Set an expiration period for email signatures. Ensure it’s longer than the key rotation time to prevent DKIM failures.

DMARC Reporting

What is DMARC?

DMARC is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to specify how their emails should be handled if they fail SPF or DKIM checks. Additionally, DMARC provides a mechanism for receiving feedback about email authentication, enabling domain owners to monitor and improve their email security. This feedback feeds DMARC Reporting.

How does DMARC work?

  1. Policy Definition: Domain owners publish a DMARC policy in their DNS records specifying how to handle emails that fail SPF and DKIM checks. The policy can be set to monitor (none), quarantine, or reject such emails.
  2. Alignment Checks: DMARC checks whether the domain in the “From” address matches the domains used in SPF and DKIM checks ensuring that the email is genuinely from the specified domain.
  3. Reporting: DMARC generates reports that provide insights into email authentication results and help identify potential issues.

Why DMARC is Important?

  • Prevents Email Spoofing: By specifying how to handle unauthenticated emails, DMARC helps prevent attackers from spoofing your domain.
  • Improves Email Deliverability: Authenticated emails are more likely to be delivered to the inbox rather than being marked as spam.
  • Provides Visibility: DMARC reports give you visibility into your email ecosystem, helping you identify and address authentication issues.

What are DMARC Reports?

DMARC reports provide detailed information about the emails sent from your domain, including the results of SPF and DKIM checks. There are two types of DMARC reports:

  • Aggregate Reports: Summarize email authentication results over a specified period, providing an overview of email traffic and any authentication failures.
  • Forensic Reports: Provide detailed information about individual emails that failed authentication checks, helping to diagnose specific issues.

Why DMARC Reports are Important?

  • Visibility into Email Traffic: Understand who is sending emails on behalf of your domain and how those emails are being authenticated.
  • Identify Authentication Issues: Quickly spot and resolve issues with your SPF, DKIM, or DMARC configurations.
  • Monitor for Abuse: Detect unauthorized use of your domain and take action to prevent email fraud.

What can we learn from DMARC Reports?

  • Authentication Results:
    • Pass/Fail Status: Determine whether emails appearing to come from you are passing or failing DMARC authentication checks.
    • Alignment: Check if SPF and DKIM align with the “From” domain.
  • Source of Emails:
    • Legitimate Senders: Identify authorized email senders (e.g., your company’s mail servers, third-party services).
    • Unauthorized Senders: Detect potential spoofing attempts or unauthorized sources sending emails on behalf of your domain.
  • Volume of Emails:
    • Email Traffic: Monitor the volume of emails being sent from your domain.
    • Trends: Identify trends and patterns in email authentication results over time.
  • Geographic Information:
    • Sender Locations: Determine the geographic locations of email senders, helping to identify potential sources of abuse.
  • Policy Enforcement:
    • Policy Impact: Assess the effectiveness of your DMARC policy and its impact on email deliverability.

Actions from DMARC Reports

  • Adjust Policies: Based on the report insights, fine-tune your DMARC policy to achieve the desired level of email security.
  • Investigate Failures: Examine forensic reports to diagnose and resolve specific authentication issues.
  • Engage with Senders: Work with legitimate email senders to ensure their emails comply with your authentication requirements.

Recommendations

SPF

  1. SPF Flattening Service: Implement an SPF flattening service to simplify your SPF records and stay within the 10 DNS lookup limit. This ensures your SPF record remains valid and effective.
  2. Necessary Updates: Be sure to update your SPF records to reflect changes in your email infrastructure, such as new mail servers or third-party services.
  3. Monitoring and Auditing: Continuously monitor the SPF data in DMARC reprots and resolve any issues promptly.

DKIM

  1. Implement DKIM for All Email Sources: Ensure that all email sources, including third-party services, support and use DKIM.
  2. Regular Key Rotation: Implement a regular key rotation schedule to enhance security and limit potential damage if a key is compromised.
  3. Signature Expiration Management: Set appropriate expiration periods for email signatures to prevent DKIM failures during key rotations.

DMARC

  1. Implement a Strict DMARC Policy: Implement a strict DMARC policy (e.g., quarantine or reject) to prevent unauthorised use of your domain and improve email security.
  2. Enable DMARC Reporting: Enable DMARC reporting to gain visibility into your email authentication results and monitor for potential issues.
  3. Regular Review and Adjustment: Regularly review your DMARC reports and adjust your policies and configurations based on the insights gained.

Postmasters

  1. Regular checks of Reputation and Blocklists like Spamhaus: link
  2. Signup for google postmaster tools: link

Overall

  1. Ongoing Monitoring: Continuously monitor your email authentication mechanisms (SPF, DKIM, DMARC) to identify and resolve any issues promptly.
  2. Stay Informed: Stay informed about the latest developments in email authentication and security to ensure your email infrastructure remains secure and up-to-date.
  3. Engage with Experts: Consider engaging with email security experts to assist with the implementation, monitoring, and optimization of your email authentication mechanisms.

Conclusion

By implementing the recommendations outlined in this page, YOU can significantly enhance your email security, protect your brand reputation, and improve email deliverability. SPF flattening, DKIM implementation, and DMARC reporting are critical components of a robust email authentication strategy that will help safeguard your domain from email spoofing and other malicious activities.