Setting up DKIM/SPF/DMARC records to defend yourself from spoofing

Started by Inetscope, Jul 29, 2022, 01:28 AM


Inetscope (Topic starter)



1. DKIM

DKIM (DomainKeys Identified Mail) is an e-mail authentication method based on digital signature verification. The public key is stored in the TXT record of the domain.

Why is it needed?



DKIM is required so that email services can check whether the sender is legitimate or not, i.e. it protects the recipient of the letter from various fraudulent letters (which are sent with a forged sender address).

Configuring DKIM Signatures and DNS Records

To do this, we need to create a key pair:

openssl genrsa -out private.pem 1024   # generate a 1024-bit private key

openssl rsa -pubout -in private.pem -out public.pem   # get the public key from the private key


Or you can use an online service, which I strongly recommend against.


Next, you need to specify the path to the private key in the mail server's configuration file (it is better to read the server's documentation for this) and publish the public key in DNS.

An example of an entry is
mail._domainkey.your.tld TXT "v=DKIM1; k=rsa; t=s; p=<public key>"

where
mail is the selector. You can publish several entries with different selectors, each with its own key. This is used when several servers are involved (each server has its own key).
v - DKIM version, always takes the value v=DKIM1. (required argument)
k - key type, always k=rsa. (at least for now)
p - the base64-encoded public key. (required argument)
t - flags:
t=y - testing mode; such messages differ from unsigned ones only so that results can be tracked.
t=s - the entry is used only for the domain it belongs to; not recommended if subdomains are used.
Optional:
h - preferred hash algorithm, can take the values h=sha1 and h=sha256
s - type of service using DKIM. Accepts the values s=email (e-mail) and s=* (all services). The default is "*".
; - separator.

It is also worth publishing an ADSP record, which lets a receiver understand whether letters from the domain must be signed or not.
_adsp._domainkey.example.com. TXT "dkim=all"

There can be three values:
all - all letters must be signed
discardable - do not accept letters without a signature
unknown - unknown (which, in fact, is the same as having no entry)


2. SPF

SPF (Sender Policy Framework) is an add-on to the protocol for sending email via SMTP. SPF is defined in RFC 7208 (Wiki). In simple terms, SPF is a mechanism for message verification that checks the sender's server. In my opinion, this technology is useful in conjunction with the others (DKIM and DMARC).

Setting up SPF records

An example of a typical SPF record is your.tld. TXT "v=spf1 a mx ~all"
Here:
v=spf1 is the version, always spf1
a - allows sending emails from the address specified in the A and/or AAAA record of the sender's domain
mx - allows sending emails from the address specified in the domain's MX record
(for a and mx you can also specify another domain; for example, a:example.com allows the address from the A record of example.com rather than the sender's domain)
You can also add individual IP addresses using ip4: and ip6:, for example ip4:1.1.1.1 ip6:2001:0DB8:AA10:0001:0000:0000:0000:00FB. There is also include: (include:spf.example.com), which additionally includes the SPF record of another domain. All of this can be combined, separated by spaces. If you just need to use the record of another domain without adding to it, it is best to use redirect: (redirect:spf.example.com)
-all - determines what happens to letters that do not comply with the policy: "-" - reject, "+" - accept, "~" - additional checks (softfail), "?" - neutral.

3. DMARC

Domain-based Message Authentication, Reporting and Conformance (message authentication, reporting and domain name matching), or DMARC, is a technical specification created by a group of organizations to reduce the number of spam and phishing emails. It is based on identifying the sender's email domain according to the rules and characteristics specified for the recipient's mail server (Wiki). That is, the mail server itself decides whether the letter is good or bad (for example, based on the policies above) and acts according to the DMARC record.


Configuring DMARC Records

A typical entry looks like this: _dmarc.your.tld TXT "v=DMARC1; p=none; rua=mailto:postmaster@your.tld"
It takes no action other than preparing and sending the report.

Now more about the tags:
v - version, takes the value v=DMARC1 (mandatory parameter)
p - the rule for the domain (mandatory parameter). Can take the values none, quarantine and reject, where
p=none does nothing but prepare reports
p=quarantine puts the email into SPAM
p=reject rejects the letter
sp - the rule for subdomains, takes the same values as p
aspf and adkim set the alignment mode and can take the values r and s, where r is relaxed (a softer check) and s is strict.
pct - the share of emails to which the policy is applied, specified as a percentage; for example, pct=20 applies it to 20% of emails.
rua - allows you to receive daily reports by email, for example rua=mailto:postmaster@your.tld; you can also specify several addresses separated by a space (rua=mailto:postmaster@your.tld mailto:dmarc@your.tld)

ruf - reports on emails that did not pass the DMARC check. Everything else is the same as above.

Epilogue

We have learned how to configure DKIM/SPF/DMARC and resist spoofing. Regrettably, this does not guarantee security if the server is hacked or if emails are sent to servers that do not support these technologies. Fortunately, popular services do support them (and some are the initiators of these policies).

This story is only an instruction for self-configuring records, a kind of documentation. There are no ready-made examples intentionally, because each server is unique and requires its own configuration.

I will be glad to receive useful criticism and corrections.
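The post above explains which tags each record takes but leaves the reader to assemble and eyeball them. The following script is an added example, not the poster's code: it turns the `public.pem` produced by the `openssl rsa -pubout` command into the `p=` value for the DKIM TXT record, and sanity-checks DKIM, SPF and DMARC strings before they are published (version tag, required tags, the `all` qualifier, RFC 7208's limit of 10 DNS-querying SPF terms, the DMARC `p`/`sp`/`pct` values). It uses only the standard library; the PEM body and all records in it are constructed samples, and nothing is looked up in DNS. Note that for several `rua`/`ruf` addresses it follows RFC 7489, which separates the URIs with commas.

```python
"""Build a DKIM TXT record from an OpenSSL public key and sanity-check
DKIM, SPF and DMARC records before publishing them (added example)."""
import re

# Constructed sample with the shape of `openssl rsa -pubout` output.
# The base64 body is a placeholder, not a real key.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholderkeybody0000000000000000
AAAAB3NzaC1yc2EAAAADAQABAAABAQC1placeholder000000000000000000000000000
-----END PUBLIC KEY-----"""


def pem_to_dkim_p(pem_text):
    """Drop the BEGIN/END armour and join the base64 lines into one string."""
    return "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))


def build_dkim_record(selector, domain, pem_text, testing=False, strict=True):
    """Return (name, value) for the TXT record. DKIM flags share one t= tag,
    colon-separated, e.g. t=y:s (RFC 6376)."""
    flags = [flag for flag, on in (("y", testing), ("s", strict)) if on]
    tags = ["v=DKIM1", "k=rsa"]
    if flags:
        tags.append("t=" + ":".join(flags))
    tags.append("p=" + pem_to_dkim_p(pem_text))
    return f"{selector}._domainkey.{domain}", "; ".join(tags)


def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict, in record order."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def check_dkim(record):
    """Return a list of problems; an empty list means the record looks sane."""
    t = parse_tags(record)
    problems = []
    if t.get("v") != "DKIM1":
        problems.append("v must be DKIM1")
    if t.get("k", "rsa") != "rsa":
        problems.append("k must be rsa")
    if not t.get("p"):
        problems.append("p is empty: an empty p= means the key is revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", t["p"]):
        problems.append("p is not base64 (PEM armour or line breaks left in?)")
    if "y" in t.get("t", "").split(":"):
        problems.append("t=y: still in testing mode, remove once results look good")
    return problems


# Mechanisms/modifiers that cost a DNS query under RFC 7208's limit of 10.
SPF_LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def check_spf(record):
    """Check the version, the 'all' qualifier and the DNS-lookup budget."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, all_index = [], 0, None
    for i, term in enumerate(terms[1:], start=1):
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            all_index = i
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_index is None:
        problems.append("no 'all' term: hosts not listed get a neutral result")
    else:
        if any("=" not in t for t in terms[all_index + 1:]):  # modifiers may follow
            problems.append("mechanisms after 'all' are never evaluated")
        if terms[all_index] in ("all", "+all"):
            problems.append("+all lets any host send as this domain")
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms; RFC 7208 allows at most 10")
    return problems


def check_dmarc(record):
    """Check the tags described in the post; rua/ruf URIs are comma-separated."""
    t = parse_tags(record)
    problems = []
    if list(t)[:1] != ["v"] or t["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policies = ("none", "quarantine", "reject")
    if t.get("p") not in policies:
        problems.append("p is required and must be none, quarantine or reject")
    elif t["p"] == "none":
        problems.append("p=none only reports; failing mail is still delivered")
    if "sp" in t and t["sp"] not in policies:
        problems.append("sp must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if t.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag} must be r or s")
    pct = t.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in t.get(tag, "").split(","))):
            if not uri.startswith("mailto:"):
                problems.append(f"{tag} entry {uri!r} is not a mailto: URI")
    return problems


if __name__ == "__main__":
    name, value = build_dkim_record("mail", "your.tld", SAMPLE_PEM)
    print(name, "TXT", f'"{value}"', check_dkim(value))
    print(check_spf("v=spf1 a mx ~all"), check_spf("v=spf1 a mx +all"))
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:postmaster@your.tld"))
```

Paste your own `public.pem` into `SAMPLE_PEM` (or read the file) to get the exact TXT value for your selector; `check_spf` counts `a`, `mx`, `include`, `exists`, `ptr` and `redirect` because each of them costs the receiver a DNS query, and a record exceeding ten of them fails with a permanent error rather than protecting anything.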

maxikk

This is a kind of checklist for those who understand. Now I know how to generate DKIM by myself.
One remark: it is preferable not to use ADSP. This standard has sunk into oblivion, and the authors themselves recommend not using it.

DKIM, SPF, DMARC - that's all you need.
Sometimes I notice that some domains have multiple SPF records. There can be only one SPF record for a domain.
Do not use "spf2.0" - this is an obsolete standard.
To check the validity of SPF there are many services, for example, here.
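The reply above is a checklist over the records a domain actually publishes, which is a different question from whether each record is well-formed. The script below is an added example, not maxikk's code: it takes the TXT records returned for the apex, `_adsp._domainkey` and `_dmarc` names (a constructed dict here; in practice the output of `dig +short TXT <name>` for each name, no DNS is queried in the script) and reports duplicate SPF records, leftover `spf2.0` Sender ID records, an ADSP record, and a missing or duplicated DMARC record.

```python
"""Audit the set of TXT records a domain publishes for SPF/ADSP/DMARC
(added example; input is constructed, nothing is resolved)."""


def audit_domain(domain, txt_by_name):
    """Return a list of findings for one domain. txt_by_name maps a DNS name
    to the list of TXT strings published under it."""
    findings = []
    apex = txt_by_name.get(domain, [])

    # RFC 7208 section 4.5: more than one v=spf1 record is a permerror,
    # so the domain ends up with no usable SPF policy at all.
    spf = [r for r in apex if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append(f"{len(spf)} SPF records: receivers return permerror; merge them into one")

    # Sender ID records start with spf2.0/ and are obsolete.
    if any(r.lower().startswith("spf2.0/") for r in apex):
        findings.append("spf2.0 (Sender ID) record present: obsolete, remove it")

    # RFC 5617 (ADSP) was moved to Historic; DMARC covers the same ground.
    if txt_by_name.get(f"_adsp._domainkey.{domain}"):
        findings.append("ADSP record present: RFC 5617 is Historic, publish DMARC instead")

    # RFC 7489 section 6.6.3: several DMARC records are treated as none.
    dmarc = [r for r in txt_by_name.get(f"_dmarc.{domain}", [])
             if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    elif len(dmarc) > 1:
        findings.append("more than one DMARC record: receivers ignore all of them")
    return findings


# Constructed sample showing the mistakes from the reply above.
SAMPLE_BAD = {
    "example.com": [
        "v=spf1 ip4:192.0.2.10 -all",
        "v=spf1 include:_spf.mailer.example ~all",
        "spf2.0/pra ip4:192.0.2.10 -all",
    ],
    "_adsp._domainkey.example.com": ["dkim=all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

# Constructed sample of a clean setup.
SAMPLE_GOOD = {
    "example.com": ["v=spf1 ip4:192.0.2.10 include:_spf.mailer.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for finding in audit_domain("example.com", SAMPLE_BAD):
        print("-", finding)
    print("clean:", audit_domain("example.com", SAMPLE_GOOD))
```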

jamesanderson11

Do you often wonder whether implementing DKIM is enough? The answer is no. Although DKIM helps you encrypt email messages with a cryptographic signature to confirm the legitimacy of your senders, it does not give the recipient of the email a way to respond to messages that fail DKIM. DMARC comes to the rescue here.

Domain-Based Message Authentication, Reporting and Compliance (DMARC) is an email authentication protocol that helps domain owners take action against messages that have not passed SPF/DKIM authentication.
That, in turn, minimizes the chances of domain spoofing and BEC attacks. DMARC, together with SPF and DKIM, can improve email delivery by 10% over time and increase the reputation of your domain name.