Outgoing Email Protection
There are some tools that can improve the protection of e-mail sent to external clients outside of an organization. There are three main ones: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Authentication, Reporting and Conformance (DMARC). Let’s see what these three tools are.
The SPF is a TXT record added to the DNS server that simply lists addresses or ranges of IP addresses with permission to send e-mails for a specific domain. When this is in place, it ensures recipients that an email from a certain domain was indeed sent from an IP address authorized to send e-mails on behalf of the domain in question. It thus becomes difficult for an attacker to send an email from an IP address that is not part of the addresses listed in the DNS field of the domain protected by SPF without the email being automatically identified as spam. Here is an example:
Nslookup -type = TXT domain.com Domain.com text = "v = spf1 ip4: xxx.xxx.xxx.xxx/xx a -all"
v = SPF version used ip4: xxx.xxx.xxx.xxx/xx
a = address or group of addresses pointing to the authorized SMTP server
-all = indicates that if the above-mentioned mechanisms are not met, the email should be rejected.
The DKIM, on the other hand, is a mechanism to ensure that the content of an e-mail message has not been altered since it left the e-mail server. This verification is ensured by the establishment of a public and private key system. Again, it is through an addition in the DNS server configurations that this measure is implemented. The owner adds an entry with a DKIM public key to be used by the recipients to ensure that the DKIM signature is genuine, while on the server side the e-mails will be signed with the corresponding private key.
The third tool, DMARC, adds an additional validation to the two other tools described above. DMARC is a system of information exchange between the sender and the recipient. The sender, again through its DNS server, makes some policies available to the recipients. These policies dictate what to do with an email that does not authenticate correctly with respect to SPF and/or DKIM. For example, it might prescribe to let the email go, quarantine it or simply reject it. Here is an example of a DMARC policy:
"v = DMARC1; p = reject; pct = 100; rua = mailto: email@example.com"
v = the version of the DMARC protocol used
p = the policy of the organization
pct = the percentage of e-mails subject to the filtering mechanism, here 100%
rua = email address for sending aggregated reports
While these tools can help reduce spam problems, they are not 100% effective. They all have their limitations. For example, DKIM does not warrant that the sender has permission to send e-mails with a given domain. SPF is not very useful in cases where the hosts are shared and where all e-mails seem to come from the same IP address. DMARC is not yet implemented everywhere and can cause some trouble when it is not configured correctly.
References: Http://blog.endpoint.com/2014/04/spf-dkim-and-dmarc-brief-explanation.html Https://dmarc.org/overview/
Note: ** Set up by default in Office 365, but requires configurations for secondary domains or to use its own domain key entries.
David-Alexandre Alarie, CEH, CSX
Jonathan Roy, MCP, GWAPT