
What You Need to Know About Email Authentication


Published: slide deck presented at #VelocityConf 2015 in Santa Clara on 2015-05-27

Published in: Technology


  1. What You Should Know About Email Authentication. Kurt Andersen, LinkedIn Site Reliability, @DrKurtA
  2. @DrKurtA Introduction - Kurt Andersen
     - Email in the days of Bitnet/DECnet/usenet/etc. gateways
     - Early work on hypertext for the internal reference system at JPL's Image Processing Laboratory
     - Instigator for the Perl common database access framework: DBI/DBD
     - Early web work, bringing several organizations online in 1994-1996
     - Worked on early versions of SpamAssassin; contributed to Postfix and the initial SPF specification
     - Active contributor to M3AAWG since 2007; currently on the board of directors and co-chair of the program committee
     - Active with IETF standards efforts: SPFbis, DMARC, DBOUND
  3. Audience Check: What brings you to this session?
  4. Roadmap
     - Why should you care?
     - Background to the challenges of email authentication
     - Where does me.example mail come from?
     - Did my domain (me.example) send this content?
     - What protections should a receiver look for on me.example mail?
     - How do I protect me.example?
     - Making it all work together...
  5. Just How Big Is This Thing? This is really big. Lots of people have been trying to fix this thing for a long time... and it's actually changing!
  6. Why Is This Important?
     - Email is still alive and well
       - Large: 80B consumer emails/day; 91% check email daily
       - Growing: 3.9 billion active email boxes, expected to reach 4.9 billion by 2017
       - Preferred: 74% of consumers prefer email for commercial communications
       - Popular: 82% of consumers sign up for email programs on websites
     - Email is highly effective
       - High open rates: 82% of consumers open marketing email
       - Effective: 66% of consumers buy online due to email
       - Efficient: email marketing has an ROI of 4300%
  7. Email Attacks
     - 84% of all email is spam/phish
     - Despite best efforts, 100M phishing messages get through every day
       - 95% of all cyberattacks occur through phishing
     - Phishing harms consumers and brands
       - Daily barrage of email-based attacks costing brands $70B/year
       - 42% of consumers are less likely to buy from brands following an email attack
  8. Domain Authentication Helps Receivers
     - It makes it easier to know where the mail is really coming from
     - Stable basis for accumulating reputation
       - The only people who don't want to accrue reputation are the people you don't want email from anyway
     - Necessary to deal with the shift from IPv4 to IPv6
  9. Domain Authentication Helps Senders
     - It keeps your mail out of the trash (assuming that it is good)
     - Keeps your real mail distinct from fraudulent uses of your domain
     - Consider it the domain equivalent of defending your brand
  10. A Tale of Two Cities
     - Email standards: IETF RFCs govern how servers talk to each other
       - RFC 5321: envelope
       - RFC 5322: message (and others for MIME, etc.)
       - Various RFCs for authentication protocols
       - MTA "rules of the road"
     - MUA: how messages are presented to people
       - No standards
       - Some user interface optimizations
       - Little real research toward usable security
  11. Background and Context (roadmap slide: the slide-4 agenda, repeated)
  12. Challenges of Email Authentication: There's a reason that SMTP starts with the word:
  13. The SMTP conversation (sender commands, receiver replies, notes in parentheses)
     - TCP connect on port 25 (standard 3-way handshake)
     - Receiver: 220 testhost.localdomain ESMTP Postfix (connection banner)
     - Sender: EHLO test.example.com
     - Receiver: 250-testhost.localdomain / 250-SIZE 10485760 / 250 DSN (receiver announces capabilities (EHLO) or just "OK" (HELO))
     - Sender: MAIL FROM:<someone@example.com>; Receiver: 250 2.1.0 Ok (envelope sender)
     - Sender: RCPT TO:<someone_else@example.org>; Receiver: 250 2.1.5 Ok (envelope recipient)
     - Sender: DATA; Receiver: 354 End data with <CR><LF>.<CR><LF>
     - Sender: <message with headers goes here>, terminated by a line containing only "."; Receiver: 250 2.0.0 Ok: queued as 0FC77B8BEDC (end of message)
     - Sender: QUIT; Receiver: 221 2.0.0 Bye (connection closed by receiver)
  14. Designed by Analogy to Physical Letters. But who is it "from"?
  15. Email: Envelope + Headers + Content
  16. Connecting the Analogy (snail mail vs. email, with the ifs, ands & buts in parentheses)
     - Postmark: IP address of connection (cost of admission); PTR record, sometimes called rDNS (frequently required, sometimes with FCrDNS too); HELO name (often unrelated to anything)
     - Envelope From, aka "Mail From" / "MFrom" / "5321.From": becomes the "Return-Path" header; named from RFC 5321, which defines the envelope for email; usually null for system messages
     - Envelope To, aka "Rcpt To" / "Recipient" / "5321.To": used for delivery, but not seen by the recipient
     - Letter From, aka "Header From" / "HFrom" / "5322.From": Display Name (seen, free text); Email Address (often unseen)
     - Letter To, aka "Header To" / "Recipient" / "5322.To": optional
     - Signature: none
  17. First Axiom of Email Reputation: "You cannot say good things about yourself, only neutral or bad things." – John Levine
  18. SPF (roadmap slide: the slide-4 agenda, repeated)
  19. Where does "me.example" mail come from?
     - Sender Policy Framework, aka SPF
     - RFC 7208
     - ADMD (ADministrative Management Domain) assertion about the source(s) of email for a domain
     - Published in DNS as a TXT record
  20. What does SPF check? (The analogy table from slide 16, repeated.)
  21. Particulars of an SPF record: v=spf1 {list of qualifiers + mechanisms}
     - Qualifiers: + PASS (default); - HARD FAIL; ? NEUTRAL; ~ SOFT FAIL
     - Mechanisms: ip4, ip6, a, mx, all, exists, include, redirect, ptr (deprecated)
  22. SPF Macros
     - Allow mechanism definition based on the IP or on various parts of the 5321.From (MFrom) address
     - Not all receivers support all macros that are defined in the spec
     - Some receivers ignore macro-laden expressions
     - Use with care
  23. SPF Record Example for "me.example": v=spf1 ip4:1.2.3.4 ip4:6.7.8.0/24 a ~all
  24. Evaluating SPF
     - Starting with the domain of the 5321.From (MFrom), look up the TXT record for that domain to find the SPF record
       - If 5321.From is empty, use the domain listed in the HELO/EHLO identity
     - If there is no record, the result is NEUTRAL
     - If there is an SPF record, test each mechanism from left to right, stopping after a match is found
       - The qualifier determines the result of the match
       - Most SPF records end with "-all" or "~all" to provide an unambiguous result
  25. SPF Record Example for "me.example" (repeated from slide 23): v=spf1 ip4:1.2.3.4 ip4:6.7.8.0/24 a ~all
  26. SPF and Third Parties
     - A domain owner can authorize third-party sources with "include"
     - But...
       - SPF does not support intermediaries in the delivery process
       - Intermediaries account for ~5% of email received at several large mailbox providers
  27. SPF Gotchas
     - DNS lookups, including embedded "include:" mechanisms, are limited to 10 queries
       - Put non-DNS mechanisms first and put the highest-volume sources first
     - Use "~all" instead of "-all", because some people on the internet will drop email if SPF fails and "-all" is in place
     - Record length can oddly matter. Try to fit SPF into a UDP packet (~500 bytes).
  28. More SPF Gotchas
     - DNS time-to-live (TTL) will affect how quickly changes can be made
     - Publish SPF records for subdomains (or use wildcards)
       - SPF does not "discover" SPF records if they're not present
     - Use tools to check your SPF record
       - Tools separate humans from most other creatures
       - Safe to say: smart creatures use tools
     - Be careful what you "include": other records may be broken or wrong
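To make slides 21 through 28 concrete, here is an added, offline SPF evaluator (my example, not the deck's code or any library's API). DNS is a constructed dictionary seeded with the deck's me.example record plus hypothetical mailer.example, helo.me.example and broken.example zones; it walks mechanisms left to right, stops at the first match, enforces the 10-lookup limit, falls back to HELO when 5321.From is empty, and treats a broken include as a permanent error.

```python
import ipaddress

# Constructed zone data: the deck's me.example record (slide 23) extended with a
# hypothetical include:mailer.example, plus a HELO-only host for the empty-MFrom case
# and a record whose include points at a domain with no SPF at all.
DNS = {
    ("me.example", "TXT"): ["v=spf1 ip4:1.2.3.4 ip4:6.7.8.0/24 a include:mailer.example ~all"],
    ("me.example", "A"): ["9.9.9.9"],
    ("mailer.example", "TXT"): ["v=spf1 ip4:10.20.0.0/16 mx -all"],
    ("mailer.example", "MX"): ["mx1.mailer.example"],
    ("mx1.mailer.example", "A"): ["10.30.0.5"],
    ("helo.me.example", "TXT"): ["v=spf1 a -all"],
    ("helo.me.example", "A"): ["1.2.3.4"],
    ("broken.example", "TXT"): ["v=spf1 include:nospf.example -all"],
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: the "10 queries" gotcha on slide 27
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None when absent or ambiguous."""
    recs = [r for r in lookup(domain, "TXT") if r.split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, target, prefix):
    """True when ip lies inside target (a host or network), honouring an optional /prefix."""
    net = ipaddress.ip_network(f"{target}/{prefix}" if prefix else target, strict=False)
    return ip in net


def check_host(ip, mfrom_domain, helo, lookups=None):
    """Evaluate SPF for the connecting ip (slide 24): use the 5321.From domain, or the
    HELO/EHLO identity when 5321.From is empty; walk mechanisms left to right and stop
    at the first match; the qualifier of the matching mechanism is the result."""
    ip = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups  # one counter shared across includes
    domain = mfrom_domain or helo
    record = spf_record(domain)
    if record is None:
        return "none"  # the deck calls this outcome NEUTRAL
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, _, cidr = mech.lower().partition("/")
        target, _, arg_cidr = arg.partition("/")
        prefix = arg_cidr or cidr
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, target, prefix)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            host = target or domain
            if mech == "a":
                matched = any(ip_in(ip, h, prefix) for h in lookup(host, "A"))
            elif mech == "mx":
                hosts = [a for mx in lookup(host, "MX") for a in lookup(mx, "A")]
                matched = any(ip_in(ip, h, prefix) for h in hosts)
            else:
                inner = check_host(str(ip), host, helo, lookups)
                if inner in ("none", "permerror"):
                    return "permerror"  # slide 28: a broken include breaks you too
                matched = inner == "pass"  # only an included PASS counts as a match
        else:
            return "permerror"  # ptr, exists and macros are out of scope here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without an "all" term
```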
  29. SPF Q&A (roadmap slide: the slide-4 agenda, repeated)
  30. DKIM... (roadmap slide: the slide-4 agenda, repeated)
  31. What is DKIM and what does it do?
     - DKIM == DomainKeys Identified Mail
     - Public-key crypto used by an ADMD to sign a message: body + selected headers
     - Private key held by the ADMD
     - Public key published in DNS by the ADMD under a "selector"
  32. Sample DKIM Signature (one header, shown unfolded):
     DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoogroups.com; s=echoe; t=1393079384; bh=kmukFXBXZ2LCalggiEXX2pc4h9ESv+STtGxZ/NFuN+k=; h=Received:Received:X-Yahoo-Newman-Id:X-Sender:X-Apparently-To:X-Received:X-Received:X-Received:X-Received:X-Received:X-Received:X-Received:X-Received:X-YMail-OSG:X-Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:To:X-Originating-IP:X-eGroups-Msg-Info:From:X-Yahoo-Profile:Sender:MIME-Version:Mailing-List:Delivered-To:List-Id:Precedence:List-Unsubscribe:Date:Subject:Reply-To:X-Yahoo-Newman-Property:Content-Type; b=5KWzHV7YzWaUURDQW/MKelqHkdy8V/ube+c2P8+c4yX+CFKHPsk9j76G3Yt25L7DQLU3djFacfVbdZdxz/Y41TmNcq4FVXZ23ZC42m9Ku6AN3uSxLGJm9KbrQ5/P2+pvaJHCNwecnPm1P+EiYu3qsY1FCywYTJ4GxGpkqBKRFfg=
  33. Finding the DNS record for DKIM: look for a TXT record at <s=>._domainkey.<d=>
     $ dig txt echoe._domainkey.yahoogroups.com +short
     "k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmsJgfzmZfV10FE4jZ9NAX62SchSffsRHR/ng8TfS8YT33pdMMcUgthGXCw+n7xZOYyYvbII2OemMv0quJLUZfJFfJj2QSwI49qO3K04cUv0pNFt3/ugWzKl65Hgx1pLAoux5hdtJAmUJKM+kaaLaG6nR/qJT2iALWAGqoB2UhOQIDAQAB"
  34. What does DKIM check? (The analogy table from slide 16, repeated, with the Signature row marked "DKIM – sort of".)
  35. DKIM and Third Parties
     - A domain owner can authorize third-party sources in several ways
       - providing private keys to trusted third parties
       - publishing the public keys from trusted third parties
       - delegating (sub)domains to trusted third parties, either by full delegation or via CNAME or DNAME assignment mechanisms
     - But... don't use the same key across all of your subdomains
  36. DKIM Gotchas
     - Weak keys: 1024 bits is the minimum acceptable strength at this time
     - Typos in DNS records
     - DKIM does not work everywhere
       - Implementation bugs
       - Gateways that break the signatures
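An added example (mine, standard library only, not the deck's code) that ties slides 32, 33 and 36 together: it parses the slide-32 DKIM-Signature tag list (the h= list is abbreviated here), derives the selector record name from slide 33, and walks the DER inside that record's p= tag far enough to measure the RSA modulus, which is how you check the "weak keys" gotcha without trusting the vendor's word. It does not verify the signature itself.

```python
import base64

# The slide-32 DKIM-Signature header value, unfolded (h= list abbreviated for brevity).
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoogroups.com; s=echoe; t=1393079384;"
    " bh=kmukFXBXZ2LCalggiEXX2pc4h9ESv+STtGxZ/NFuN+k=;"
    " h=Received:Received:X-Yahoo-Newman-Id:From:Date:Subject:Content-Type;"
    " b=5KWzHV7YzWaUURDQW/MKelqHkdy8V/ube+c2P8+c4yX+CFKHPsk9j76G3Yt25L7DQLU3djFacfVbd"
    "Zdxz/Y41TmNcq4FVXZ23ZC42m9Ku6AN3uSxLGJm9KbrQ5/P2+pvaJHCNwecnPm1P+EiYu3qsY1FCywYTJ4GxGpkqBKRFfg="
)
# The slide-33 selector record as dig printed it (whitespace inside p= is ignored).
DKIM_KEY_TXT = (
    "k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmsJgfzmZfV10FE"
    "4jZ9NAX62SchSffsRHR/ng8TfS8YT33pdMMcUgthGXCw+n7xZOYyYvbII2OemMv"
    "0quJLUZfJFfJj2QSwI49qO3K04cUv0pNFt3/ugWzKl65Hgx1pLAoux5hdtJAmUJ"
    "KM+kaaLaG6nR/qJT2iALWAGqoB2UhOQIDAQAB"
)


def parse_tags(value):
    """RFC 6376 tag=value list: ';'-separated, folding whitespace inside values dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def key_record_name(signature_tags):
    """<s=>._domainkey.<d=>: where a verifier fetches the public key (slide 33)."""
    return f"{signature_tags['s']}._domainkey.{signature_tags['d']}"


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value):
    """Bit length of the RSA modulus inside a base64 SubjectPublicKeyInfo (the p= tag)."""
    tag, spki, _ = der_tlv(base64.b64decode(p_value), 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _, after_alg = der_tlv(spki, 0)          # skip AlgorithmIdentifier
    tag, bits, _ = der_tlv(spki, after_alg)     # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = der_tlv(bits[1:], 0)        # bits[0] is the unused-bits count
    tag, modulus, _ = der_tlv(rsa_pub, 0)       # first INTEGER of RSAPublicKey is n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def assess_key(txt_record, minimum_bits=1024):
    """Apply the slide-36 weak-key rule to a published selector record."""
    tags = parse_tags(txt_record)
    if tags.get("k", "rsa") != "rsa":
        return "unsupported"
    if not tags.get("p"):
        return "revoked"  # an empty p= means the selector's key has been revoked
    bits = rsa_modulus_bits(tags["p"])
    return f"ok:{bits}" if bits >= minimum_bits else f"weak:{bits}"
```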
  37. DKIM Best Practices
     - Key rotation: essential to good security
       - Rotate all keys at least twice a year
     - Automate everything!
       - Far less chance of errors
       - "Push a button" to rotate keys if keys get compromised
       - "Automate everything" includes key generation, publication and rotation, in-house and outsourced
  38. DKIM Q&A (roadmap slide: the slide-4 agenda, repeated)
  39. DMARC... (roadmap slide: the slide-4 agenda, repeated)
  40. What is DMARC?
     - DMARC = Domain-based Message Authentication, Reporting, and Conformance
       - Authentication: leverage existing technology (DKIM and SPF)
       - Reporting: gain visibility with aggregate and per-failure reports
       - Conformance: standardize identifiers, provide flexible policy actions
     - RFC 7489 (Informational)
  41. How DMARC works...
     - Starting from the 5322.From (HFrom) domain
       - look up the TXT record for _dmarc.<domain>
       - if that does not exist, look up _dmarc.<org domain>
     - Check for authentication success + alignment with the HFrom domain:
       - A. the SPF result was "PASS" and the SPF domain matches
       - B. any of the DKIM signatures validate and the DKIM domain matches
     - If (A or B), the DMARC result is PASS; otherwise the DMARC result is FAIL and the resulting action is based on the DMARC record
  42. Basics of the DMARC record
     $ dig txt _dmarc.yahoogroups.com +short
     "v=DMARC1; p=none; pct=100; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com;"
     $ dig txt _dmarc.paypal.com +short
     "v=DMARC1; p=reject; rua=mailto:d@rua.agari.com; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"
     - v: version
     - p: policy
     - sp: subdomain policy
     - pct: apply to X% of mail (defaults to 100%)
     - rua: reporting URI for aggregate reports
     - ruf: reporting URI for failure reports
     - Lesser use: adkim, aspf: alignment policy for DKIM and SPF (defaults to "relaxed")
  43. What is an "Organizational Domain"? For more information see PublicSuffix.org and the IETF DBOUND working group.
     - From domain host.a.b.c.example.com: organizational domain example.com
     - From domain ses.amazon.co.uk: organizational domain amazon.co.uk
     - From domain a13-14.smtp-out.amazonses.com: organizational domain amazonses.com
     - From domain www.perkins.pvt.k12.ma.us: organizational domain perkins.pvt.k12.ma.us
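The slide-41 evaluation, the slide-42 record tags and the slide-43 organizational-domain rule, as one added example (mine, not the deck's code or a library). The public-suffix list is a constructed subset that covers only the slide-43 examples; the DNS is a constructed dictionary holding the two slide-42 records plus a hypothetical example.com record that exercises sp=, pct= and strict DKIM alignment.

```python
# Constructed subset of the public suffix list, enough for the slide-43 examples.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "us", "ma.us", "k12.ma.us", "pvt.k12.ma.us"}

# Constructed DNS: the two slide-42 records plus a hypothetical example.com record.
DNS_TXT = {
    "_dmarc.yahoogroups.com": "v=DMARC1; p=none; pct=100; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com;",
    "_dmarc.paypal.com": ("v=DMARC1; p=reject; rua=mailto:d@rua.agari.com; "
                          "ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"),
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; pct=50",
}


def organizational_domain(name):
    """Slide 43: the longest matching public suffix plus one more label."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc(txt):
    """Tag=value list of a DMARC record; values keep their case (mailto: URIs, etc.)."""
    tags = {}
    for part in txt.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def find_policy(hfrom_domain):
    """Slide 41: _dmarc.<domain>, then _dmarc.<org domain>. Returns (tags, came_from_org)."""
    org = organizational_domain(hfrom_domain)
    for name in (hfrom_domain, org):
        txt = DNS_TXT.get(f"_dmarc.{name.lower()}")
        if txt and txt.startswith("v=DMARC1"):
            return parse_dmarc(txt), name != hfrom_domain
    return None, False


def aligned(hfrom_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return hfrom_domain.lower() == auth_domain.lower()
    return organizational_domain(hfrom_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(hfrom_domain, spf_result, spf_domain, dkim_results):
    """Return (result, requested action, pct). dkim_results is a list of (d= domain, result)."""
    policy, from_org = find_policy(hfrom_domain)
    if policy is None:
        return ("none", "none", 100)  # no DMARC record: nothing to enforce
    pct = int(policy.get("pct", "100"))
    spf_ok = spf_result == "pass" and aligned(hfrom_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(hfrom_domain, d, policy.get("adkim", "r"))
                  for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "none", pct)
    # A subdomain that fell back to the org record gets sp= when present, else p=.
    action = policy.get("sp", policy["p"]) if from_org else policy["p"]
    return ("fail", action, pct)
```

The receiver applies the returned action only to pct percent of failing mail; the sampling decision is left to the caller here.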
  44. What do the three DMARC policies mean? none, quarantine, reject, local policy
  45. What does DMARC verify? (The analogy table from slide 16, repeated, annotated "DKIM domain".)
  46. The Cousin Domain Problem
     - Look-alike or look-similar domains: bankofamerica.com vs. banckofamerica.com; linkedIn.com vs. linkedln.com (the first one is linkedIn)
     - Unicode trickery: "Joe User" <jοe@google.cοm>
     - Punycode trickery: alice@岍岊岊岅岉岎.com (many MUAs will display alice@xn--citibank.com)
     - DMARC only protects exact matches (or subdomains thereof)
  47. DMARC Reporting – Aggregate Reports (rua)
     - Each report covers one 5322.From domain
     - You should get one from each supporting mailbox provider that sees email with your From domain
     - Daily by default
     - XML format
     - Organized by sending IP address (as seen by the receiver!)
     - Contains: authentication results (DKIM, SPF); alignment results; policy actions taken; reasons for not taking policy actions
     - Just publish a "p=none" record to start receiving these
  48. DMARC Spec – Reporting XML Format. The policy that was found by the receiver:
     <policy_published>
       <domain>facebookmail.com</domain>
       <adkim>r</adkim>
       <aspf>r</aspf>
       <p>reject</p>
       <sp>none</sp>
       <pct>100</pct>
     </policy_published>
  49. DMARC Reporting XML Format. An example record:
     <record>
       <row>
         <source_ip>106.10.148.108</source_ip>
         <count>1</count>
         <policy_evaluated>
           <disposition>none</disposition>
           <dkim>pass</dkim>
           <spf>fail</spf>
         </policy_evaluated>
       </row>
       <identifiers>
         <header_from>facebookmail.com</header_from>
       </identifiers>
       <auth_results>
         <dkim>
           <domain>facebookmail.com</domain>
           <result>pass</result>
         </dkim>
         <spf>
           <domain>NULL</domain>
           <result>none</result>
         </spf>
       </auth_results>
     </record>
  50. DMARC Reporting – Failure Reports (ruf)
     - One per DMARC failure
     - AFRF or IODEF formats
     - Should at least include "call-to-action" URIs
     - Throttling
     - Privacy considerations
       - Might be redacted
     - May not be supported by all receivers that otherwise support DMARC
  51. Making sense of DMARC reports
     - Do it yourself: various open source tools and libraries are available
     - Outsource: various vendors are available
     - For more specifics, consult http://dmarc.org/resources
  52. DMARC Gotchas
     - DMARC relies on SPF and DKIM; if those aren't done right, DMARC will not work either
     - Separate your employee mail stream from your product mail stream (use different domains so you can have different policies)
     - If you delegate a domain, watch out for vendors overriding your top-level policies
     - Expect to find mail streams that you did not know about!
  53. DMARC Q&A (roadmap slide: the slide-4 agenda, repeated)
  54. Protecting "me.example"... (roadmap slide: the slide-4 agenda, repeated)
  55. Protecting Content From Prying (5) Eyes
     - Invest in properly configured TLS
       - Email is an interface to your company and product just as much as your website
       - Use certificates signed by reputable CAs or DANE, not self-signed ones
       - Make sure your cipher suite list disallows weak and compromised ciphers
       - Implement all of the appropriate security controls to prevent downgrade attacks
  56. The Achilles Heel of the Internet: DNS
     - Built on trust, just like SMTP was
     - In an untrustworthy world, security is critical
       - Invest in understanding DNSSEC to make an informed decision for your domain(s)
       - Invest in understanding DANE, an alternative to 3rd-party CAs
     - http://www.internetsociety.org/deploy360/start/
  57. Protecting "me.example"... (roadmap slide: the slide-4 agenda, repeated)
  58. Protecting Parked or No-Email Domains
     - No mail is sent from this domain. SPF: v=spf1 -all
     - No mail is received by this domain. "Null" MX: "MX 0 ."
     - But tell me about any attempts to abuse this domain. DMARC: v=DMARC1; p=reject; rua=mailto:report@example.com
     - Example: gmail.co (Colombian TLD misspelling of gmail.com)
       - v=spf1 -all
       - v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com
  59. Protecting "me.example"... (roadmap slide: the slide-4 agenda, repeated)
  60. Reporting and Compliance For Domain Owners
  61. Initial Record Publishing. Everyone's first DMARC record: v=DMARC1; p=none; rua=mailto:aggregate@example.com;
  62. 3rd Party Deployment Profiles
     - Controlled: the Domain Owner fully controls their own DNS, and wants as much control over their email as possible.
     - Authorized: the Domain Owner lets the 3rd party dictate the content of some DNS records, while still retaining some operational control.
     - Delegated: the Domain Owner delegates control of some or all of their DNS to a 3rd party, and wants to be mostly hands-off with their email.
     - Hosted: the Domain Owner allows the 3rd party to handle everything, and has little control.
  63. 3rd Party Deployment Profiles – Controlled. The Domain Owner retains control of the domain or subdomain, provides DKIM signing key(s) to the 3rd party/ies and publishes the public key(s), and includes the appropriate information in their SPF record.
     - Pros: this scenario allows 3rd parties to send as the organizational domain if desired; the Domain Owner retains operational control
     - Cons: coordination between the domain owner and the 3rd party mailer(s) is required to ensure proper DKIM key rotation, accurate SPF records, etc.; the risk of coordination overhead/issues increases as the number of bilateral relationships increases for domain owners and vendors
  64. 3rd Party Deployment Profiles – Controlled. Contractual points:
     - Process for DKIM key rotation: obligations of each party, including testing
     - SPF record requirements and process for adding new hosts
  65. 3rd Party Deployment Profiles – Authorized. Similar to the Controlled profile, except that the 3rd party creates the DKIM key pair(s) and generally takes a more active role in dictating record content. This approach is useful for Domain Owners where a different 3rd party is providing DNS and other services for the domain.
     - Pros: can streamline provisioning for the 3rd party (but only the first one!); one less task for the Domain Owner
     - Cons: can create additional management issues for Domain Owners who use multiple 3rd parties; possible additional contractual point for key strength requirements
  66. 3rd Party Deployment Profiles – Delegated. The Domain Owner delegates a subdomain to the 3rd party mailer and relies on the contractual relationship to ensure appropriate SPF records, DKIM signing, and DMARC records.
     - Pros: reduces Domain Owner implementation issues to mostly contractual ones; the 3rd party is responsible for SPF records, DKIM signing and publishing, etc.; the Domain Owner may still be responsible for ensuring identifier alignment
     - Cons: the Domain Owner potentially gives up day-to-day control, flexibility/responsiveness and visibility into operations and conformance
  67. 3rd Party Deployment Profiles – Delegated. Contractual points:
     - Creation and maintenance of SPF, DKIM and DMARC records
     - Rotation of DKIM keys (at least every 6 months) and minimum key length (1024 or larger)
     - Investigation of DMARC rejections
     - Handling of DMARC reports
     - Requirements for reporting back to the Domain Owner
     - Indemnification (if any) for mail lost due to improper records or signatures
  68. 3rd Party Deployment Profiles – Hosted. The 3rd party is also providing DNS, web hosting, etc. for the Domain Owner and makes the process mostly transparent to the Domain Owner.
     - Pros: very easy for less sophisticated Domain Owners; can be mostly automated by the 3rd party
     - Cons: the Domain Owner is significantly more dependent on the 3rd party; can make interactions with more than one 3rd party impossible
  69. Report Processing and Analysis
  70. Report Processing and Analysis – Report Parsing Tools: http://dmarc.org/resources.html. If you develop report parsing tools you are willing to share, please send a note to the dmarc-discuss list and let us know.
  71. Report Processing and Analysis – Step 1: Categorize the IPs in the Aggregate Report
     - Your infrastructure
     - Authorized 3rd parties
     - Unauthorized 3rd parties (you should consider everything an unauthorized 3rd party by default, until proven otherwise)
  72. Report Processing and Analysis – Step 2: Infrastructure Auditing. For both your infrastructure and authorized 3rd parties:
     - Identify owner(s)
     - Determine the LOE (level of effort) for deploying domain authentication
     - Determine the LOE for identifier alignment
     - Evaluate or prepare the business case / justification
  73. Report Processing and Analysis – Step 3: Identify Malicious Email. Research unauthorized 3rd parties and label the abusers:
     - Use public data sources
     - Vendor services
     - Look out for known failure cases (SPF/DKIM/DMARC)
     - Failure reports
  74. Report Processing and Analysis – Step 4: Perform Threat Assessment. Categories: your infrastructure; authorized 3rd parties; unauthorized 3rd parties; abusers
  75. Report Processing and Analysis – Step 4 (continued). Consider phish vs. false positives and phish vs. total aligned email. If there is no phish, you don't have a domain spoofing problem (at this time).
     - Phish: unaligned email from abusers
     - Definite false positives: unaligned email from your infrastructure + unaligned email from authorized 3rd parties
     - Potential false positives: unaligned email from unauthorized 3rd parties
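Steps 1 through 4 of report processing (slides 71 to 75), run over the slide-49 record, as an added example (mine, standard library only, not the deck's or any vendor's tool). The report is constructed: the slide's policy block and record verbatim plus four made-up rows, and the inventory of your own and authorized address ranges is hypothetical; anything outside it is an unauthorized 3rd party by default, exactly as slide 71 says.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The slide-48 policy block and the slide-49 record, verbatim.
SLIDE_POLICY = """<policy_published><domain>facebookmail.com</domain><adkim>r</adkim>
<aspf>r</aspf><p>reject</p><sp>none</sp><pct>100</pct></policy_published>"""
SLIDE_RECORD = """<record><row><source_ip>106.10.148.108</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
</row><identifiers><header_from>facebookmail.com</header_from></identifiers>
<auth_results><dkim><domain>facebookmail.com</domain><result>pass</result></dkim>
<spf><domain>NULL</domain><result>none</result></spf></auth_results></record>"""


def record_xml(ip, count, dkim, spf, disposition="none", header_from="facebookmail.com"):
    """Build one constructed <record> in the same shape as the slide-49 example."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>{disposition}</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>{header_from}</header_from></identifiers></record>")


# Constructed aggregate report: the slide's record plus four made-up rows.
REPORT_XML = "<feedback>" + SLIDE_POLICY + SLIDE_RECORD + "".join([
    record_xml("203.0.113.10", 40, "fail", "fail"),           # our own relay, not yet signing
    record_xml("198.51.100.7", 5, "pass", "pass"),            # an authorized vendor, aligned
    record_xml("192.0.2.50", 12, "fail", "fail"),             # unknown source, unaligned
    record_xml("192.0.2.99", 300, "fail", "fail", "reject"),  # a source already labelled abuser
]) + "</feedback>"

# Step 1 inventory (constructed). Anything not listed is an unauthorized 3rd party by default.
YOUR_INFRASTRUCTURE = [ipaddress.ip_network("203.0.113.0/24")]
AUTHORIZED_3RD_PARTIES = [ipaddress.ip_network("198.51.100.0/24")]
ABUSERS = {"192.0.2.99"}  # Step 3 output: unauthorized sources confirmed as malicious


def categorize(ip):
    """Step 1 (and the abuser label from Step 3) for one source IP."""
    addr = ipaddress.ip_address(ip)
    if ip in ABUSERS:
        return "abuser"
    if any(addr in net for net in YOUR_INFRASTRUCTURE):
        return "your_infrastructure"
    if any(addr in net for net in AUTHORIZED_3RD_PARTIES):
        return "authorized_3rd_party"
    return "unauthorized_3rd_party"


def parse_records(xml_text):
    """Flatten each <record>; policy_evaluated carries the DMARC-aligned DKIM/SPF results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
        })
    return rows


def assess(xml_text):
    """Step 4 (slide 75): split volume into aligned, phish, definite and potential false
    positives, and flag aligned mail from sources you did not know about (slide 52)."""
    totals = {"aligned": 0, "phish": 0, "definite_false_positives": 0,
              "potential_false_positives": 0, "unknown_aligned_sources": []}
    for r in parse_records(xml_text):
        category = categorize(r["ip"])
        if r["dkim"] == "pass" or r["spf"] == "pass":
            totals["aligned"] += r["count"]
            if category == "unauthorized_3rd_party":
                totals["unknown_aligned_sources"].append(r["ip"])
        elif category == "abuser":
            totals["phish"] += r["count"]
        elif category in ("your_infrastructure", "authorized_3rd_party"):
            totals["definite_false_positives"] += r["count"]
        else:
            totals["potential_false_positives"] += r["count"]
    return totals
```

The slide's own record lands in unknown_aligned_sources: it passes aligned DKIM from an address the constructed inventory does not list, which is the "mail streams you did not know about" case to chase down before tightening the policy.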
  76. Enforcement Policy Ramp-up
  77. Initial Policy Ramp-up
     - Step 1: Verify authentication and alignment for all of your infrastructure and all authorized 3rd parties
     - Step 2: Update your record to: p=quarantine; pct=10;
     - Do not: skip "quarantine" and go straight to "reject"; change the policy action from "none" without setting a "pct"
  78. Initial Policy Ramp-up
     - Step 3: Monitor your reports for issues and address them. Make a "go forward / go back" decision.
     - Step 4: Update your record to increase the "pct".
     - Step n...: Rinse and repeat until you get to "pct=100".
  79. Initial Policy Ramp-up. Step n+1: If needed and warranted by the abuse being seen, update your record to: p=reject
  80. Ongoing Monitoring
  81. Ongoing Monitoring
     - Categorize new IPs in aggregate reports: your infrastructure; authorized 3rd parties; unauthorized 3rd parties; abusers
     - Reassess the threat level: increases in phish; changes in unaligned email volume
     - Make changes accordingly: takedowns or other phish responses
  82. Ongoing Monitoring. Be on the lookout for: infrastructure changes; new products / new subdomains; new authorized 3rd parties; mergers and acquisitions
  83. Protecting "me.example" – Q&A (roadmap slide: the slide-4 agenda, repeated)
  84. Take Home Points
     - In-house: if email is important to your company, and even more so if it is important to your product, email authentication is critical: invest in doing it right and keeping it up to date
     - Out-sourced:
       - Understand how your 3rd parties manage SPF (include values)
       - Understand how they handle DKIM (pay extra if needed to get your own keys): key rotation + length
       - Understand how they work with DMARC and DMARC reports
  85. Resources – Email Domain Authentication: http://dmarc.org/resources
     - Articles, Tutorials and Videos: online materials explaining DMARC and related or underlying email authentication technologies
     - Code and Libraries: modules and packages that you can deploy or build into programs that implement DMARC
     - Deployment Tools: tools and services you can use when deploying DMARC, from DMARC DNS record builders to message validators / reflectors that help you determine if DKIM/DMARC/SPF is working as expected
     - Products and Services: products and services that can assist you in deploying DMARC and related technologies, from hosted email services to email security firms to mailing list management software
     - http://dmarc.io
  86. Resources – DNS(SEC), DANE, TLS, etc.
     - http://www.internetsociety.org/deploy360/start/
     - https://www.ssllabs.com/ssltest/
     - http://docs.menandmice.com/display/MM/Where%20to%20find%20webbased%20DNSSEC%20testing%20tools
     - http://dnsviz.net/
     - http://valimail.com
  87. Points to Ponder. This is not "fire-and-forget". In a dynamic environment, protecting your domain requires constant vigilance. What is your "bus number" for this critical activity?
  88. More Questions? Office Hours: Friday, lunch. @DrKurtA, KurtA@LinkedIn.com
