My key takeaways
- DMARC uses SPF and/or DKIM
- The 2021 National Defense Authorization Act says the Department of Homeland Security (DHS) must implement DMARC US-wide
- there exists an RFC for "email from"
- SPF = the receiving email server checks the connecting server's IP address against the SPF DNS record of the MAIL FROM domain (or of the domain given in the HELO handshake)
  - -all = hard fail, ~all = soft fail, +all = no fails
- M$ protects O365 inboxes with "Additional Spoof Intelligence™"
- Disable outdated SenderID by creating a TXT record with spf2.0/pra ?all
  - on Microsoft Exchange (2010/2013/2016) on-premise the Sender ID agent is enabled with & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1 and configured with Set-SenderIDConfig -ExternalMailEnabled $false
- you would not be able to use DKIM if your mail server does not support it
  - e.g. on shared hosting mail servers
  - but also Exchange on-premise
- Phishers create typosquatted domains and configure SPF, DKIM and DMARC perfectly, so their email won't be rejected
  - they use the weapons developed to stop them
- SPF, DKIM, and DMARC are widely misconfigured, most commonly:
  - Missing records
  - Old, not updated key pairs
  - Bad IP addresses
  - Missed domains
- Phishers use freemailers like Hotmail and Gmail, so SPF, DKIM and DMARC won't stop them
- SPF, DKIM and DMARC are domain-based, not email-based
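The SPF takeaway above (receiver checks the connecting IP against the sender domain's record; -all / ~all / +all decide the result) is easiest to see in code. The evaluator below is an added example written for these notes, not code from the webinar or from KnowBe4; the DNS_TXT dictionary is a constructed stand-in for real DNS lookups using documentation address ranges, and only the ip4, ip6, include and all mechanisms plus the redirect modifier are handled (a, mx, ptr and exists need live DNS and return permerror here).

```python
import ipaddress

# Constructed SPF TXT records for made-up zones (RFC 5737 / RFC 3849 documentation
# addresses); a real check_host() would fetch these over DNS instead.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "soft.example": "v=spf1 ip4:203.0.113.5 ~all",
    "open.example": "v=spf1 +all",
    "moved.example": "v=spf1 redirect=example.com",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 budget for include/redirect/a/mx/ptr/exists


def lookup_spf(domain):
    """Return the zone's SPF record, or None when it publishes no v=spf1 TXT record."""
    txt = DNS_TXT.get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt


def check_host(ip, domain, _lookups=None):
    """Evaluate SPF for a connecting IP and a MAIL FROM (or HELO) domain.

    Returns pass / fail / softfail / neutral / none / permerror following
    RFC 7208 section 4 for the ip4, ip6, include and all terms and redirect=.
    """
    if _lookups is None:
        _lookups = [0]  # mutable counter shared across include/redirect recursion
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:  # modifier (redirect=, exp=), not a mechanism
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # 'in' is False for a v4 address against a v6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, _lookups)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):  # RFC 7208 5.2: missing included record
                return "permerror"
        else:
            # a, mx, ptr and exists need live A/MX/PTR lookups; out of scope offline
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    if redirect is not None:  # only consulted when no mechanism matched
        _lookups[0] += 1
        if _lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_host(ip, redirect, _lookups)
        return "permerror" if result == "none" else result
    return "neutral"  # nothing matched and no 'all' term (RFC 7208 section 4.7)
```

Note how the softfail of the included record does not propagate: an include only "matches" on pass, so the outer record's -all still decides, which is why ~all inside a shared include is harmless while +all on your own record (open.example) lets any host pass.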
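The "widely misconfigured" takeaway (missing records, stale keys, bad addresses, missed domains) can be turned into a lint over a domain's published records. This is an added example for these notes, not KnowBe4's or the webinar's code: the DNS_TXT table holds constructed records for two made-up domains (the DKIM key value is a placeholder string), the selector name s1 is assumed, and the checks cover only what can be judged from the TXT records themselves.

```python
# Constructed TXT records for two made-up domains. "good.example" follows the
# guidance in the notes; "sloppy.example" shows the common misconfigurations.
DNS_TXT = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDERKEY"],
    "sloppy.example": ["v=spf1 ip4:203.0.113.0/24 +all ip4:198.51.100.1",
                       "v=spf1 -all"],
    "_dmarc.sloppy.example": ["v=DMARC1; p=none"],
    "s1._domainkey.sloppy.example": ["v=DKIM1; k=rsa; p="],
}

SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def txt(name):
    """Stand-in for a DNS TXT query against the constructed table above."""
    return DNS_TXT.get(name.lower(), [])


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_mech(term):
    """Mechanism/modifier name of an SPF term: '~include:x' -> 'include', 'a/24' -> 'a'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()


def lint_spf(domain):
    findings = []
    records = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return [f"{domain}: no SPF record published"]
    if len(records) > 1:
        findings.append(f"{domain}: {len(records)} SPF records; receivers return permerror")
    for record in records:
        terms = record.split()[1:]
        mechs = [spf_mech(t) for t in terms]
        if sum(m in SPF_LOOKUP_MECHS for m in mechs) > 10:
            findings.append(f"{domain}: more than 10 DNS-lookup terms; receivers return permerror")
        for term in terms:
            if term.lower() in ("+all", "all"):
                findings.append(f"{domain}: '{term}' lets any host pass SPF")
            elif term.lower() == "?all":
                findings.append(f"{domain}: '?all' gives unauthorized hosts a neutral result")
        if "all" in mechs and mechs.index("all") != len(mechs) - 1:
            findings.append(f"{domain}: terms after 'all' are never evaluated")
    return findings


def lint_dmarc(domain):
    records = [r for r in txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return [f"{domain}: no DMARC record, so SPF/DKIM failures are not acted on"]
    findings = []
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"{domain}: DMARC record has no valid p= tag")
    elif policy == "none":
        findings.append(f"{domain}: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append(f"{domain}: no rua= address, so aggregate reports (and misconfigs) go unseen")
    if tags.get("pct", "100") != "100":
        findings.append(f"{domain}: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def lint_dkim(domain, selector):
    name = f"{selector}._domainkey.{domain}"
    records = txt(name)
    if not records:
        return [f"{name}: no DKIM key published for this selector"]
    tags = parse_tags(records[0])
    if not tags.get("p"):
        return [f"{name}: empty p= means the key is revoked; signed mail will fail DKIM"]
    return []


def lint_domain(domain, selectors=("s1",)):
    """All findings for one domain; an empty list means nothing to fix."""
    findings = lint_spf(domain) + lint_dmarc(domain)
    for selector in selectors:
        findings += lint_dkim(domain, selector)
    return findings
```

Run lint_domain() over every domain you send mail from, including the ones that "never send mail" (those should publish v=spf1 -all and a reject policy); the "missed domains" item in the notes is usually a domain nobody thought to lint.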
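Because SPF, DKIM and DMARC are domain-based, a perfectly authenticated typosquatted domain passes all three checks; the sender's domain itself has to be inspected. The look-alike check below is an added example for these notes, not code from the webinar or KnowBe4: the PROTECTED list and the homoglyph table are constructed, and brand_label() takes the second-to-last label without public-suffix handling, so domains under co.uk-style suffixes would need a public suffix list first.

```python
# Own domains to protect (constructed for this example)
PROTECTED = ["example.com", "examplebank.example"]

# Characters and digraphs commonly substituted for look-alike letters
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Fold common look-alike substitutions back to the letters they imitate."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain):
    """Second-level label, e.g. 'example' from 'login.example.com' (no public-suffix handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(sender_domain, protected=PROTECTED):
    """Return the protected domain a sender domain imitates, or None if it is not a look-alike."""
    sender_domain = sender_domain.lower()
    for p in protected:
        if sender_domain == p or sender_domain.endswith("." + p):
            return None  # our own domain or a subdomain of it
    sl = brand_label(sender_domain)
    # Longest protected label first so 'examplebank-login' maps to examplebank, not example
    for p in sorted(protected, key=lambda d: -len(brand_label(d))):
        pl = brand_label(p)
        if normalize(sl) == pl or levenshtein(normalize(sl), pl) <= 1:
            return p
        if pl in sl and len(sl) > len(pl):
            return p  # brand embedded in a longer label, e.g. example-secure
    return None
```

The result is a flag for review, not a verdict: "rn" folding will also touch legitimate names containing that digraph, and a free-mailer sender (the notes' Hotmail/Gmail case) passes this check entirely, which is exactly why user awareness sits alongside the DNS records.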
Env
- Provided by KnowBe4
- Presenter:
additional links
- https://www.congress.gov/116/bills/hr6395/BILLS-116hr6395enr.pdf
- SPF RFC7208
- DKIM RFC6376
- https://www.spfwizard.net/
- https://blog.returnpath.com/demystifying-the-dmarc-record/
- DMARC Analyzer
- RdDMARC Analyzer
- DMARC Reports Parser
- http://www.gettingemaildelivered.com/how-to-set-up-dmarc-email-authentication