July 15

Webinar takeaway: Implement DMARC the Right Way to Keep Phishing Attacks Out of Your Inbox


My key takeaways

  • DMARC builds on SPF and/or DKIM
  • The 2021 National Defense Authorization Act requires the Department of Homeland Security (DHS) to implement DMARC US-wide
  • There is an RFC for the "email from" field
  • SPF = the receiving mail server checks the connecting IP address against the SPF DNS record of the MAIL FROM domain (or the domain announced in the HELO handshake)
  • -all = hard fail, ~all = soft fail, +all = nothing ever fails
  • M$ protects O365 inboxes with "Additional Spoof Intelligence™"
  • Disable the outdated Sender ID check by publishing a TXT record containing "spf2.0/pra ?all"
  • On-premises Microsoft Exchange (2010/2013/2016) gets the anti-spam agents via "& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"; Sender ID checking is then switched off with "Set-SenderIDConfig -ExternalMailEnabled $false"
  • You cannot use DKIM if your mail server does not support it
    • e.g. mail servers on shared hosting
    • but also on-premises Exchange
  • Phishers register typosquatted domains and configure SPF, DKIM and DMARC perfectly, so their mail is not rejected
    • they use the weapons developed to stop them
  • SPF, DKIM and DMARC are widely misconfigured, most commonly:
    • missing records
    • old key pairs that were never rotated
    • wrong IP addresses
    • domains that were forgotten
  • Phishers use freemailers like Hotmail and Gmail, so SPF, DKIM and DMARC won't stop them
    • SPF, DKIM and DMARC are domain based, not email (sender) based
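As an added example (not code from the webinar or from this post), here is a small offline Python evaluator for the qualifier semantics in the notes above. It parses a constructed SPF TXT record, evaluates a sending IP against its ip4/ip6/all mechanisms the way a receiving server would, and returns pass, fail, softfail or neutral; it also parses a DMARC record to expose the p= policy. Mechanisms that need DNS (include, a, mx, ptr, exists) and modifiers such as redirect= are skipped, so it illustrates the rules rather than replacing a real checker. All domains, records and IP addresses are constructed sample values from the documentation ranges.

```python
"""Added example: offline SPF qualifier evaluation and DMARC record parsing.

Not code from the webinar or this post. Records and IPs below are
constructed sample values (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2); '+' is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that need DNS lookups; this offline example cannot evaluate them.
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples.

    Modifiers such as redirect= and exp= are dropped because resolving
    them requires DNS.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier (name=value), skipped in this example
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(record, sender_ip):
    """Return the SPF result for sender_ip under record.

    Mirrors the receiver-side check: the connecting IP is matched against
    the mechanisms in order and the first match decides the result.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            # 'all' always matches, so -all / ~all / +all decides the fallback.
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism.split("/")[0] in DNS_MECHANISMS:
            continue  # would need a DNS lookup; treated as non-matching here
        else:
            return "permerror"  # unknown mechanism: the record itself is broken
    # No mechanism matched and no 'all' term: RFC 7208 says neutral.
    return "neutral"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; tags['p'] is the policy."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    return tags


if __name__ == "__main__":
    # Constructed records for a fictitious example.com whose authorized
    # sending range is 192.0.2.0/24; 198.51.100.5 is an unrelated sender.
    for fallback in ("-all", "~all", "+all"):
        spf = "v=spf1 ip4:192.0.2.0/24 " + fallback
        print(spf, "| unknown sender 198.51.100.5 ->",
              check_spf(spf, "198.51.100.5"))
    print(parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

Running it shows the three fallbacks side by side: with -all the unrelated sender fails, with ~all it softfails, and with +all it passes, which is why +all is effectively no protection. Note that the check only answers whether the connecting IP is authorized for the domain named in the record; a phisher's own typosquatted domain with a correct record passes just the same, so the domain that passed matters as much as the verdict.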

Tags

deliverability, dkim, dmarc, email marketing, phishing, spf
