Blog | 10 May

Protect Email Phishing with MX, SPF, DKIM and DMARC

Blog Writer | office365, protection, phishing, virus | Office 365, Exchange Server

Summary

Basic phishing e-mails are so effective that most attackers no longer bother with exploit kits.
It is very easy to spread viruses and ransomware through your domain if your mail domains are not protected, even with Office 365 and Exchange Online.

 

Context

The French government (through ANSSI, the national cybersecurity agency) recommends setting up these protections on e-mail.

The US government also calls for these enhancements.

 

Let's see now how to do a basic implementation of these settings in Office 365 and Exchange Online.
For complex and hybrid settings, please contact us.

 

Concepts

Let's start with the concepts. The comparison below covers the three mechanisms side by side.

What does it stand for?
  SPF: Sender Policy Framework
  DKIM: DomainKeys Identified Mail
  DMARC: Domain-based Message Authentication, Reporting and Conformance

What is it?
  SPF: A system to declare and verify who can send e-mails from a given domain.
  DKIM: An e-mail authentication system based on asymmetric cryptographic keys.
  DMARC: An e-mail authentication system that helps determine what to do when messages fail SPF or DKIM checks.

How does it work?
  SPF: The receiving host checks whether the sending host is allowed to send e-mails from the sender domain. The information stating who can send e-mails is stored in a TXT record in the DNS zone.
  DKIM: The sending host signs the e-mail body and/or headers with its private key. The receiving host verifies the signature, confirming that the signed fields are intact. No digital certificate is required: the public key is published in a DNS TXT record.
  DMARC: The receiving host applies the DKIM and SPF checks, then validates the results against the published DMARC policy and decides what to do: block, quarantine, deliver, report to the sender. The DMARC policy is published in a DNS TXT record.

Why is it important?
  SPF: It helps prevent spoofing and can prevent damage to your brand.
  DKIM: The digital signature greatly reduces the chances that your messages are treated as spam.
  DMARC: It helps the receiving organization decide what to do with e-mails that fail the checks, and creates a feedback loop that allows course correction.

Where can I learn more?
  SPF: Sender Policy Framework
  DKIM: DomainKeys Identified Mail
  DMARC: Domain-based Message Authentication, Reporting & Conformance

 

 

Enabling SPF (Scenario: only Exchange Online sends e-mails from your domain)

The first thing we do is SPF, because it is simple and stops a lot of spam with little effort. Then we do DKIM and then DMARC, because this last one ties the others together.

 

Create a TXT record in your domain zone

TXT Name:  @
Value:    "v=spf1 include:spf.protection.outlook.com -all"

 

C:\Users\user1>nslookup -querytype=txt caribinfra.com

Server:   myBox
Address:  192.168.1.1
Non-authoritative answer: caribinfra.com  text = "v=spf1 include:spf.protection.outlook.com -all"
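Once the record is published, it is worth checking what a receiver will actually see, because the TXT answer the resolver returns is what gets parsed, not what you typed in the DNS console. The following is an added example (not code from the original post or from Microsoft): a small offline audit that takes the TXT answers for a domain, as constructed sample data here, and flags the mistakes that most often break SPF in practice: two SPF records, a non-ASCII dash pasted in place of "-", a missing or permissive "all" term, and too many lookup terms.

```python
import re
from typing import List

# Constructed TXT answers imitating what a resolver returns for the apex of a
# domain. The first set is the record from the post plus an unrelated
# verification TXT; the second set shows two classic mistakes.
TXT_ANSWERS_OK = [
    "v=spf1 include:spf.protection.outlook.com -all",
    "MS=ms12345678",  # constructed domain-verification token, not an SPF record
]
TXT_ANSWERS_BAD = [
    "v=spf1 include:spf.protection.outlook.com \u2013all",  # en-dash pasted instead of '-'
    "v=spf1 a mx ~all",                                       # a second SPF record
]

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that cost a DNS lookup towards the limit of 10 (RFC 7208 section 4.6.4).
# Nested includes are not resolved offline, so the count here is a lower bound.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(txt_records: List[str]) -> List[str]:
    """Return findings for the SPF record(s) among the TXT answers; an empty list means clean."""
    findings: List[str] = []
    spf_records = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf_records:
        return ["no SPF record published: receivers cannot tell who may send for this domain"]
    if len(spf_records) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error (permerror)")
    record = spf_records[0]
    if re.search(r"[\u2013\u2014]", record):
        findings.append("record contains a non-ASCII dash (copy/paste artefact); '-all' will not parse")

    lookups = 0
    all_qualifier = None
    for term in record.split()[1:]:
        if "=" in term:  # modifier such as redirect=... or exp=...
            if term.split("=", 1)[0].lower() == "redirect":
                lookups += 1
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            findings.append(f"unknown mechanism {term!r}")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier

    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of a fail")
    elif all_qualifier == "+":
        findings.append("'+all' lets any host on the internet send as your domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: receivers get no decision from SPF")
    elif all_qualifier == "~":
        findings.append("'~all' is softfail: acceptable during rollout, tighten to '-all' once every sender is listed")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms at the top level alone; the limit is 10 including nested includes")
    return findings


if __name__ == "__main__":
    for label, answers in (("ok", TXT_ANSWERS_OK), ("bad", TXT_ANSWERS_BAD)):
        print(label, audit_spf(answers) or ["clean"])
```

In real use the list of TXT strings comes from the resolver (the nslookup output above, or a DNS library); the audit itself needs no network access, so it can run as a scheduled check that alerts when someone edits the zone and accidentally adds a second "v=spf1" record.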

 

Enabling DKIM

Publish two CNAME records for your domain in DNS

 

Get your domain GUID

Your domain GUID is based on your domain name, replacing the dots with dashes.

For caribinfra.com, domain GUID is “caribinfra-com”

 

Get your initial domain

Initial domain is basically your tenant name in Office 365. You can get it from Admin Center – Domains. It is that domain ending with “.onmicrosoft.com”.

For our CaribInfra company initial domain is “caribinfra.onmicrosoft.com”.

 

 

DNS Setup

Create two CNAME records in your external DNS zone

Host name : selector1._domainkey.caribinfra.com
Points to : selector1-caribinfra-com._domainkey.caribinfra.onmicrosoft.com

 

Host name : selector2._domainkey.caribinfra.com
Points to : selector2-caribinfra-com._domainkey.caribinfra.onmicrosoft.com

 

C:\Users\user1> nslookup -querytype=CNAME selector1._domainkey.caribinfra.com.
Server:   myBox
Address:  192.168.1.1
Non-authoritative answer: selector1._domainkey.caribinfra.com     canonical name = selector1-caribinfra-com._domainkey.caribinfra.onmicrosoft.com

 

C:\Users\user1> nslookup -querytype=CNAME selector2._domainkey.caribinfra.com.
Server:   myBox
Address:  192.168.1.1
Non-authoritative answer: selector2._domainkey.caribinfra.com     canonical name = selector2-caribinfra-com._domainkey.caribinfra.onmicrosoft.com
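The two CNAMEs are fully determined by the domain name and the initial (tenant) domain, so the expected values can be computed and compared with what DNS actually returns. The following is an added example (not code from the original post or from Microsoft) that applies the naming rule above verbatim, including to subdomains such as mail.caribinfra.com, and checks constructed resolver answers against it; the sample answers, including the one with the dot left in the domain GUID, are constructed for the example.

```python
from typing import Dict, List


def domain_guid(domain: str) -> str:
    """Office 365 'domain GUID': the domain name with every dot replaced by a dash."""
    return domain.lower().rstrip(".").replace(".", "-")


def expected_dkim_cnames(domain: str, initial_domain: str) -> Dict[str, str]:
    """Map each selector host name to the CNAME target it must point to."""
    custom = domain.lower().rstrip(".")
    initial = initial_domain.lower().rstrip(".")
    guid = domain_guid(custom)
    return {
        f"selector{n}._domainkey.{custom}": f"selector{n}-{guid}._domainkey.{initial}"
        for n in (1, 2)
    }


# Constructed resolver answers (host -> canonical name), in the shape nslookup prints them.
CNAME_ANSWERS_OK = {
    "selector1._domainkey.caribinfra.com.": "selector1-caribinfra-com._domainkey.caribinfra.onmicrosoft.com.",
    "selector2._domainkey.caribinfra.com.": "selector2-caribinfra-com._domainkey.caribinfra.onmicrosoft.com.",
}
CNAME_ANSWERS_BAD = {
    # dot in the domain GUID not replaced by a dash; selector2 never published
    "selector1._domainkey.caribinfra.com.": "selector1-caribinfra.com._domainkey.caribinfra.onmicrosoft.com.",
}


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and the trailing dot is only a presentation detail.
    return name.lower().rstrip(".")


def check_dkim_cnames(domain: str, initial_domain: str, answers: Dict[str, str]) -> List[str]:
    """Compare the published CNAMEs with the expected ones; an empty list means both selectors are correct."""
    published = {_normalize(host): _normalize(target) for host, target in answers.items()}
    problems: List[str] = []
    for host, target in expected_dkim_cnames(domain, initial_domain).items():
        actual = published.get(host)
        if actual is None:
            problems.append(f"{host}: no CNAME published")
        elif actual != target:
            problems.append(f"{host}: points to {actual}, expected {target}")
    return problems


if __name__ == "__main__":
    for host, target in expected_dkim_cnames("caribinfra.com", "caribinfra.onmicrosoft.com").items():
        print(f"{host} -> {target}")
    print(check_dkim_cnames("caribinfra.com", "caribinfra.onmicrosoft.com", CNAME_ANSWERS_BAD))
```

Until both CNAMEs resolve, enabling signing in the admin center fails or the signatures will not verify, so run the comparison against the external resolver, not the internal one, before moving on to the next step.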

 

Enable DKIM signing for your domain in Office 365

  1. Sign in to the Exchange Admin Center with administrative credentials
  2. Go to Protection > dkim
  3. Select the domain for which you want to enable DKIM and then, for Sign messages for this domain with DKIM signatures, choose Enable.

 

Enabling DMARC

The most important things to consider when enabling DMARC are:

  1. make sure you got SPF and DKIM right
  2. define your policy wisely.

If you get any of those two wrong, there can be a lot of noise.

 

The table below summarizes the tags you can use when configuring your DMARC policy (tag, purpose, accepted values):

v (Version, required)
  DMARC1

p (Policy, required)
  none: no specific action is taken regarding delivery of messages.
  quarantine: e-mail that fails the DMARC check should be considered suspicious.
  reject: e-mail that fails the DMARC check should be rejected.

sp (Policy for all subdomains, optional; defaults to the parent domain policy if omitted)
  none: no specific action is taken regarding delivery of messages; useful for monitoring.
  quarantine: e-mail that fails the DMARC check should be considered suspicious.
  reject: e-mail that fails the DMARC check should be rejected.

adkim (Whether strict or relaxed DKIM identifier alignment is required, optional; defaults to r if omitted)
  r: relaxed mode. The authenticated signing domain and the sender domain are considered aligned if either is a subdomain of the other.
  s: strict mode. Only an exact match between both domains produces identifier alignment.

aspf (Whether strict or relaxed SPF identifier alignment is required, optional; defaults to r if omitted)
  r: relaxed mode. The authenticated domain and the sender domain are considered aligned if either is a subdomain of the other.
  s: strict mode. Only an exact match between both domains produces identifier alignment.

rua (Addresses to which aggregate feedback is sent, optional)
  E-mail addresses in the format mailto:mbx@domain.com. Multiple addresses are comma separated.

ruf (Addresses to which message-specific failure information is reported, optional)
  E-mail addresses in the format mailto:mbx@domain.com. Multiple addresses are comma separated.

rf (Format used for message-specific failure reports, optional; defaults to afrf if omitted)
  afrf: Authentication Failure Reporting Using the Abuse Reporting Format, as described in RFC 6591.
  iodef: Incident Object Description Exchange Format, as described in RFC 5070.

ri (Requested interval, in seconds, between aggregate reports, optional; defaults to 86400 if omitted)
  32-bit unsigned integer, from 0 to 4,294,967,295.

fo (Requested options for generating failure reports, optional; defaults to 0 if omitted)
  0: generate a DMARC failure report if all underlying mechanisms fail.
  1: generate a DMARC failure report if any underlying mechanism produced something other than an aligned "pass" result.
  d: generate a DKIM failure report if the message had a signature that failed evaluation.
  s: generate an SPF failure report if the message failed SPF evaluation.

pct (Percentage of messages to which the DMARC policy is applied, optional; defaults to 100 if omitted)
  Integer between 0 and 100, inclusive. It allows a gradual rollout of DMARC enforcement.

 

For example, we can use the DMARC TXT record below for caribinfra.com:

 

TXT Name: _dmarc.caribinfra.com
Value: "v=DMARC1;p=quarantine;rua=mailto:rua@caribinfra.com;ruf=mailto:ruf@caribinfra.com;fo=1"
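Because a single malformed tag turns the whole record into "no DMARC policy" at most receivers, it pays to validate the record against the tag table before publishing it. The following is an added example (not code from the original post): a parser for the tag=value syntax, a function that fills in the defaults listed in the table (sp inherits p, adkim and aspf default to r, pct to 100, ri to 86400, fo to 0, rf to afrf), and an audit that reports values outside the accepted ranges. It runs over the caribinfra.com record above and over a second, constructed record with three deliberate mistakes.

```python
from typing import Dict, List

# The record published in the post for caribinfra.com.
DMARC_RECORD = "v=DMARC1;p=quarantine;rua=mailto:rua@caribinfra.com;ruf=mailto:ruf@caribinfra.com;fo=1"
# Constructed record with three mistakes: v is not the first tag, pct is out of range,
# and the rua address lacks the mailto: scheme.
DMARC_RECORD_BAD = "p=reject; v=DMARC1; pct=150; rua=rua@caribinfra.com"

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT_MODES = {"r", "s"}
FO_OPTIONS = {"0", "1", "d", "s"}
REPORT_FORMATS = {"afrf", "iodef"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value;tag=value' into a dict; tag names are lowercased, insertion order is kept."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def effective_policy(tags: Dict[str, str]) -> Dict[str, object]:
    """Apply the defaults from the tag table so the policy a receiver will enforce is explicit."""
    def addresses(tag: str) -> List[str]:
        return [a.strip() for a in tags.get(tag, "").split(",") if a.strip()]

    return {
        "p": tags.get("p"),
        "sp": tags.get("sp", tags.get("p")),   # subdomains inherit the parent policy
        "adkim": tags.get("adkim", "r"),
        "aspf": tags.get("aspf", "r"),
        "pct": int(tags.get("pct", "100")),
        "ri": int(tags.get("ri", "86400")),
        "fo": tags.get("fo", "0").split(":"),
        "rf": tags.get("rf", "afrf").split(":"),
        "rua": addresses("rua"),
        "ruf": addresses("ruf"),
    }


def audit_dmarc(record: str) -> List[str]:
    """Validate a record against the tag table; an empty list means it is well formed."""
    findings: List[str] = []
    tags = parse_dmarc(record)
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        findings.append("v=DMARC1 is required and must be the first tag")
    if tags.get("p") not in POLICIES:
        findings.append("p is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        findings.append("sp must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ALIGNMENT_MODES:
            findings.append(f"{tag} must be r or s")
    for tag, low, high in (("pct", 0, 100), ("ri", 0, 4_294_967_295)):
        if tag in tags and not (tags[tag].isdigit() and low <= int(tags[tag]) <= high):
            findings.append(f"{tag} must be an integer between {low} and {high}")
    if "fo" in tags and not set(tags["fo"].split(":")) <= FO_OPTIONS:
        findings.append("fo accepts only 0, 1, d and s, colon separated")
    if "rf" in tags and not set(tags["rf"].split(":")) <= REPORT_FORMATS:
        findings.append("rf accepts only afrf and iodef")
    for tag in ("rua", "ruf"):
        for addr in tags.get(tag, "").split(","):
            addr = addr.strip()
            if addr and not (addr.startswith("mailto:") and "@" in addr):
                findings.append(f"{tag} address {addr!r} must use the mailto:mbx@domain.com form")
    if tags.get("p") == "none" and not tags.get("rua"):
        findings.append("p=none without rua: monitoring mode, but nobody receives the aggregate reports")
    return findings


if __name__ == "__main__":
    print(effective_policy(parse_dmarc(DMARC_RECORD)))
    print(audit_dmarc(DMARC_RECORD_BAD))
```

The "p=none without rua" finding is the one that matters most for a rollout: monitoring mode is only useful if the aggregate reports actually reach a mailbox someone reads, and the reports are how you discover the third-party senders you forgot to add to SPF before moving to quarantine or reject.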

 

Result

When sending an e-mail from caribinfra.com to gmail.com, we see the SPF, DKIM and DMARC checks all passing.

When looking at the mail headers, we find all the necessary items:

ARC-Seal: i=1; a=rsa-sha256; t=1526062769; cv=none;
        d=google.com; s=arc-20160816;
        b=1D4gUyLk4.../...k6Gw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:spamdiagnosticmetadata:spamdiagnosticoutput
         :content-language:accept-language:message-id:date:thread-index
         :thread-topic:subject:to:from:dkim-signature
         :arc-authentication-results;
        bh=8YDMg1feuo.../...8Y5Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@caribinfra.com header.s=selector1 header.b=LaC3eI2+;
       spf=pass (google.com: domain of jeanyves.moschetto@caribinfra.com designates 104.47.40.100 as permitted sender) smtp.mailfrom=jeanyves.moschetto@caribinfra.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=caribinfra.com
Received-SPF: pass (google.com: domain of jeanyves.moschetto@caribinfra.com designates 104.47.40.100 as permitted sender) client-ip=104.47.40.100;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@caribinfra.com header.s=selector1 header.b=LaC3eI2+;
       spf=pass (google.com: domain of jeanyves.moschetto@caribinfra.com designates 104.47.40.100 as permitted sender) smtp.mailfrom=jeanyves.moschetto@caribinfra.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=caribinfra.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=caribinfra.com;
 s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=8YDMg1feu.../...OI=;
 b=LaC3eI2+H0T.../...ixqNg=
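The Authentication-Results header above is what a receiving MTA records, and it is also what a mail-flow rule or SIEM query has to read to decide whether a message claiming to come from your domain really did. The following is an added example (not code from the original post): a parser for that header, which strips the parenthesised comments and returns one entry per method, plus a function that recomputes the DMARC outcome from the DKIM and SPF results and their alignment with header.from. Alignment is implemented in its relaxed form as a simplification (exact match or subdomain of the From domain); real DMARC compares organizational domains using the Public Suffix List. The two header values are constructed: the first mirrors the header above with the mailbox renamed and the signature shortened, the second models a message whose From claims caribinfra.com but whose SPF-checked bounce domain belongs to someone else and which carries no DKIM signature.

```python
import re
from typing import Dict, List

# Constructed Authentication-Results values (authserv-id first, then one clause per method).
AUTHRES_GOOD = (
    "mx.google.com; "
    "dkim=pass header.i=@caribinfra.com header.s=selector1 header.b=LaC3eI2+; "
    "spf=pass (google.com: domain of user@caribinfra.com designates 104.47.40.100 "
    "as permitted sender) smtp.mailfrom=user@caribinfra.com; "
    "dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=caribinfra.com"
)
AUTHRES_SPOOF = (
    "mx.example.net; dkim=none; "
    "spf=pass smtp.mailfrom=bounce@mailer.example; "
    "dmarc=fail (p=QUARANTINE) header.from=caribinfra.com"
)


def _strip_comments(text: str) -> str:
    """Drop RFC 5322 comments '(...)', which may nest, so their contents are not read as properties."""
    out: List[str] = []
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_authentication_results(value: str) -> Dict[str, object]:
    """Return the authserv-id and one entry per method: {'method', 'result', 'props'}."""
    clauses = [c.strip() for c in _strip_comments(value).split(";") if c.strip()]
    if not clauses:
        raise ValueError("empty Authentication-Results value")
    results = []
    for clause in clauses[1:]:
        tokens = clause.split()
        head = re.fullmatch(r"([a-z0-9-]+)=([a-z]+)", tokens[0], re.IGNORECASE)
        if not head:
            continue  # not a method=result clause
        props: Dict[str, str] = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val
        results.append({"method": head.group(1).lower(), "result": head.group(2).lower(), "props": props})
    return {"authserv_id": clauses[0].split()[0], "results": results}


def _aligned(identifier_domain: str, from_domain: str) -> bool:
    # Relaxed alignment, simplified: identical, or a subdomain of the From domain (assumption).
    return bool(identifier_domain) and (
        identifier_domain == from_domain or identifier_domain.endswith("." + from_domain)
    )


def dmarc_verdict(parsed: Dict[str, object]) -> Dict[str, object]:
    """Recompute whether DKIM and SPF both passed AND aligned with header.from; either suffices for DMARC."""
    by_method = {r["method"]: r for r in parsed["results"]}
    from_domain = by_method.get("dmarc", {}).get("props", {}).get("header.from", "").lower()
    dkim, spf = by_method.get("dkim"), by_method.get("spf")
    dkim_domain = ""
    if dkim:
        dkim_domain = (dkim["props"].get("header.d") or dkim["props"].get("header.i", "").split("@")[-1]).lower()
    spf_domain = spf["props"].get("smtp.mailfrom", "").split("@")[-1].lower() if spf else ""
    dkim_ok = bool(dkim) and dkim["result"] == "pass" and _aligned(dkim_domain, from_domain)
    spf_ok = bool(spf) and spf["result"] == "pass" and _aligned(spf_domain, from_domain)
    return {
        "authserv_id": parsed["authserv_id"],
        "header_from": from_domain,
        "dkim_selector": dkim["props"].get("header.s", "") if dkim else "",
        "dkim_aligned_pass": dkim_ok,
        "spf_aligned_pass": spf_ok,
        "dmarc_pass": dkim_ok or spf_ok,
        "reported_dmarc": by_method.get("dmarc", {}).get("result", "none"),
    }


if __name__ == "__main__":
    for value in (AUTHRES_GOOD, AUTHRES_SPOOF):
        print(dmarc_verdict(parse_authentication_results(value)))
```

One caveat when using this for detection: only trust an Authentication-Results header whose authserv-id is your own receiving MTA, because anything added upstream of it is just text the sender chose to include. The spoofed sample also shows why alignment matters: SPF alone passes there, since the bounce domain does belong to the sending server, but it is not the domain the user sees in From, so DMARC fails.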
 

 

 
