INCH360 Panel: Dan Brown: Email Cybersecurity - Lab Environment DMARC

I'll introduce myself. Dan Brown, I'm with the Cybersecurity and Infrastructure Security Agency. We are the newest agency in the federal government, under the Department of Homeland Security. We are tasked with protecting the sectors of critical infrastructure, which includes state, local, tribal, territorial, and also the private sector. Much of critical infrastructure is owned by the private sector, whether it's, you know, the Avistas, Columbia Pipeline, whatever. We will support those folks and offer federally funded, slash free, assessments and advising to anyone in those spaces.

So, this is going to be a little more technical conversation. We did some presentations for Cybersecurity Awareness Month for WaTech, State of Washington Technology, and this presentation and some other phishing and vishing presentations were saved on the WaTech Cybersecurity Awareness Month 2023 website. I have a link at the very end, so if anyone wants to refer to that and get some more material, it is there.

So my agenda is just to talk about the foundational technologies of email security from the server side: SPF, DKIM, DMARC; briefly touch on Authenticated Received Chain; email header analysis tools; and conclusions and recommendations. I apologize, it'll be kind of technical, not the most exciting, but I will just offer some information.

First of all, why use SPF, DKIM, and DMARC? With SMTP, by default, it will permit any computer to send email claiming to be from any source address, unless you use SPF, DMARC, and DKIM. So, I do recall once in the early 2000s I had a coworker, we used Pine, I think it was at WSU at the time, and he was able to send an email from Bill.Gates@Microsoft.com and it appeared just like it was from him. There was no authentication; it was an open relay, and he was able to do it. Times have changed, and fortunately we have better authentication methods in place. So, the first of those is Security Policy Framework.

Yes. It's moving forward on mine. Let's see here. So he didn't. Let's go slideshow. Where's the clicker? Oh, so they're separate. I understand now. So I can't just make it go. Right. Okay. But I have to forward it here to see my notes. But that's okay. We'll do it. Okay. So there was my foundation. Let's see. Agenda. Sender Policy Framework.

Basically, Sender Policy Framework is an authentication method to ensure the sending mail server is authorized to originate mail from the sender's domain. So in other words, you have to list all of the IP addresses or domains that are allowed to send email on behalf of your domain. And it directs policy enforcement actions, whether to allow all or not. It can be misconfigured to be overly permissive. An example of that is if you include a +all at the end of the SPF record, it'll allow any IP to send on your behalf, which is not good. Or if you use incorrect CIDR notation. So, for example, if your intention is to have a /20 and you inadvertently use a /2, rather than 4,000 addresses you would allow about a billion addresses, which is 25 percent of all IPv4. And it's just one character, and that can leave it wide open.

Okay, components of an SPF record: there's a version number, mechanisms, quantifiers, and modifiers. So, the mechanisms, you know, describe the host as authorized inbound for a given domain, and an SPF record can have zero or multiple mechanisms. Some of the common ones are quantifiers. So, in the quantifiers you can have a pass, a hard fail, a soft fail, or a neutral. So what does it do with the message if it doesn't meet the quantifiers in the SPF record? So, modifiers, they're used to send a query to other domains. Modifiers are easy to understand compared to other mechanisms, used when you have several domains and need to use the same SPF record everywhere. So, an example: a user-provided explanation when a failed quantifier is included in a match mechanism. The explanation will be placed in the SPF log, so that's a good place to get additional data.

So, example SPF records. I have two examples here, and I'll walk through what each of the components are. The first is the version number. Everything is SPF1; that's the current version. Also on that line is an include. So you can use an include and it will use DNS; it will look up all the records for that. That's a misspelling of Google, but you get the idea. It'll list the current version, it'll list the A: A authorizes the hosts detected in the A record of the domain to send the emails. And so if you look in the second one, you see it has the include and specific IPs. And the SPF SR, or RFC, limits the DNS lookups to a maximum of 10 per SPF, and a lot of times they say, where possible, use IP addresses rather than domains, because then you can avoid the lookup time and it'll improve your performance.

So, okay, whoops. So this was, I'll take that one. Okay, so. Is anyone in here familiar with configuring SPF? Do you manage mail servers? Okay. Have you looked at your SPF record in the last year? Okay, that's good to hear. We have a few. So, thank you. I'm glad to know I have a few techie folks in the audience. So, any questions about SPF that I can answer? Okay, we'll go on to DKIM.

So DKIM, and just for reference, SPF, I believe, was originally published in around 2000, and I think it became an RFC in about 2002. It was very close to that timeline. So DKIM is a standard. It was defined in RFC 6376 in September of 2011, and has had a couple of updates since then. With DKIM, it allows for a domain to prove it's responsible for a message, and that it was not altered as it traveled its delivery path. So, SPF was more about the pathway and who can send, and this is more about the validity of the content of the email. So there is a signature; that's the public key. It's a public/private key relationship, and DNS has the public key published. So then the message can be encrypted and then decrypted at time of reading. Anyway, it creates and decodes the DKIM signature. DKIM signatures are inserted into the header of the email and then used at decryption. And again, I said that's a standard with a couple of RFCs.

So, an example of DKIM. This particular one, the most relevant ones are the required ones. b is for the signature, bh is for the body hash, d is for the signing domain, and s is for the selector. So, if you take a look at that example there, you can see the version number. You can see they're using RSA. Whoops. Okay, there we go, sorry. So, you can see version 1; it gives an example, shows the hash there listed in the text. And again, that's in the header. And a CNAME record can also be used to point at a different TXT record, for example, when one organization sends on behalf of another.

Let's look at, okay, so DMARC actually improves upon the existing security measures of DKIM and SPF. It kind of ties them together, if you will. A DMARC policy allows a sender's domain to indicate that their messages are protected by SPF and/or DKIM, and it tells the receiver what to do if neither of those authentication methods pass, such as to reject the message or quarantine. So does it end up in the spam folder, or just get rejected? And DMARC kind of works with domain alignment. It requires SPF and DKIM to be in place, and domain alignment basically means that they need to match the message From domain with the return-path domain, from the sending domain to the return-path domain, just to ensure that someone's not trying to send it out as a known domain while the return path, if they hit reply, is different. And, basically, you have to create a proper DNS TXT record for this, and that'll tell the policy, where it reports to, and the subdomains.

Okay, I think it skipped one. Okay, there's a sample config. So in DMARC, in this example, you know, it shows the version number, DMARC1, again, it's the current version. And it shows what it does, whether it quarantines, what percent of the mail messages are being scanned and run against that rule set, the subdomain policy, and where to send the reports to. It's very helpful if these reports get sent. If you're a mail administrator, it gives you a good chance to look at those and, you know, see what is failing and why it's failing.

So, let's see what else we got. Okay, so let's go. And this is an example of a report. It basically just shows, you know, how each message was affected, whether it passed, failed, and why. You know, if it passed SPF and DKIM, or just one or the other, and what the resultant action was. So, they're typically sent once a day, and this one has been reformatted in tabular form just to be easier to see.

One additional comment I'll make is most of this is available; you know, the technology hasn't changed. I listened to a number of podcasts and did a bunch of research on this. And the most relevant information is from delivery experts, ESPs, professional mail people that are using mail to send out marketing email. They're sending thousands or millions of emails, and they want to make sure that their email gets through. So they talk about it from a little different lens, but the technology is still all the same, and you need to have it configured in such a way that good mail gets through and bad gets rejected.

So, future additional options. Come on. Oops. So, there are some different email configuration technologies that are out there. One of them is a brand message indicator: Brand Indicator for Message Identification. It uses DKIM, SPF, and DMARC to verify. It adds a brand logo to the name of the email sender as additional validation. Again, the email marketing companies are in support of this because then they can show that it's actually from their company, and it'll show their logo as an additional form of authentication and validation.

So, another is new security features that were launched by Google on October 3rd of '23, and they're coming from Yahoo in February of '24. And basically, bulk email senders that send more than 5,000 messages will have new authentication requirements. So, for those, you know, marketing folks that send out lots and lots of email, they will have requirements, and the intent is to, you know, reduce the amount of spam. And the senders will be required to process unsubscribe requests within two days.

The third one that I'll talk about as an option is Authenticated Received Chain, or ARC. Basically it makes a list of trusted ARC senders to trust legitimate indirect mail flows. So, just another configuration option. And there's an example of ARC. Basically it helps to keep the message from being modified in transit and adds a list of trusted intermediaries. And it just shows, I have two graphics, one that shows a mail flow with ARC and one without. And that just adds an additional DNS check through the pathway of mail. And it shows, yeah, and for this you have to use DMARC.

Okay, real briefly we'll talk about message header analysis. So, it's a great tool that's available in nearly all email clients; it allows you to see technical details about routing and pathing, including DKIM information. Every header is different and some metadata is optional, but the first four are required: sender, recipient, date, and subject.

So anti-spam laws for most countries require the following. A From label that should either be the name of your business or your own name, if your subscribers know you by that. The reply-to address needs to be a functioning address and should connect to you or someone at your company who can answer questions. Also, the domain in your sending email needs to be correct. And the subject line, this is a bit more tricky. The subject line must pertain to the content of the email in some way. Doesn't mean you can't have fun and have a tricky subject line, but you can't say this is an email from Dr. Smith confirming your appointment on Tuesday, and then open it up and have someone try and sell you, you know, a new laptop or something. It has to be related to the content in the email. And again, the country laws are a bit different, so you have to review those on your own.

Okay. And this is just how you get in. I mean, most of you folks probably know how to do that. Just go into, look at message headers, and some will have more details than others, but, you know, same idea.

Okay, and this is an example of a message header. It's kind of difficult to see, but it's a message from biola.edu, from Stephanie to David. This particular one happens to be an internal email. And, you know, it's an example of how full email headers are more than From lines. They contain information including every hop a message has taken across the internet to get from the sender to the destination. You know, the required areas: Stephanie's report, the return path is Stephanie's address. It tells you any replies will go there, not another account. Received from has to be correct. And because it is correct, on C it's a pass, because we see that the IP address is a permitted sender. So all email from biola.edu will be handled by Google, since they provide their email service.

Let's see. Okay, tools. There are a number of tools out there. If you just, you know, do a search for SPF tools or SPF, DKIM, DMARC check, there's a number of free tools, and most of them have a paid option. The one I used for some of my examples was dmarcian, you know, again, not necessarily the best. It's just one that shows you can put your email domain in and it will tell you if your SPF, DKIM, and DMARC are properly configured. And it will also tell you your status on a blacklist. I believe there are about 93 common blacklists.

And one example of this I can recall where it was an issue was when I worked at WSU. We had one of our emails that ended up on a blacklist, and we had federal grant information that was trying to come through in that email. I don't remember if it was Department of Education, but either way, that email was not allowed to come through because we were on a blacklist. So, it's important to at least know your status and make sure that somehow you haven't gotten there.

Okay, whoops. Okay. Oh, that one got put in the wrong spot. That's just an example of SPF records; that should have been up above. So, here, again, I mentioned DMARC. And this is an example: I put in NASA.gov just to see what it said. And, you know, you can expand out and see what the DMARC, the SPF, and the DKIM records are. It'll list the public key for DKIM; you can see it there because that's available in DNS, and whether your SPF and DMARC are configured. But, you know, it's a good starting point: pick one of the tools, take a look, and see what your domain looks like.

So, have any of you folks used some of these tools? Which one did you use? What's that? Okay. Nice. That's good. And do you use the free versions or the paid versions? Yeah, and that's it. I mean if you, okay, so I got two. Or, or, peace out. I guess it's the same. So yeah, they're good tools. I would recommend using them.

Conclusion: review your existing config, use tools, check DNS, add, modify and update as necessary. Review your client settings to make sure that you have security features enabled. You know, if it's a Windows box, use group policy to push out the appropriate settings. Research new email trends; you know, I mentioned email service providers, they have blogs and podcasts; again, they're delivery professionals. It's from a different stance, you know, the marketing side, but the technology is still the same and you can learn a lot. And AI and analytics are also being used heavily by providers to help filter spam. So even if something looks fishy in an email, you know, there might be additional technologies that are blocking it even if you don't have everything configured quite right.

So, that concludes it. Again, WaTech had Cybersecurity Month and there's a copy of this presentation that I provided, on my own laptop when it was working. And there's a recording if you want to look at it. I'm Dan Brown. I am the local cybersecurity advisor for the Spokane area. My email is there. Grab a card on the table in the back. Come talk to me. I'd be happy to help. So thank you.
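Editor's worked example (added here; not part of Dan Brown's talk or slides): the SPF section above describes three ways an SPF record goes wrong, a permissive `+all`, a one-character CIDR typo (`/2` for `/20`), and exceeding the 10 DNS-lookup limit. This Python linter parses a `v=spf1` TXT record into its qualifiers, mechanisms and modifiers and flags all three. The records and domains in it are constructed documentation values; it does not query DNS, so it counts the DNS-querying terms in the record itself rather than following includes.

```python
"""SPF record linter: flags a permissive 'all', an over-wide CIDR and too many
DNS-querying terms.  Added example; does not resolve DNS."""
import ipaddress

# Terms whose evaluation costs a DNS query under RFC 7208 section 4.6.4.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_MODIFIERS = {"redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return ([(qualifier, mechanism, argument), ...], {modifier: value})."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: first term must be v=spf1")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                      # modifiers look like name=value
            name, _, value = term.partition("=")
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                      # an omitted qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, sep, arg = term.partition(":")
        if not sep:                          # forms like "mx" or "a/24"
            name, slash, arg = term.partition("/")
            arg = slash + arg
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms, modifiers


def lint_spf(record, max_ip4_prefix=16, max_ip6_prefix=32):
    """Return a list of human-readable findings; an empty list means clean.

    The prefix thresholds are this example's own choice: anything wider than a
    /16 (IPv4) or /32 (IPv6) is treated as a probable typo."""
    mechanisms, modifiers = parse_spf(record)
    findings = []

    lookups = sum(1 for _, name, _ in mechanisms if name in LOOKUP_MECHANISMS)
    lookups += sum(1 for name in modifiers if name in LOOKUP_MODIFIERS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10")

    # With no 'all' (and no redirect) a non-matching sender gets 'neutral'.
    if "redirect" not in modifiers and not any(n == "all" for _, n, _ in mechanisms):
        findings.append("no 'all' term: senders that match nothing get a neutral result")

    for qualifier, name, arg in mechanisms:
        if name == "all" and qualifier in ("+", "?"):
            findings.append(f"'{qualifier}all' lets any host send as this domain")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"unparseable network in {name}:{arg}")
                continue
            limit = max_ip4_prefix if net.version == 4 else max_ip6_prefix
            if net.prefixlen < limit:
                share = net.num_addresses / 2 ** net.max_prefixlen
                findings.append(
                    f"{name}:{arg} authorizes {net.num_addresses} addresses, "
                    f"{share:.0%} of the IPv{net.version} space")
    return findings


if __name__ == "__main__":
    # Constructed records; 198.51.100.0/24 is a documentation range.
    for rec in ("v=spf1 include:_spf.google.com ip4:198.51.100.0/20 -all",
                "v=spf1 ip4:198.51.100.0/2 +all"):
        print(rec, "->", lint_spf(rec) or "clean")
```

The second constructed record reproduces the talk's `/2` slip: the linter reports 1,073,741,824 addresses, 25% of IPv4, and then the `+all`. Running this against your own published record is a quick first check before the hosted tools mentioned in the talk.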
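Editor's second worked example (added here; not part of Dan Brown's talk or slides): the DKIM and DMARC sections above list the required DKIM-Signature tags (`b`, `bh`, `d`, `s`) and describe how DMARC ties SPF and DKIM together through domain alignment and a `p=`/`sp=` policy. This Python block parses a constructed DKIM-Signature header and a constructed DMARC TXT record, then computes the DMARC verdict for a few message scenarios. The SPF and DKIM results are taken as inputs (a real receiver verifies the `b=` signature against the key at `<s>._domainkey.<d>` first), and the organizational-domain rule is a deliberate simplification, the last two labels, where real receivers consult the Public Suffix List; `pct` sampling is not modelled.

```python
"""DKIM-Signature tag parsing and DMARC alignment/policy evaluation.
Added example; assumes SPF and DKIM results are already known."""

REQUIRED_DKIM_TAGS = {"v", "a", "b", "bh", "d", "h", "s"}   # RFC 6376 section 3.5


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature body or DMARC TXT)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")     # base64 in b= keeps its trailing '='
        if sep:
            tags[name.strip().lower()] = "".join(val.split())   # drop folding whitespace
    return tags


def parse_dkim_signature(header):
    tags = parse_tags(header)
    missing = REQUIRED_DKIM_TAGS - tags.keys()
    if missing:
        raise ValueError(f"DKIM-Signature missing required tags: {sorted(missing)}")
    return tags


def parse_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record (needs v=DMARC1 and a valid p=)")
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to p
    tags.setdefault("adkim", "r")        # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organizational domain.  Simplification (assumption): the last two labels.
    Real receivers use the Public Suffix List so that e.g. example.co.uk works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the RFC5322.From domain, spf_domain the MAIL FROM (return-path)
    domain that SPF was evaluated against, dkim_domain the d= of a verified signature."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:                # one aligned pass is enough
        return "pass", "none"
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    return "fail", policy["sp"] if is_subdomain else policy["p"]


# Constructed sample header and record (example.com/.net are documentation domains;
# the bh= and b= values are placeholder base64, not a real hash or signature).
DKIM_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2023;\n"
            " h=from:to:subject:date; bh=ZmFrZS1ib2R5LWhhc2g=;\n"
            " b=ZmFrZS1zaWduYXR1cmU=")
DMARC_REC = "v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    sig = parse_dkim_signature(DKIM_SIG)
    print("signing domain", sig["d"], "selector", sig["s"])
    # Legitimate mail: bounce subdomain for SPF, aligned DKIM d= tag.
    print(dmarc_verdict(DMARC_REC, "example.com", "pass", "bounce.example.com", "pass", sig["d"]))
    # Spoof: SPF passes for the attacker's own return-path domain, no DKIM.
    print(dmarc_verdict(DMARC_REC, "example.com", "pass", "mailer.example.net", "none", ""))
    # Unauthenticated mail claiming a subdomain hits sp=, not p=.
    print(dmarc_verdict(DMARC_REC, "news.example.com", "fail", "example.com", "fail", ""))
```

The spoof case is the one the talk warns about: SPF passes, but for the attacker's return-path domain, so the From domain is not aligned and the `p=quarantine` disposition applies. Switching the record to `aspf=s` makes even `bounce.example.com` fail alignment, which is why most deployments keep relaxed alignment.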
