DKIM, SPF and DMARC DNS Records


Alan Jenks
Jul 17, 2022, 12:02:42 AM
to techies-f...@googlegroups.com
On the last day of term 2, about twenty teachers at Timaru Girls High School (TGHS) received an email claiming to be from our Principal. It wasn’t! 

Luckily most people recognised it as a spoof and marked it as spam. I was able to use the Gsuite Investigation Tool to delete the email and blacklist the sender. 

This incident has spurred me to spend the last week “hardening” our email against future spoofing attempts by adding DKIM, SPF and DMARC TXT records to our DNS. This thread has some lessons learned from that process and I hope, will encourage others to do the same.

DKIM - (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain.

SPF - A (Sender Policy Framework) record identifies the mail servers and domains that are allowed to send email on behalf of your domain. Receiving servers check your SPF record to verify that incoming messages that appear to be “From” your organisation are sent from servers allowed by you.

DMARC - A (Domain-based Message Authentication, Reporting, and Conformance) record stipulates how your DKIM & SPF records should be applied (relaxed/strict), what action should be taken in the event that both tests fail (none/quarantine/reject) and where to report testing results. Analysis of the reports is crucial (and eye-opening!) as it allows you to tailor your SPF record to find and include all your genuine email sources.

DKIM
Adding a DKIM record to your domain is easy with Gmail. Simply go to https://admin.google.com/ac/apps/gmail/authenticateemail, generate the key for your domain and add it to your DNS record. Done!

If you don’t generate your own key, then Gmail adds a generic DKIM signature to every email it sends. This can be problematic because emails with your domain in the “From” address will pass the DKIM test even if they don’t come from your domain, if you also have Google email servers listed in your SPF record.


SPF
The content of the SPF record is tailored by the analysis of the DMARC reports - more on that later. Here is my (TGHS) SPF record…

"v=spf1 include:_spf.google.com include:_spf.n4l.co.nz ip4:208.91.114.151 -all"

There is a limit of 10 DNS lookups from within an SPF record. A DNS lookup is triggered by the “include:” statement, and they can be nested. Although my SPF record only contains two “includes”, it consumes 8/10 “includes” in total because both “_spf.google.com” and “_spf.n4l.co.nz” have three “includes” each.

By looking at the content of the SPF record for each of the mail servers that you use, you can decide whether to flatten the SPF record (eliminate “includes”) by specifying the ip4 or ip6 address directly. That is what I did with my last entry “ip4:208.91.114.151”, which could have been written “include:notification.fortinet.net”.

If you use Kamar’s school.kiwi email service you don’t need to add them to your SPF record because they are sending from your “xyz.school.kiwi” domain, not “xyz.school.nz”.

DMARC
Here is my DMARC record…

"v=DMARC1; p=quarantine; rua=mailto:dm...@timarugirls.school.nz; ruf=mailto:dmarc_...@timarugirls.school.nz; pct=100; adkim=s; aspf=s; ri=21600;"

At the moment I have it set to 100% quarantine (p=quarantine; pct=100;). When I am confident that I have identified all the genuine sources (email servers) for my domain, I will change this to "p=reject".

The DMARC record only allows two "mailto:" entries for each of the "rua" (aggregate reports) and "ruf" (message-specific reports) tags, so I set up two group emails in Gsuite to receive the DMARC reports. Each group forwards any emails received to a MS Teams channel, so that I have visibility into the reports that I am getting. They also forward to one of many DMARC analysis services that are available. These sites aggregate reports over time and present the information in a user-friendly way. In this way I can test different analysis sites in parallel, although I have found that some sites refuse to work unless they actually see their address in your DMARC record!

My favourite DMARC analysis site so far is https://app.glockapps.com/

So far I haven’t received any forensic (“ruf") reports for some reason.

Being a holiday, email is quiet at the moment, but here is an example of compliance failures over the last week. 
This is how I spotted that “notification.fortinet.net” needed to be in my SPF record. It is used to send the login token for the Fortinet VPN.



Alan Jenks
IT Administrator
Timaru Girls High School
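Alan's count of 8/10 lookups, and his flattening of an include into an ip4 term, can both be reproduced mechanically. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It runs offline against a constructed in-memory table of SPF records: the top-level entry is the record Alan posted, while the contents of the included domains (the _netblocks and relay entries, and every IP range in them) are invented so that each of the two includes carries three further includes, as he describes. Replace lookup_spf() with a real TXT query to use it on a live domain.

```python
"""Count the DNS lookups an SPF record costs and flatten its includes.

Added example, not from the thread. Runs offline against a constructed table
of SPF records; swap lookup_spf() for a real TXT query to use it on live DNS.
"""

# Constructed stand-in for DNS TXT lookups. The first entry is the record Alan
# posted; every other entry is invented for the demo, shaped so that each of
# the two includes holds three further includes (2 + 3 + 3 = 8 lookups).
FAKE_DNS = {
    "timarugirls.school.nz":
        "v=spf1 include:_spf.google.com include:_spf.n4l.co.nz "
        "ip4:208.91.114.151 -all",
    "_spf.google.com":
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.n4l.co.nz":
        "v=spf1 include:relay1.example.invalid include:relay2.example.invalid "
        "include:relay3.example.invalid -all",
    "relay1.example.invalid": "v=spf1 ip4:203.0.113.0/25 -all",
    "relay2.example.invalid": "v=spf1 ip4:203.0.113.128/25 -all",
    "relay3.example.invalid": "v=spf1 ip6:2001:db8:2::/48 -all",
}

MAX_LOOKUPS = 10
# Terms that cost a DNS query (RFC 7208 section 4.6.4); ip4/ip6/all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the SPF TXT record for a domain from the constructed table."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    return record


def parse_terms(record):
    """Split a record into (qualifier, name, value) tuples, skipping v=spf1."""
    terms = []
    for token in record.split()[1:]:
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        if "=" in token:            # modifier, e.g. redirect=example.com
            name, value = token.split("=", 1)
        elif ":" in token:          # mechanism with an argument
            name, value = token.split(":", 1)
        else:                       # bare mechanism: all, a, mx
            name, value = token, ""
        terms.append((qualifier, name.lower(), value))
    return terms


def count_lookups(record, dns=FAKE_DNS, _path=()):
    """Total DNS lookups the record costs, following include/redirect."""
    total = 0
    for _q, name, value in parse_terms(record):
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            if value in _path:
                raise ValueError(f"include loop via {value}")
            total += count_lookups(lookup_spf(value, dns), dns, _path + (value,))
    return total


def within_limit(record, dns=FAKE_DNS):
    return count_lookups(record, dns) <= MAX_LOOKUPS


def flatten(domain, dns=FAKE_DNS):
    """Rewrite the domain's record with each include replaced by the ip4/ip6
    terms it resolves to. Only the top-level 'all' is kept (an included
    record's 'all' never matches); redirect= is counted but not expanded."""
    terms, final_all = [], "-all"

    def walk(dom, path, top):
        nonlocal final_all
        for q, name, value in parse_terms(lookup_spf(dom, dns)):
            prefix = "" if q == "+" else q
            if name == "include":
                if value in path:
                    raise ValueError(f"include loop via {value}")
                walk(value, path + (value,), False)
            elif name in ("ip4", "ip6"):
                if f"{prefix}{name}:{value}" not in terms:
                    terms.append(f"{prefix}{name}:{value}")
            elif name == "all":
                if top:
                    final_all = q + "all"
            elif name in ("a", "mx") and not value:
                terms.append(f"{prefix}{name}:{dom}")  # bare a/mx mean the included domain
            else:
                terms.append(f"{prefix}{name}:{value}" if value else f"{prefix}{name}")

    walk(domain, (domain,), True)
    return "v=spf1 " + " ".join(terms + [final_all])


def report(domain, dns=FAKE_DNS):
    """Summary a practitioner would check before publishing a record."""
    record, flat = lookup_spf(domain, dns), flatten(domain, dns)
    return {"lookups": count_lookups(record, dns),
            "within_limit": within_limit(record, dns),
            "flattened": flat, "flattened_lookups": count_lookups(flat, dns)}


if __name__ == "__main__":
    for key, val in report("timarugirls.school.nz").items():
        print(f"{key}: {val}")
```

Flattening trades the lookup budget for maintenance: once the include is gone, nothing tells you when the provider changes its ranges, which is the point Alan makes later in the thread, so a flattened record needs to be re-generated and diffed against the published one on a schedule.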



Jono Green
Jul 17, 2022, 6:42:52 PM
to techies-f...@googlegroups.com

Cheers Alan,

A pretty good breakdown of the approach. I’d recommend having a look at Dmarcly as they have a comprehensive guide on this from a Microsoft perspective (but it translates easily enough across to Google as well): How to Set Up DMARC, DKIM, and SPF in Office 365 (O365) Exchange Server: the Complete Implementation Guide - DMARCLY.

They also have some tools to check your SPF (so you can see when a DNS record includes additional lookups that push you over the limit of 10), DKIM and DMARC records: Free SPF/DKIM/DMARC analyzer tools for DMARC setup - DMARCLY.

I regularly use their free tools to check records while setting this up, as it becomes very important once DMARC is in the equation (and they very recently pointed out a stubborn DKIM Selector2 record that just wasn’t being added to DNS despite the portal swearing it was there).

Cheers,
Jono

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/techies-for-schools/F88BAFF9-DC91-408F-A48C-80678C0D80FD%40timarugirls.school.nz.

 

Alistair Baird
Jul 17, 2022, 7:42:23 PM
to techies-f...@googlegroups.com
I use mxtoolbox.com to check setup. 



--

Kind regards,
Alistair Baird
IT Manager


P  06 354 4198
stpeterspn.school.nz

  @stpeterspn

1 Holdsworth Avenue, Milson
Palmerston North, 4414


Matt Strickland
Jul 17, 2022, 8:18:54 PM
to Techies for schools
Hi Alan,

I will also need to add notification.fortinet.net as I can see failed SPF for Forti VPN token notifications.
What's best here? I see the SPF record for notification.fortinet.net is a /22 - ip4:208.91.112.0/22
Will that A record change at some point?

Will there be the option eventually for us to self configure authenticator apps via Fortigate or are N4L's hands tied here?

For DMARC reports I'm using Valimail for work, Dmarcian personally.
Usually MX toolbox for checking

Matt

Alistair Baird
Jul 17, 2022, 8:30:56 PM
to techies-f...@googlegroups.com
Things that may catch you out are photocopiers used for scanning and ordering supplies if done via email. I have an onsite mail relay that also relays kamar emails, server backup notifications, server health messages and anti-virus alerts from our local AV server. This is set as an authorised mail server in SPF and has been configured to send DKIM signature, that way making it easy to have everything channelled through the one server.

It won't stop email spoofing from other Gmail accounts, we get quite a few, so I just manually blacklist those email addresses as they've typically been set up by a human that knows your email addresses.

I also configure email groups to only allow posting from within the domain, that way you limit spammers trying to hit groups like allstaff@ etc.


aje...@timarugirls.school.nz
Jul 18, 2022, 2:15:59 AM
to Techies for schools
Matt,

The IP address could change in the future, but in reality, I doubt that these mail server addresses change very often. Once you flatten an "include:_spf" statement it's up to you to monitor whether it does, or you can pay someone else to do it for you.

I tried Valimail for report analysis but didn't like it as much as https://app.glockapps.com/

I like the look of MX toolbox - very comprehensive!

Alan

aje...@timarugirls.school.nz
Jul 18, 2022, 1:14:27 PM
to Techies for schools
Here are instructions on how to set up DKIM for a lot of different email providers.

Alan

aje...@timarugirls.school.nz
Jul 25, 2022, 2:44:44 PM
to Techies for schools
My DMARC results after the first day of term, and the list of unknown sources has skyrocketed! The system appears to be working well.
Test your knowledge of the flags of the world...

Alan
(attachment: 26Jul22.PNG)

Jono Green
Jul 25, 2022, 5:36:50 PM
to techies-f...@googlegroups.com

Thanks for sharing! I was testing my knowledge of TLD Country domains instead 😊

 


aje...@timarugirls.school.nz
Jul 25, 2022, 11:55:54 PM
to Techies for schools
Overnight we went from 4 unknown hosts to 36 unknown. All because the students are back at school after the break. It was quite a surprise!

Hopefully the spam filters will use the quarantine flag in my DMARC record to black-list these senders as time goes on.

Alan 

Yvette Ireton
Mar 31, 2023, 4:34:38 PM
to techies-f...@googlegroups.com
When we go to https://toolbox.googleapps.com/apps/checkmx/ it shows that we have critical problems even though we have completed the setup a long time ago and our messages to other addresses look like they are correctly signed.

We decided to test some other school domains and get the same results - are we doing something wrong?

(attachment: gbh.JPG)


Thanks
Yvette




--
Network Manager
Te Kura Tuarua o Mōhua / Golden Bay High School 
12 Waitapu Road, Takaka 7110
Ph:  03 525 9914
http://www.gbh.school.nz

I am in school on Monday, Tuesday and Thursday

Alan Jenks
Mar 31, 2023, 7:38:30 PM
to techies-f...@googlegroups.com
I get the same results and also have DKIM, SPF and DMARC setup. I would try a different tool.

Alan



(attachment: Screenshot_20230401-095028.png)

Steve Smith
Apr 2, 2023, 9:08:44 PM
to Techies for schools
Kia ora Yvette and Alan (and all),
If you go to your admin console and then Security health, you can see the specifics of your settings to double-check.
If that shows problems, then go to the authentication page at
https://admin.google.com/u/2/ac/apps/gmail/authenticateemail and those places should show you what you have set.
We also created a webinar on this in partnership with the MoE cyber security team at 
Nga Mihi
Steve

Blake Richardson
Apr 3, 2023, 4:40:31 PM
to Techies for schools
I have found setup most of the time is usually straightforward; however, if you use email services such as SMTP2Go or School.kiwi then getting DMARC to work reliably can be a problem.

It's probably one of the things that's best to do during the holidays, and do a lot of testing, because if it's not set up correctly you will find a lot of emails getting caught in spam filtering or being rejected.

Alistair Baird
Apr 4, 2023, 4:42:08 PM
to techies-f...@googlegroups.com
Looking at your DMARC, you need a separator between your email addresses or you are publishing an incorrect one.
v=DMARC1; p=quarantine; rua=mailto:bl...@gbh.school.nzmailto:yve...@gbh.school.nz; pct=100; adkim=r; aspf=s
If you use mxtoolbox.com, it will also show you all your other records too.
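The missing separator Alistair spotted is the kind of mistake a small parser catches before the record is published. The following Python is an added example, not code from the thread or from mxtoolbox or any other tool named in it. It splits a DMARC TXT record into tags, validates the values used throughout this thread (p, pct, adkim, aspf, ri) and flags a rua/ruf value in which two mailto: URIs run together without a comma, which publishes one malformed address instead of two. The two sample records are constructed with example.invalid addresses: the first mirrors the shape of Alan's record, the second the shape of the broken one quoted above.

```python
"""Parse and sanity-check a DMARC TXT record.

Added example, not from the thread. The sample records below are constructed
(example.invalid addresses) and only mirror the shape of the ones posted.
"""
import re

POLICIES = {"none", "quarantine", "reject"}
# One report address: mailto: followed by a single user@host with no comma/space.
MAILTO = re.compile(r"^mailto:[^@\s,]+@[^@\s,]+$")


def split_tags(record):
    """'v=DMARC1; p=reject; ...' -> ordered list of (tag, value) pairs."""
    pairs = []
    for chunk in record.strip().strip('"“”').split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue                      # tolerate a trailing ';'
        if "=" not in chunk:
            raise ValueError(f"tag without '=': {chunk!r}")
        tag, value = chunk.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def check_report_uris(tag, value, problems):
    """rua/ruf carry a comma-separated list of mailto: URIs."""
    for uri in value.split(","):
        uri = uri.strip()
        if uri.count("mailto:") > 1:
            problems.append(f"{tag}: missing ',' between report addresses in {uri!r}")
        elif not MAILTO.match(uri):
            problems.append(f"{tag}: {uri!r} is not a valid mailto: URI")


def parse_dmarc(record):
    """Return (tags, problems): the parsed tag values and a list of findings,
    empty when the record is sane enough to publish."""
    problems = []
    pairs = split_tags(record)
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= policy")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag] not in POLICIES:
            problems.append(f"{tag}={tags[tag]} is not none/quarantine/reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            problems.append(f"{tag}={tags[tag]} must be r (relaxed) or s (strict)")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append(f"pct={tags['pct']} must be an integer 0..100")
    if "ri" in tags and not tags["ri"].isdigit():
        problems.append(f"ri={tags['ri']} must be a number of seconds")
    for tag in ("rua", "ruf"):
        if tag in tags:
            check_report_uris(tag, tags[tag], problems)
    if "rua" not in tags:
        problems.append("no rua= address: you will receive no aggregate reports")
    return tags, problems


# Constructed records (example.invalid addresses), shaped like the ones in
# the thread: a sane quarantine record, and one with the comma left out.
GOOD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid; "
        "ruf=mailto:dmarc_failed@example.invalid; pct=100; adkim=s; aspf=s; ri=21600;")
BROKEN = ("v=DMARC1; p=quarantine; "
          "rua=mailto:one@example.invalidmailto:two@example.invalid; "
          "pct=100; adkim=r; aspf=s")

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("broken", BROKEN)):
        _tags, found = parse_dmarc(rec)
        print(label, "->", found or "no problems")
```

Run it against the exact TXT value you are about to paste into DNS rather than the one in your notes; the quoting and punctuation that a DNS control panel adds or strips is where the damage usually happens, as the Selector2 record Jono mentions earlier in the thread shows.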

