
For The Record: SPF, DKIM, and DMARC Records

BSides KC · 2017 · 27:23 · Published 2017-07
Category: Technical · Style: Talk · Mentioned in this talk: Protocols

Transcript [en]

Now that's the one. Okay, I'm going to cover SPF, DKIM, and DMARC records, but first I'll show you what we're going to cover. It starts here: I'm going to tell you why you care about this, what the records are, who needs to use them (hint: it's you and everybody else), what happens, or is already happening, if you don't use these records, how to deploy them, how to check your status, and what this does not fix, which is a short list that's growing as people ask more and more questions. My colleague... don't take that the wrong way. There we go. Okay. Email delivery is critical to business.

If you can't put messages in people's inboxes, that's a problem; this helps fix that, or maintain it. Your domain reputation is becoming more and more important as things move forward. It's not just IP-based reputation for blacklists now; domain names are also attributed to spam scores now, so you need to protect your domain. You cannot get reporting back from servers that are not under your control, so by using DMARC you start getting reports back on emails that are sent on your behalf from a server that's not yours. That's something totally new, and with DMARC you can get that information without having to log into somebody else's server. If you're a consultant, there are billable hours here; it can be a big project if it's a large company. Some of the larger companies have had top teams taking years to complete DMARC; I'll show you why as we go through, there's a lot to cover. Everybody needs to be doing this because it prevents fraud: if you do this for your domain and you get it right, nobody can spoof email as you, and that would be nice. There are few experts out there, so you can become an expert and people will turn to you for advice and consulting. You can be the hero in your organization. And if you are a pen tester or social engineer, you need to know how this works, so you know when you can co-opt someone's domain for email purposes.

My name is Christopher. I'm the director of technology at Challenger Sports, in Lenexa, and I work with a company called [unclear] that does vulnerability assessments out of New York. [Website unclear] is my website; you can find all these slides etc. there for free.

So an SPF record tells the world who can send as you. It's effectively a whitelist: you're saying this IP address and this IP address can send as me and nobody else. DKIM is a digital signature, and it tells whether or not you sent it. And DMARC tells what to do about the answers to SPF and DKIM: does it align? And it gives you metrics back: whoever is receiving mail from you sends you a report at the end of the day and says what's going on. So when you send a message, it leaves your server and hits my server, and my server, before putting it anywhere, does a check. It looks up DNS based on the From header in the email; it looks for: is there an SPF record, and based on this should I accept or reject the message, plus is the DKIM signature valid? And then it asks, based on the DMARC policy, what should I do with this message if it's not aligned with SPF and DKIM? You can apply no action, you can quarantine it, which means the spam folder, or you can reject it outright. So those are your three options; that's it in a nutshell. As long as you understand this we can move forward and you'll be able to follow along.

Sender Policy Framework, SPF: it answers this question: is a given IP address (and all host names resolve to an IP address, so that's basically what you're doing) allowed to send mail for your domain? The answers are yes (pass), no (fail), or

soft fail, meaning maybe, I'm not sure, we'll look at it a little more. Now, this is a DNS lookup. So I look up you.com, your SPF record, and you have an include for _spf.google.com; then my lookup of your SPF record makes me look up Google's SPF record. So you can include other companies' SPF records, and ultimately you get a list of IP addresses that are authorized senders. That's what happens. But if you work with a lot of third parties (MailChimp, SurveyMonkey, there are all these different third parties), you're limited to ten lookups, so you have to find a way to make sure that you don't overload it, or you break SPF. The record is limited in size, so you can't just put a whole bunch of IPs in one long giant string; sometimes you have to break it up into subdomains, spf1.yourdomain, spf2.yourdomain, if you want to do a big long list. It does not survive forwarding: if you receive a message from me and then you forward it on, it comes from your IP address, it does not appear to come from me, and it will fail SPF, which is where DKIM comes in. You get ten lookups, ten jumps from includes, including nested lookups. So if I have an include that has nested includes, they all count towards that; I can have one include that has nine more underneath, and that's all ten. That's where the 512 bytes comes in, because you can have a big long list but it maxes out on the return traffic.

So DKIM survives forwarding if it's done right; all the major providers can forward and preserve DKIM signatures. What it does is it authenticates with a digital signature. It does not prevent message modification, it just identifies message modification, in that it breaks the signature. And it can uniquely validate multiple senders: so your AWS or Amazon SES and your MailChimp and your G Suite or your Office 365 can all independently sign messages, so you can tell where the actual source of that message was. So that's the coverage of those basic things.

DMARC is where we're going to focus our time: Domain-based Message Authentication, Reporting and Conformance. Reporting is the key word here; it's my favorite. This is an action policy for messages that are not aligned with both SPF and DKIM. It's important to note that it is symmetric: if SPF fails and DKIM passes, no DMARC policy is applied, and vice versa; if it fails SPF but passes with a valid signature, no DMARC policy is applied. DMARC is what to do with stuff that fails your tests. It also allows for percent-based application: say, reject 50% of messages that don't align with my policies. And it sends a report back to you at the end of the day. So when Gmail receives an email, or 100,000 emails, on behalf of mydomain.com to its users, and when Outlook 365 and Yahoo all receive mail on behalf of my domain, they send back a report at the end of the day: we got fifty thousand messages from these different IP addresses, these are some of the sources we received on behalf of you.

The adoption rate of DMARC: on this chart blue is bad and dark is good, and it's 42% as of 2015, which is pretty low, and that's global organizations, not mom-and-pop shops, so it's way lower in general than that. And DMARC adoption does not necessarily mean they've got a fully 100% reject-compliant DMARC policy; they just have one. So this number needs to rise, and you guys can help make that happen. The verticals, I'm going to rush through this: social media is the highest vertical because they're prone to spoofing a lot; people just click on those messages like crazy, that's just what happens, so they realize the importance of DMARC. I got something from Twitter a couple weeks

ago. [Music] DMARC is more difficult. Healthcare has really low rankings, really low on the list; really disappointing to me.

Thank you. Yeah, lucky I rebooted this morning, just because. Yeah, we're not out.

We shall see, turn it back up. [Music]

Anyway, you guys can be the heroes and champions of DMARC at your place, even just getting it started. Like I said, you can get DMARC started today with the information that you're going to get here and from my website; there's a worksheet. You can get your SPF record built and your DMARC policy deployed just to start gathering information, not doing anything to it, just get it on there.

There we go.

Okay, key question: should you use DMARC, or all these variants, should you use these things on all of your domains? Keyword: all. Does a one-legged duck swim in circles? Yes. You need to use these records on every single one of your domains, even the ones that don't send. So what happens if you don't use them? No records: it's just an email, it just lands in somebody's inbox, no authentication; there's nothing there that tells them that it is actually an authorized email on behalf of you.com. Spoofing is incredibly easy: all I have to do is stand up [a mail server] on my Windows 10 laptop, and away it goes, right at you, and it looks like you're sending emails to people. So what happens if you have an SPF record: you get a mailed-by. This little snippet is from Gmail; you get mailed-by, so that's a little bit of authentication, it says that it is from a valid IP address. If you have DKIM you get this signed-by line [unclear]. And if you've got DMARC, it's still being adopted through all the major providers; Gmail has this little scheme here. DocuSign is a good example: they have a 100% reject policy; any message that does not align with their SPF or DMARC records or DKIM records is rejected outright, it does not land in somebody's inbox. That's a good thing, that's what we should all be shooting for. And Gmail shows this little key that says it's authenticated.

So how can we start here? You want to protect yourself from people committing damage: SPF. The way you do it is you gather a list of your domains, all your domains including subdomains, that send mail. Just write them down, in an Excel spreadsheet, it doesn't matter. And the senders: so if you use G Suite, but somebody else is on Office 365, or on AWS or Amazon SES, MailChimp, any third party or internal organizational unit that sends mail on behalf of your domain or one of your subdomains needs to be on that list. Now, I can guarantee that unless you're a really small shop, you're going to miss something; you're going to have to go back and review that, so keep that list. You're going to build an SPF record and publish it. You're going to do it again, like I said, so you're going to fix it and republish it. It's a public DNS record, so I can look up your SPF record right now, if you have one at all. Also, if it's a non-sending domain it's very simple, it's a null record: v=spf1 -all. Like I said, this is a whitelist; here's your whitelist, this is who's allowed to send as you: nobody, right? So if you're a non-sending domain, publish that and you're pretty much done.

So what does this look like? You've got the syntax here: v=spf1. The pluses are not necessary, the pluses are assumed, so you're saying include this, allow it, make it pass if it's in here. The only thing you need is a minus or a neutral. So what's this thing saying? Look at my A record, and whatever IP address or addresses are behind that are authorized to send; everything behind my MX records is allowed to send as me; and everything else is a soft fail, which means as it comes through we're going to take a look at it; if it looks spammy we're going to throw it in spam, if it doesn't look spammy we're going to call it okay. So really you should be shooting eventually for the -all, so anything that's not on the explicit list is no longer okay from an authentication standpoint. Now, this will do exactly what you say if you put a -all in before it's time to do so. That's your -all, and here's a message from some department that did not tell you they're using SurveyMonkey to send mail; now none of the surveys are getting delivered because you published a -all before it was time. Use a soft

fail to get started. Once you've gathered some information, then go back and fix or update the record. So a real quick lookup: this is dmarcian.com's SPF survey tool, which is just fantastic, it's a great tool, so I use that. Challenger Sports uses a company called [unclear], a third-party mail host; it has ten DNS query mechanisms in it, so as a third-party service provider they have used all ten of my lookups. That's not cool; that's real rude. So if you're a mail service provider or you host email services, make sure that you're trimming your SPF record down to a very compact form, because it's courteous to people who only have ten lookups. So if I include spf.[that provider].com, all ten of my lookups are used for challengersports.com. That's pretty stuck. Now the tool shows me what include:spf.[that provider].com is made of: they're saying ip4: etc., so they're doing networks, and then they say include another server, and then include:spf.protection... look at that, that's a bunch of nested lookups, and that's used up all of mine. So make sure you're aware how many lookups your third-party service providers are using. One of the ways to get around that, again, is to send on a subdomain: you can say surveys.challengersports.com uses SurveyMonkey, etc., so that stuff that may have a ton of lookups is kept separate. I noticed bsideskc.org has no SPF record, so that means anybody can send as them. securitybsides.com does have an SPF record, so it's allowed; it's got four lookups and it allows 239,000 specific IP addresses. This _spf.google.com expands out to this list of IP addresses.
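As an added example, not from the talk or from dmarcian's tool, here is a small Python checker that does the ten-lookup accounting described above: it follows include: and redirect= into nested records and counts every DNS-querying mechanism, so you can see which third-party include is eating the budget. DNS is replaced by a constructed in-memory table, and all of the domains and records in it are hypothetical.

```python
"""SPF lookup-budget checker (added example; not the talk's or dmarcian's code).
Follows include: and redirect= into nested records the way a receiver does and
counts every DNS-querying mechanism against the 10-lookup limit. DNS is replaced
by a constructed in-memory table so the script runs offline.
"""
import re

# Terms that cost a DNS query (RFC 7208); ip4/ip6/all are free.
DNS_QUERY_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:=](.+))?$")

# Constructed zone data: hypothetical domains -> SPF TXT records.
FAKE_DNS = {
    "example-sports.test": "v=spf1 a mx include:spf.bulkmailer.test include:_spf.gsuite.test ~all",
    # the bloated third-party record from the scenario in the talk
    "spf.bulkmailer.test": "v=spf1 ip4:198.51.100.0/24 include:net1.bulkmailer.test include:net2.bulkmailer.test -all",
    "net1.bulkmailer.test": "v=spf1 a mx include:net3.bulkmailer.test -all",
    "net2.bulkmailer.test": "v=spf1 exists:%{i}.net2.bulkmailer.test mx -all",
    "net3.bulkmailer.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.gsuite.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "parked.test": "v=spf1 -all",  # null record for a non-sending domain
}

def lookup_txt(domain, dns=FAKE_DNS):
    """Stand-in for a DNS TXT query; returns the SPF record or None."""
    return dns.get(domain)

def analyze_spf(domain, dns=FAKE_DNS):
    """Count the lookups `domain`'s SPF record consumes, nested includes included.
    Reports the top-level 'all' qualifier, whether the limit is exceeded, missing
    records, and how many lookups each top-level include charged (itself + nested)."""
    seen = set()
    result = {"domain": domain, "lookups": 0, "all": None,
              "over_limit": False, "per_include": {}, "missing": []}

    def walk(name, depth):
        if name in seen:          # include loop: a receiver would return permerror
            return
        seen.add(name)
        record = lookup_txt(name, dns)
        if record is None:
            result["missing"].append(name)
            return
        for term in record.split()[1:]:   # skip the 'v=spf1' version tag
            m = TERM_RE.match(term)
            if not m:
                continue
            qualifier, mech, arg = m.group(1), m.group(2).lower(), m.group(3)
            if mech == "all":
                if depth == 0:    # only the top-level 'all' decides the verdict
                    result["all"] = (qualifier or "+") + "all"
                continue
            if mech in DNS_QUERY_TERMS:
                result["lookups"] += 1      # each such term costs one query
                if mech in ("include", "redirect"):
                    before = result["lookups"]
                    walk(arg, depth + 1)
                    if depth == 0:
                        result["per_include"][arg] = result["lookups"] - before + 1

    walk(domain, 0)
    result["over_limit"] = result["lookups"] > LOOKUP_LIMIT
    return result

if __name__ == "__main__":
    for d in ("example-sports.test", "parked.test"):
        r = analyze_spf(d)
        print(f"{d}: {r['lookups']}/{LOOKUP_LIMIT} lookups, ends with {r['all']}, "
              f"over limit: {r['over_limit']}, per include: {r['per_include']}")
```

In the constructed data the single third-party include charges 8 of the 10 lookups on its own, so adding one more include pushes the record to 11 and a receiver would return permerror.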

Okay, that's SPF in a nutshell. Next we want to avoid identity crises: use DKIM to sign your messages, that way people know it's you. Again, you're going to reuse that same list of senders from your SPF record; set up your selectors and keys. A selector is an arbitrary thing; it could be 123._domainkey.challengersports.com. It's just a unique identifier for each sender, and then you publish a public key so they can check the digital signature against it. That means I'm going to have a different record for G Suite than I do for AWS. So here's the syntax: your selector, then _domainkey, then your domain, and the values: v=DKIM1, and it's an RSA key, 2048-bit. There's no reason to use 1024 at this point; if you've got 1024s, go fix them, it's not a really hard thing to do.

Okay, so now we're on DMARC. You start with a no-action policy, because you want to see what's out there, what's going on, and when you do this you start getting reporting back. You want to make sure that you use a reporting period that covers your actual business cycles through the year. If you have a dead season and you get on this, hey, I can do DMARC now because I'm not busy, and you publish the DMARC record and start gathering information, and there are only two sources of mail, and then you lock it down, and then your marketing season hits the next month: you've locked it down and your marketing campaigns just got rejected. So make sure you account for your business cycles in your review of DMARC reports. So the syntax for your DNS: _dmarc, values v=DMARC1; p=none, meaning I'm using DMARC, no policy, just send something back to me. You have to define a send-back address like this: rua=mailto: and then whatever address that's going to be. And then you move from no policy to quarantine. Quarantine you can start at 1%, 5%; that's what gets shoved into the spam folder. And you watch the reports: you want to see how many messages are getting shoved into people's spam folders and make sure it's legitimately fraud, make sure they're actually fraudulent messages that are getting put into the spam folder, before you turn it up to 50 percent or turn it to 75. Do it gradually or you will break something. I did: I broke about a 40,000-email marketing campaign because I took somebody's word on one of my domains that doesn't send mail, oh yes, we don't use that, okay, fine. So I turned it up and blocked 3,000 messages. Then you ease into rejecting after you're satisfied with your quarantine, when you quarantine a hundred percent of messages, which means they're going to people's spam folders. Once it's doing that right, you ease into rejecting: you're going to reject one percent, five percent; start low, please, and review for big problems. This is going to be where you contact the marketing team and say, hey look, you said you're only using this service, but I've noticed that you're also using Constant Contact; is that actually you guys, or some rogue sales guy trying to up his sales by doing private marketing campaigns that aren't on the up and up? You'll find that sort of stuff depending on your organization; that's what the reporting is for. You don't necessarily want to break that; maybe you do, maybe you don't like that they're doing it. But you can eventually get it up to a hundred percent reject.

Now let's look at some DMARC records real quick; there's a lot more information on the syntax of this record online, on my website. Version, policy, and reporting address: the only two that are required are these two, the version and the policy. So if it's a non-sending domain, and you know a hundred percent that it's not really a domain you use, like you bought it just to reserve it, publish a null SPF record and a reject record: v=DMARC1; p=reject. That's all you're going to have; everything else is optional and not necessarily needed. So this is what happens to a message when you get a little bit too antsy and you hurry things along. You're going to see an example of a message that should have been delivered successfully but wasn't, because these guys pushed out their policy a little too fast: there goes the message, there goes the policy, and it's not delivered. Here's the policy; they pushed it out way too fast. They should gather more information before they push it out there. Don't be that email administrator; take your time, gather reports, and do it right.

How do you read the reports? They come

back as XML reports, day by day. So Google emails the challengersports.com reporting address at the end of the day: hey, we received 100,000 emails from you; 50,000 were marketing emails from this IP address and this IP address, etc. You can create a free account at dmarcian (they call themselves dmarcian, dmarcian.com); there's also Agari and Return Path; there are multiple providers for the service. [Music] I'll have to hurry through the quiz here; the slides are live and you can test yourself. DMARC, this is the bottom line: DMARC is concerned with alignment. So if something does not explicitly pass your SPF, it is not aligned; even if it soft fails, that's not a pass. That means it does not pass SPF for the purpose of DMARC policy application, and sometimes that doesn't happen, depending on the detail. So how can you get there? Follow me.

This is in the last month; this is a real dashboard, a chart from dmarcian.com: five hundred-some million messages, this is my total email volume across 40 domains; 5.6 million messages are fraudulent and they're being blocked. So I'm blocking 99.999% of all fraudulent email, because I'm still working on stuff. So legit volume is the green section of the chart, and the grey is because there are forwarders that are forwarding either legit mail or illegitimate mail, and that's something I've got to work out a little bit. But only like less than a quarter of all the email that claims to come from my domain is actually legit; the rest is not, and it's being blocked because I'm using DMARC. Here's another; this is an older one, a seven-day chart from early March. We've got the daily volume, just for one of my domains: 50,000 one day, 83,000 the next day; these are fraudulent messages that are not landing in people's inboxes anymore.

So what kind of stuff was blocked now that I'm using DMARC? This is a LinkedIn message, all the links pointed... now this is a real story. I went into my dmarcian dashboard and looked at the source IP, and I looked at the pointer lookups of those IP addresses, rather than what [unclear] Industries had. This email was being sent from some other compromised web server; somebody's server had been compromised and was sending emails as my company. The links in the email, and I get this back from the forensic reports: it's a LinkedIn message, but all these links point to [unclear], a construction company in Florida, /wp-content/[unclear].php, which is a redirect to a [unclear] healthcare site in Russia, some .ru website. So Viagra, as well as [unclear]; that's not landing in people's inboxes anymore. Now, when I went to [that company's site] just to check the site out, it's all linked together, so I called, I talked to the owner, I said, hey, did you know that your domain is being used fraudulently, it's hosting malicious links? He said no; it hadn't been updated in a year, and he's working on getting that fixed right now. So that was like two weeks ago that I talked to the guy, but I'm helping other people out too. I also saw that fresno.gov, the city of Fresno in California, was sending four thousand messages in the last couple of weeks on behalf of my domain; they set up a mail campaign wrong. I talked to the coordinator, the athletics coordinator in the city of Fresno, and I helped her fix it, so now my legit messages are landing in people's inboxes instead of not. How are we on time? Rushing right through, yeah. So some of the links on that page point to [unclear]... more emails that are not being delivered on behalf of my company. So you can check your stats at dmarcian.com; you get a free account there, no problem, per domain. I think I actually want to do my live demo real quick because it's more impactful than a thumbs-up. bsideskc.org has no SPF record and no DMARC record, so what can you do with that?

Send whatever the crap I want. Let's go check my Gmail... oh, lovely, Chrome crashed. Here we go: from bsideskc. [reads the spoofed demo message aloud] Oh, a random web page. People can do this on behalf of your domain right now if you don't have this set up right, so go set it up, go fix it. I can do this all day, and people are doing this all day to me; now that gets rejected, but they were doing it for I don't know how long. [unclear], no longer happening. Go fix it.

Let's wrap it up real quick. To review: you have to identify your senders and all your domains, build a list, find their SPF records, create DKIM signatures if you can (some of them you don't have to), and then build your DMARC record and start gathering information; let's just do that. There we go. Monitor and adjust both your SPF and DKIM and DMARC records and you'll be on your way to protection. This does not protect against idiots and it does not protect against phished email accounts: if I can use one of your users' accounts, it's going to come across as digitally signed messages, [unclear]. It does not stop a phished account from sending mail on behalf of you, because that's totally legit. It does not stop look-alike domains; it does not stop other domains that look legitimate. This is to protect your domain only, and this is kind of why we need everybody to do it. It also does not stop spammers from standing up their own domains and signing messages; they can send authenticated spam. That's where user training comes in. Yeah. I've included a ton of resources to click and follow; you can kind of follow my learning path with those. I don't have time for questions; contact me about this, I would like feedback. If you have any questions you're welcome to follow up with me; I'll be at the [unclear]. Whoo.

It's really important stuff, DMARC records, email. Think about how much business we actually do on a day-to-day basis through our email; how much is security?
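As an added example, not from the talk or any vendor mentioned in it, here is a Python summary of a DMARC aggregate (RUA) report of the kind the speaker describes reading: it walks the XML per source IP, applies the symmetric pass rule (one aligned SPF or DKIM pass is enough) and shows that an SPF softfail is still a DMARC failure. The report is a constructed sample in the RFC 7489 aggregate layout; its IPs, domains, selector and counts are made up.

```python
"""Summarize a DMARC aggregate (RUA) report per source IP.
Added example, not from the talk. SAMPLE_REPORT is a constructed report in the
RFC 7489 aggregate layout; every IP, domain, selector and count in it is made up.
"""
import xml.etree.ElementTree as ET  # for reports from strangers, parse with defusedxml

# Constructed report: one authorized sender, one forwarder, one spoofer.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.test</org_name><report_id>constructed-1</report_id>
  <date_range><begin>1498867200</begin><end>1498953600</end></date_range></report_metadata>
 <policy_published><domain>example-sports.test</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>50000</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example-sports.test</header_from></identifiers>
  <auth_results><dkim><domain>example-sports.test</domain><result>pass</result><selector>gsuite</selector></dkim>
   <spf><domain>example-sports.test</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example-sports.test</header_from></identifiers>
  <auth_results><dkim><domain>example-sports.test</domain><result>pass</result><selector>gsuite</selector></dkim>
   <spf><domain>forwarder.test</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>83000</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example-sports.test</header_from></identifiers>
  <auth_results><spf><domain>example-sports.test</domain><result>softfail</result></spf></auth_results>
 </record>
</feedback>
"""

def dmarc_pass(dkim_aligned, spf_aligned):
    """DMARC is symmetric: one aligned pass (SPF or DKIM) is enough."""
    return dkim_aligned == "pass" or spf_aligned == "pass"

def summarize(report_xml):
    """Aggregate one RUA report: totals plus a per-source verdict and kind."""
    root = ET.fromstring(report_xml)
    pub = root.find("policy_published")
    summary = {"domain": pub.findtext("domain"), "policy": pub.findtext("p"),
               "total": 0, "passing": 0, "sources": []}
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")          # aligned results, as DMARC saw them
        count = int(row.findtext("count"))
        dkim_aligned, spf_aligned = pe.findtext("dkim"), pe.findtext("spf")
        raw_spf = rec.findtext("auth_results/spf/result") or "none"
        ok = dmarc_pass(dkim_aligned, spf_aligned)
        # A forwarder usually keeps the DKIM signature but breaks SPF; a spoofer
        # fails both, and a raw SPF softfail is still a DMARC fail, not a pass.
        if ok and spf_aligned == "pass":
            kind = "spf-aligned"
        elif ok:
            kind = "dkim-only"
        else:
            kind = "unauthenticated"
        summary["total"] += count
        summary["passing"] += count if ok else 0
        summary["sources"].append({
            "ip": row.findtext("source_ip"), "count": count,
            "disposition": pe.findtext("disposition"), "spf_raw": raw_spf,
            "dkim_aligned": dkim_aligned, "spf_aligned": spf_aligned,
            "dmarc_pass": ok, "kind": kind})
    return summary

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['passing']}/{s['total']} messages passed DMARC")
    for src in s["sources"]:
        print(f"  {src['ip']:<14} {src['count']:>6}  spf={src['spf_raw']:<8} {src['kind']}")
```

The unauthenticated source is the one a p=quarantine rollout at a low pct would start catching; the dkim-only source is what the speaker's grey "forwarders" segment looks like in the raw data.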