Email DNS Master Course | SPF + DKIM + DMARC Explained

Captions
Welcome back. In this tutorial we're going to cover SPF, DKIM and DMARC records. If you own a domain, it's very important that you have these records set up to prevent email spoofing and fraud. If you don't have these records set up, then you will basically allow anyone to send emails impersonating your domain identity, and this could get your domain blacklisted. It's important that for every domain you purchase you set up your SPF, DKIM and DMARC records, even if you're not planning on sending any emails. Then I will show you how you can obtain both your free aggregate and forensic reports, so you could monitor emails sent from your domain. These reports can give you insights and records of emails that were sent out on your domain's behalf. This is a DNS course, so you should be comfortable adding DNS records to your domain, such as TXT records. Before we get started, don't forget to subscribe to our channel to stay up to date with our latest training videos.

Email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or an entity that they either know or trust. If you don't have SPF, DKIM and DMARC records set up, spammers can easily send emails impersonating your domain identity. Email spoofing works by exploiting human trust, where the attacker can ask the recipient for sensitive information or to take some course of action that could result in fraud using your domain identity. Regardless of the goal or type of action the spammer aims for, most of the time spam emails are easily detected by the mail vendors such as Gmail or Microsoft, and if such emails got sent out, this could get your domain blacklisted. If your domain got blacklisted, it's basically game over, as it would be nearly impossible to reverse that process. Any email sent out from a blacklisted domain will automatically be marked as spam, and in many cases it would even be blocked by mail service providers. It's also worth mentioning that more than 90 percent of cyber attacks start with an email message, and there are more than 3.1 billion domain-spoofed emails sent out per day. To protect against all that, you will have to set up your SPF, DKIM and DMARC records. It's very easy to do, and literally it should take you a few minutes to set it up once you fully understand how it works.

SPF stands for Sender Policy Framework. It's basically a TXT record that you add to your domain's DNS. It's used by all mail providers, such as Gmail and Outlook, so that they can detect and block email spoofing and unauthorized mail sent on your domain's behalf. Your SPF record allows you to specify one or more IP addresses or domain names that are allowed to send mail on your domain's behalf. Your SPF record should list exactly all the servers that are authorized to send mail on your domain's behalf, and should tell the mail service providers how to handle an email that is not authorized. For example, if you are using Outlook as your email provider, then your SPF record would look something like this. The first part, v=spf1, specifies the SPF version. The current SPF version is 1. This is required for all SPF records, so this part should always be added. The second part, include: followed by the URL for Outlook, consists of two parts: the include: is called the mechanism, and the second part, spf.protection.outlook, is called the directive. The last part also consists of two parts, known as the qualifier and the directive. Putting this all together, your SPF record should always look something like this. We will cover each part in detail, but to give you an idea, this record is basically saying that the URL spf.protection.outlook is a third-party email vendor and we authorize that vendor to send emails on our domain's behalf. The include part basically copies the SPF record stored inside that URL. The last part is saying that all other emails not included in our list should fail, which means that the email service provider will report the email as spam.

So far we know that your SPF record should always look something like this. Your SPF record is read right to left: if an email got sent out in your domain's name, you would list all the authorized server IPs that can send emails on your behalf; otherwise the last part tells the email service providers how to handle emails that are not authorized, based on the qualifier you use. There are four different types of qualifiers. The first one is the plus sign. This is the default qualifier; it's used if you don't specify any other qualifier. This qualifier means that the email service provider should always accept the incoming email. I don't recommend you use this option, because you don't want any unauthorized email using your domain name to be accepted. The second qualifier is the dash sign. Now, I always recommend you use this qualifier. This qualifier will tell the email service provider to always fail the email when it is not a part of your authorized list. The third qualifier is a tilde. This qualifier tells the email service provider to accept the email but mark it as suspicious, so basically throw it in the junk folder. The last qualifier means neither pass nor fail; this qualifier tells the email service provider that your SPF record says nothing about passing or failing. I always recommend you use the dash qualifier to make sure all unauthorized emails are not accepted.

Now, the last part in your SPF record is a combination of mechanisms and directives. This is where you can list as many IP addresses or domain names as you want to authorize. When an email is sent out on your domain's behalf, the email service provider receiving your email will check if the email is authorized by looking in this list. There are five different mechanisms, or let's say five different ways you can authorize servers. You can authorize mail servers by domain name using the letter a for the mechanism: if you want to authorize a domain to send email on your domain's behalf, you would write a, then a colon, then the URL name. The second way you can authorize servers is by another domain's MX record. To do that, you write mx, then a colon, then the domain name where the MX record is stored. The third way to authorize is by IPv4 address or IPv4 range. This mechanism is straightforward: you just write ip4, a colon, then the IPv4 address or the IPv4 range that you want to authorize. The fourth way is to authorize servers by IPv6 address or a range of IPv6 addresses. Similar to IPv4, you write ip6, a colon, then the IPv6 address or the range of IPv6 addresses. The last mechanism you can use is include, and this is what you will use when you want to authorize third-party email senders, for example Outlook or Gmail.

Once you create your SPF record, you basically add it to your DNS by creating a TXT record under your domain name. Now, once you do that, you want to actually validate that your SPF record is working, so you could use the MxToolbox validator. For example, let's type "spf validator" and search that on Google, and you should see MxToolbox; this is a very common validator. You would simply write your domain name, then click on SPF Record Lookup, and you can see that this is my SPF record and it's all in the green.

Unless you're hosting your own mail server, you probably don't need to worry about setting up DKIM records, as they would be set by your mail vendor, such as Google or Microsoft or whatever you're using. If you guys are running your own mail server and would like me to create a tutorial on how you could create DKIM records, post a comment, and if I see more than one person is interested I'll make a video on that. Otherwise, I will briefly explain how DKIM works and what it is. DKIM is a lock-and-key authentication process used to make sure that messages are not altered in transit between the sending mail server and the receiving mail server. The DKIM authentication process is very simple. The first step: you create a public and a private key, using either the RSA-SHA1 or the RSA-SHA256 signature algorithm. You add the public key to your DNS record, and you store the private key either on your own server or with the email service provider. For every email sent, the sending mail server adds to the email header a DKIM signature that's generated using the private key. The receiving email server extracts the DKIM signature from the header and validates the message using the public key stored inside your DNS. If the DKIM signature is valid, then the email is sent to your recipient; otherwise the email will go to spam or junk. Unless you're running your own mail server, you don't need to do anything; DKIM is all done by the email service provider.

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC was first published in 2012. It's a protocol built by Google, Microsoft, Yahoo and PayPal to prevent email abuse. It is supported by all major mail service providers, if not all. DMARC is used to determine the authenticity of an email message. It lets you control who can send email using your domain, and allows you to set various instructions for the receiving email server. To get started with DMARC, you must have both your SPF and DKIM records set up for your domain. Once you have both your SPF and DKIM records set up, then you can add a DMARC record to your DNS. It's basically a TXT record. It includes instructions for the receiving email server on how to handle mail sent under your domain that does not align with your policies. You can also instruct the receiving email server to send you both an aggregate report and a forensic report.

Your DMARC aggregate report contains information about the authentication status of messages sent on your domain's behalf. Aggregate reports are free reports that are sent to you, and they contain information such as the source that sent your emails, the domain name that was used to send messages, the sending IP addresses, the number of messages sent on a specific date, the DKIM/SPF authentication result, and finally your DMARC results. DMARC forensic reports are generated when the SPF or DKIM do not align with your DMARC. Forensic reports are free reports that are sent to you only when an email that is sent by your domain fails DMARC authentication. They contain information such as the email To field, the email From field, the IP address of the sender, the email Subject field, the authentication result, the message ID, URLs, the delivery result and the ISP information.

You create a DMARC record by creating a TXT record for your domain named _dmarc. For example, this is what the value of a DMARC TXT record could look like. The syntax of a DMARC record is basically a combination of tags separated by semicolons. At the bare minimum, your DMARC record should look something like this. The v tag specifies the DMARC protocol version. There is only one DMARC version available, which is DMARC1. This is a required field, so you should always have it included in your DMARC record. The p tag allows you to specify how you want mail service providers to handle emails that are sent using your domain identity but are not aligned with your policy. You have three options: do nothing, or you can quarantine or reject the email. I highly recommend you set it to reject the email, to prevent anyone from sending emails using your domain name. Both the v and the p tag are required.

Now we will cover all the other optional tags. The sp tag is an optional tag similar to the p tag; it allows you to specify your policy, but for subdomains of your domain name. If you don't include this, then the value inside your p tag will be used. The pct tag is an optional tag. It allows you to specify the percentage of email messages to which your stated DMARC policy applies. The values can be anywhere from 1 to 100 percent. I always recommend you set this field to 100 percent; this tells the email receiver to reject 100% of emails that fail DMARC authentication. The rua tag is also an optional tag. It allows you to specify an email address or addresses to receive the DMARC aggregate feedback reports. I cannot emphasize enough how important it is to have this field set up: even if your domain does not send emails, you should always set this record, so you could get insights into domain spoofing or phishing attacks that impersonate your domain. You can specify multiple emails by separating them with a comma. I always recommend you have this tag set. The value of the rua tag can be any valid email address. The ruf tag is also an optional tag. It's like the rua tag, but allows you to specify an email address or addresses so you could receive your DMARC forensic reports too. I always recommend you have this tag set as well, even if your domain is not sending emails. The forensic reports are sent to you when someone attempts to send an email impersonating your domain and it fails your DMARC and DKIM authentication; this tag instructs the email service providers to send you a copy of the email that was sent.

The fo tag is also an optional tag. It allows you to tell email service providers that you want email samples if the email failed. You have four options. The 0 value generates the report if all authentication mechanisms fail; this means both your SPF and your DKIM policy fail. You also can set it to 1, which generates reports if any of your authentication mechanisms fail, SPF or DKIM. So 0 is only if both of them fail, and 1 if either of them fails. The third option is the d value, which basically generates reports only if your DMARC failed. Then you have the s value, which generates reports if your SPF fails. You can specify multiple values by separating them with a colon. I personally recommend you set the fo tag to 1, so you can receive a copy of any email sent on your behalf that fails either SPF or DMARC authentication.

The aspf tag is an optional tag. You can use this to specify if you want to set your SPF policy to strict or relaxed. By default, if you don't include this option, it's always strict, which is your best option. Remember, guys, your SPF policy basically makes sure all emails sent using your domain are authorized to send emails. We also have the adkim tag, which is identical to the aspf tag, but it's for your DKIM policy. The rf tag is an optional tag. This tag allows you to specify the DMARC forensic report format. There is only one value, which is afrf; this is used by default. You shouldn't really need to include this tag, but maybe in the future there could be more report types. The last available tag you could use is the ri tag. This is also an optional tag. The ri tag allows you to specify the aggregate report interval in seconds. The minimum and default value is 86,400 seconds, which equates to 24 hours. This means every 24 hours you will receive a DMARC aggregate report. I recommend you keep it set to the minimum.

Once you have set up your DMARC values, let's go ahead and validate them. The best way to do it is to go to Google and search for "dmarc validator", and you should be able to see there's a result for MxToolbox, but any of these will work. MxToolbox has a really good tool. Let's go ahead and search for a domain. I have set up my DMARC records for my own domain, and if you did it correctly you should be able to see your DMARC values here, and you should see that you have no errors. Thank you for watching. If you found this tutorial useful, then I would appreciate it if you hit that like button; otherwise, make sure you subscribe to our channel to stay up to date with our latest training videos. If you have any questions, feel free to post them in a comment below, and we'll see you in the next video.
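The four SPF qualifiers and the five mechanisms described in the SPF part of the transcript, as an added worked example (this is not code from the video or from AHT Cloud). It parses an SPF TXT record into qualifier/mechanism/value terms and evaluates a sender IP the way a receiving mail server does: terms are tried in order and the first match decides the result through its qualifier, with the fourth qualifier, written ?, mapping to "neutral". Because include:, a: and mx: normally need DNS lookups, a constructed dictionary stands in for DNS so the example runs offline. All domain names, addresses and the vendor record are made-up sample values; the cap of 10 nested lookups follows RFC 7208 and is not mentioned in the video.

```python
"""Offline SPF evaluator (added example, not from the video).

A constructed dict stands in for DNS: TXT records for SPF, A records for
hosts, and MX host lists.  Every name and address here is a sample value.
"""
import ipaddress

# The four qualifiers and the SPF result each produces when its term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SAMPLE_DNS = {
    "txt": {
        "example.com": "v=spf1 mx a:mail.example.com ip4:192.0.2.0/24 "
                       "include:spf.vendor.example -all",
        # The third-party sender's own policy, copied in by include:
        "spf.vendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    },
    "a": {"mail.example.com": ["203.0.113.5"], "relay.example.com": ["203.0.113.6"]},
    "mx": {"example.com": ["mail.example.com", "relay.example.com"]},
}


def parse_spf(record):
    """Split 'v=spf1 ...' into a list of (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # '+' is implied when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def _host_ips(dns, mech, target):
    """IPs behind an a: or mx: mechanism, resolved through the stand-in DNS table."""
    if mech == "a":
        return dns["a"].get(target, [])
    hosts = dns["mx"].get(target, [])
    return [ip for host in hosts for ip in dns["a"].get(host, [])]


def check_spf(domain, sender_ip, dns=SAMPLE_DNS, depth=0):
    """Return the SPF result for sender_ip claiming to send as domain.

    A record with no matching term and no 'all' yields 'neutral';
    a domain with no SPF record at all yields 'none'.
    """
    if depth > 10:                           # RFC 7208 caps nested lookups at 10
        return "permerror"
    record = dns["txt"].get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # containment is False when the address families differ
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif mech == "include":
            # include: evaluates the other domain's record; only its 'pass' matches
            matched = check_spf(value, sender_ip, dns, depth + 1) == "pass"
        elif mech in ("a", "mx"):
            target = value or domain         # bare 'a' / 'mx' refer to the domain itself
            matched = str(ip) in _host_ips(dns, mech, target)
        else:
            raise ValueError(f"unsupported mechanism {mech!r}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for sender in ("192.0.2.77", "198.51.100.10", "2001:db8:1::9",
                   "203.0.113.6", "203.0.113.99"):
        print(f"{sender:>16} sending as example.com -> {check_spf('example.com', sender)}")
```

Running it shows the four in-list senders passing (one each through ip4:, include: with ip4, include: with ip6, and mx:) and the unlisted address failing on -all. Swapping the record's trailing term for ~all turns that last result into softfail, which is the junk-folder outcome the transcript describes for the tilde qualifier.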
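How the receiving server's DKIM check detects a message body that was altered in transit, as an added example (not code from the video or from AHT Cloud). It parses the DKIM-Signature header into its tags, derives the DNS name where the public key lives, and recomputes the body hash carried in the bh= tag over the body that actually arrived. The RSA signature in b= is not verified here, since that needs the public key from DNS and an RSA implementation; only the body-integrity half of the check is shown, with the "simple" body canonicalization of RFC 6376. The message, domain, selector and header are constructed sample values, and the b= value is a placeholder because no private key is involved.

```python
"""DKIM body-hash check (added example, not from the video).

Verifies the bh= tag of a DKIM-Signature header against the received body.
The b= signature over the headers is deliberately not checked here.
"""
import base64
import hashlib


def canonicalize_body_simple(body):
    """'simple' body canonicalization (RFC 6376): CRLF line endings, and all
    trailing empty lines removed so the body ends in exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def body_hash(body, algorithm="rsa-sha256"):
    """Base64 of the hash over the canonicalized body: the bh= tag value.
    The hash function is the second half of the a= tag (sha1 or sha256)."""
    hash_name = algorithm.split("-", 1)[1]
    digest = hashlib.new(hash_name, canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict,
    ignoring the folding whitespace a mail server inserts in long headers."""
    tags = {}
    for part in header_value.replace("\r\n", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def public_key_dns_name(tags):
    """DNS name the verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(header_value, body):
    """True when the received body still matches the signed body hash."""
    tags = parse_dkim_signature(header_value)
    if tags.get("v") != "1" or tags.get("a") not in ("rsa-sha1", "rsa-sha256"):
        return False
    canon = tags.get("c", "simple/simple")         # header/body canonicalization
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "simple":
        raise NotImplementedError("only simple body canonicalization is implemented here")
    return tags.get("bh") == body_hash(body, tags["a"])


def sample_signature_header(body, algorithm="rsa-sha256"):
    """Constructed DKIM-Signature value for body; b= is a placeholder."""
    return (f"v=1; a={algorithm}; c=simple/simple; d=example.com; s=sel2021; "
            f"h=from:to:subject; bh={body_hash(body, algorithm)}; b=PLACEHOLDER")


if __name__ == "__main__":
    original = "Hello,\r\n\r\nThe invoice for October is attached.\r\n\r\n\r\n"
    header = sample_signature_header(original)
    print("public key at:", public_key_dns_name(parse_dkim_signature(header)))
    print("unchanged body verifies:", verify_body_hash(header, original))
    tampered = original.replace("October", "November")
    print("tampered body verifies:", verify_body_hash(header, tampered))
```

A body whose only change is extra blank lines at the end still verifies, because simple canonicalization strips them before hashing; a change to any word does not. A real verifier then fetches the TXT record at the derived _domainkey name and checks b= over the headers listed in h=, which is what ties the hash to the signing domain.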
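A validator for the _dmarc TXT record syntax and the tags covered in the DMARC part of the transcript, as an added example (not code from the video or from AHT Cloud). It splits the semicolon-separated tag list, checks that v=DMARC1 comes first and that p is present, checks each optional tag (sp, pct, rua, ruf, fo, aspf, adkim, rf, ri) against its allowed values, and flags the settings the video advises against: p=none, a pct below 100, and a missing rua. One detail beyond the transcript: in the record itself the rua and ruf addresses are written as mailto: URIs, as RFC 7489 requires, so the validator insists on that prefix. The record strings are constructed sample values.

```python
"""DMARC record validator (added example, not from the video)."""

POLICIES = {"none", "quarantine", "reject"}
FO_VALUES = {"0", "1", "d", "s"}
ALIGNMENT_MODES = {"r", "s"}          # relaxed / strict


def dmarc_record_name(domain):
    """DNS name the DMARC TXT record is published under."""
    return f"_dmarc.{domain}"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict that keeps tag order."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record):
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = []
    tags = parse_dmarc(record)

    # v must be the first tag and exactly DMARC1, or receivers ignore the record
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("record must begin with v=DMARC1")

    policy = tags.get("p")
    if policy is None:
        problems.append("p tag is required")
    elif policy not in POLICIES:
        problems.append(f"unknown policy p={policy}")
    elif policy == "none":
        problems.append("p=none only monitors; quarantine or reject blocks spoofed mail")

    sp = tags.get("sp")
    if sp is not None and sp not in POLICIES:
        problems.append(f"unknown subdomain policy sp={sp}")

    pct = tags.get("pct", "100")            # applies to all failing mail when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct must be a percentage, got {pct}")
    elif int(pct) < 100:
        problems.append(f"pct={pct}: policy applies to only {pct}% of failing mail")

    if "rua" not in tags:
        problems.append("no rua tag: aggregate reports will not be delivered")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag} entry {uri!r} must be a mailto: address")

    fo = tags.get("fo")
    if fo is not None and not set(fo.split(":")) <= FO_VALUES:
        problems.append(f"fo accepts only 0, 1, d, s (colon-separated), got {fo}")

    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ALIGNMENT_MODES:
            problems.append(f"{tag} must be r (relaxed) or s (strict), got {tags[tag]}")

    rf = tags.get("rf")
    if rf is not None and rf != "afrf":
        problems.append(f"unsupported forensic report format rf={rf}")

    ri = tags.get("ri")
    if ri is not None and not ri.isdigit():
        problems.append(f"ri must be a whole number of seconds, got {ri}")
    elif ri is not None and int(ri) < 86400:
        problems.append(f"ri={ri}: receivers need not honour intervals below the 86400-second default")

    return problems


if __name__ == "__main__":
    # Constructed records: the first follows the video's recommendations.
    for rec in ("v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; "
                "ruf=mailto:dmarc@example.com; fo=1",
                "v=DMARC1; p=none",
                "p=reject; v=DMARC1; rua=dmarc@example.com"):
        print(f"{dmarc_record_name('example.com')} TXT {rec!r}")
        for problem in validate_dmarc(rec) or ["ok"]:
            print("   ", problem)
```

The validator is deliberately stricter than a receiver: a receiver silently ignores a record whose v tag is not first, so a typo there is exactly the kind of error an online lookup tool such as the one shown in the video would also surface. Keeping these checks in code lets you run them over every domain you own before publishing.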
Info
Channel: AHT Cloud
Views: 302
Id: S6id_BPFHcY
Length: 21min 13sec (1273 seconds)
Published: Sat Oct 16 2021