SPF, DKIM, DMARC was never so simple! // EasyDMARC

Captions
If you're administering your own email servers and systems, chances are pretty high that you had at least one time a problem with it: either your emails got rejected when you were sending stuff to somebody, or otherwise you were affected by spam campaigns and phishing. This is actually a big problem we have in email communication in general, because not only can a compromised email account lead to serious security issues, no, sometimes spam is also sent to others on your behalf using your real name and your real domain, even without any account of you being compromised at all. I've seen this problem a couple of times in the past in some companies, and this of course can seriously damage a company's reputation. That's why many server admins usually define strict policies on their mail systems. You might have heard about SPF, DKIM and DMARC before, and since the last years there's also something new called BIMI. If you haven't, no worries, I'm explaining it all in this video, and because I know it's not easy to manage all those things on your email service and systems, I want to show you the perfect solution that I'm by the way using myself on my own email systems for that: EasyDMARC. EasyDMARC is a cloud native service provider for outbound email security, and it helps you to stop ransomware, business email compromise, phishing and some other nasty attacks. It's perfect for midsize to large enterprises to level up your email security and reputation, but because they also have a couple of interesting tools and features they provide entirely for free, it is also perfect for us homelab people who just like to run their own email servers and configs. So let's check it out together. If you want to get started and level up your email security, just go to the homepage easydmarc.com and create an account entirely for free, and if you want to use that for your company and business to secure outbound email communication, just reach out to the EasyDMARC team. They have a dedicated customer
support and they will walk you through all the necessary steps on how to configure and set this up on your email systems. Of course, we will cover some of their features and products here in this video as well, but I also want to explain some of the technologies behind it and why you actually should use them on your systems. If you have created your account and logged into the dashboard of EasyDMARC, it will show you a great overview of all the domains you have added to their managed system and whether you have correct DNS records in place, such as DMARC, DKIM, SPF and BIMI, and it will also show you some graphs and statistics about the volume of outbound emails and whether they are compliant with your security policies, if there are threats or unknown emails, and it will sort them by top sending sources. So for example, if you're using Microsoft 365 or Google Workspace, maybe some other tools for sending outbound email campaigns and so on, they will all show up here, and you can very easily identify whether everything is working and if you have all the DNS records and policies correctly set up. So let's take one step back and talk in a bit more detail about SPF, DKIM, DMARC and BIMI. Why do we actually need them? Because technically, all those records don't really protect you from incoming spam. As I mentioned, they are all developed for outbound email security, but you have to look at this from both sides. Yeah, you want to make sure to protect others against spam campaigns that might happen in your name, of course, and by implementing these technologies on your mail server systems, the other email servers that receive emails from you can look up if the email that is arriving at their systems is truly sent by you or if it was an attacker on your behalf. It's great for protecting your partners and companies you have business communication with, but I think it is also important for yourself, because other email systems might check what is your reputation and if you are a trustworthy sender,
so this could be especially problematic when you want to send newsletters to some of your clients and this for some reason doesn't work. And if you don't do anything to secure your outbound email communication, others might just reject your emails in some cases because they don't trust you as a sender, and honestly, as an IT pro, it just makes you look bad if you don't have these things in place for securing your emails. If you want to use EasyDMARC to manage your outbound email security, you first of all have to add your domain to it, so just click on Add Domains, and this will give you a list of all the domains that you are currently managing in this system. As you can see, I have one email domain that I'm actively using for my email communication and another one that I've just added for testing. If I want to add another email domain, I click on Add Domain, and for example we can type in the-digital-life.com, which is another old domain that we can use for a test, and if I click on Add, this will tell me exactly what type of records I need to add to my DNS provider so that it can be managed by EasyDMARC. It's very easy to add this to your DNS; for example, I will show you that on Cloudflare. So here I am in my Cloudflare DNS settings, I go to DNS records and add another record that is a CNAME for the host _dmarc, and then I just need to copy this value here, put it in the target, also make sure that it's not a proxied DNS record, and click on Save. So now we can go back to EasyDMARC and verify it. It shouldn't take long, it might take a few minutes to be propagated, but as you can see, at Cloudflare this is very, very fast, and it has been successfully verified. So now that we have added this domain to EasyDMARC, we should see it in the table here, and this is where we can now verify the status of all the outbound security settings. As you can see, DMARC is automatically verified because of that record, and now we could also set up SPF, DKIM and BIMI. And let's take a closer look, we
will start with SPF, which stands for Sender Policy Framework, and this technology helps you to prevent email fraud and spoofing. It works just like most of the other outbound email security technologies, by setting a record on your DNS that others can check to verify if any inbound email sent on your behalf is truly sent by your server. The way it works is: if you are sending an email to somebody, your email server usually uses its public IP address to establish a secure connection to the receiving mail server, and this address you have to put in an SPF record on your domain, so the other email server that is receiving your email can easily check if the source IP address that the email was sent from matches with the real IP address on the DNS. If somebody tries to spoof that and sends a malicious email on your behalf, its outgoing public IP address will most likely not match with yours on the SPF record, and the other email server can now just reject it as spam. To generate such an SPF record, you can easily just use the SPF generator in the tools section of EasyDMARC. So here you can just enter your domain that you're using to send emails, and then you can add the address of your email server, such as the public IPv4 address, IPv6 address, an A record and MX record, so those are all the valid settings that you can use. For example, here I could just easily type in the public IP address of my server, select the failure policy, so for example: not compliant will be rejected, not compliant will be accepted but marked as non-compliant, and neutral, so this is what you probably should not do. So I would mostly just start with a soft fail, so that your email on the receiving mail server won't be always rejected, but it should be marked as well that there's something suspicious going on because the SPF record has failed. And then you can just click on Generate, and as you can see, it automatically found out that the IPv4 address that I was using is invalid, so of course 273 is exceeding the IPv4 range,
but I mostly use this as an example to not accidentally use valid IPv4 addresses for demonstrations that I don't own myself. So as I can see, the generator of EasyDMARC will always check if you have any errors in your SPF record. But let's just assume this would be a valid IPv4 address, then you could just easily copy this and put it as a TXT record on your DNS system. So this works great for any self-hosted email servers that use public IPv4 addresses, but if you're using a different managed system like Office 365 or maybe, uh, Gmail Workspace, they most likely don't give you an IPv4 address, or their outgoing IPv4 addresses might always change from time to time, and of course you don't want to always upgrade your DNS records. So in this case they most likely give you an include statement you should add in the SPF record. So for example, this is the official documentation from Gmail, so there they will give you an include statement for _spf.google.com, so this you can just copy and put on your SPF record, and if you're using Microsoft 365, then you should add this SPF record. So for example, if I would want to generate a record for the-digital-life.com, for example, and I'm using Gmail, I could just use this include statement here, add it in here, and add another one if I'm also using Office 365, for example, so I'm also grabbing this include statement, put it in here, and generate an SPF record. So as you can see, this is valid, and EasyDMARC also shows you automatically all the IP addresses that are affiliated with this managed SPF record from Google, you can see I'm using this here, and this is the include statement for Office 365. So this is the SPF record that I could just easily copy and paste on my DNS system. However, there are a few challenges that come with managing it this way. So the first is, there is a limitation of having a maximum of 10 include statements in one SPF record, so if you're using different outbound email systems, so maybe you're using Google Workspace, you're using Office 365,
and some other tools for sending outbound email newsletter campaigns and so on, if you have more than 10 include statements, it will likely result in some problems, and also if you're changing those tools and you want to add more include statements, you always need to regenerate this record and add it manually on your DNS system in Cloudflare. There's a much better solution in EasyDMARC for managing this, and this is called EasySPF. If you want to use the managed EasySPF solution in EasyDMARC, you first of all need to activate this for your domain by adding another DNS record on your system. So just select the domain you want to activate this for, click on Activate, and this again will tell you all the DNS record settings that you need to add to your provider. So here, let's do another example: I'm just copying the hostname here and go to Cloudflare, add another DNS record, this time of type TXT, add in the name here, so this should always match your domain name, and then copy this value here and put it as the content. So instead of adding all those different include statements manually, you just add this one record, and EasyDMARC will automatically manage all the DNS settings and include statements for you in the table. So once we saved this and added the DNS record, we need to click on Verify, and this might take a while for the DNS records to be propagated, it can also take up to several hours. So I will just show you this for another example domain that I've already activated; for example, this is my currently active email domain that I'm using, and as you can see, it will show you all the include statements that you previously had on your SPF record. So it will always import all the include statements and show them as a table here, and here you will find all the different sources, like for Microsoft 365, Gmail Workspaces, all outbound email campaign tools, whatever you're using, and you can easily just activate or deactivate them. You can also add another source, for example if I want
to use, uh, yeah, Google Workspace here, I can just type in Google Workspace, you can see they already have a template added for this, so you even don't need to look this up yourself, you can easily just add this as a new source. And what EasySPF will do now is they manage all this entirely for you, so you don't even need to touch your DNS records again, you can always add new data sources, change them, and even if they exceed the limit of 10 include sources, don't worry about this. If I now save this record and go to Tools, SPF, and if you check the SPF record of your domain again, you should see in the SPF lookup tree an SPF record that contains all the public IPv4 and IPv6 addresses of both of the services, Microsoft 365 and Google Workspace, all managed easily in one simple record through EasySPF. That's really amazing, right? SPF is a good first line of defense against spam campaigns, however, just the sender's address being authentic of course doesn't say anything about the content of the email itself, because if someone spoofs your source IP address or somehow can tamper the email in transit, SPF doesn't really protect against it, and this is where DKIM, DomainKeys Identified Mail, comes into play. It adds another layer of security by attaching a digital signature to outgoing emails. It utilizes public key cryptography, specifically using algorithms such as RSA or ECC, to generate private and public keys; you might know this from TLS or SSH. The private key is used to create the digital signature, which is added to every email's header that you're sending, while the public key is stored again as a record on your DNS, so that when somebody receives an email that claims to be sent by you, the other email server can easily verify that digital signature by using the public key from your DNS record, and this is a very, very secure way to verify the email's content is truly created by you. To generate this private and public key for your DKIM record, you easily can use one of the free tools in Easy
DMARC to do this. So click on Tools, DKIM Generator, and then you can generate a private and public key for DKIM for any given domain that you want. So for example, let's do this for the-digital-life.com, add your desired selector, so you need to create a separate key for multiple systems maybe, so you can differentiate between Google Workspace, Microsoft 365 and maybe your custom email server, any other outbound data sources. I'm just going to add s1 here as a test, and maybe adjust the key length and choose something like, uh, 2048 for example, and click on Generate. So this will generate a record that you need to put again as a TXT record on your DNS, so make sure you copy the first part here, so this is the s1, the selector, ._domainkey. Go to Cloudflare and add a new DNS record again, as type TXT, add this here, the selector and the ._domainkey, as a name, and then this value here as the content value, and save this. So now this is the public key that you have published on your DNS, and this is the private key that you can easily copy and upload on your email server, so the email server can use this private key to create a new digital signature and attach it to every email that it's sending out, and the receiving email server can check with this public key on the DNS if the digital signature is correct. Now this works very well on any custom email server where you can import a private key, however, on some managed services like Google Workspace or Microsoft 365, this is not always possible, because at Microsoft 365 you have to use the internal tools to generate this DKIM key; they won't give you the private key to download, only the public key. So you can easily just look this guide up and follow it, but I will just quickly walk you through, for example, because I needed to do that on my Microsoft 365 account as well. So here in the admin center you need to go to Security, then select Policy and Rules, Threat Policies, Email Authentication Settings, select DKIM, and then when you select your
domain, it will show you a window. So here you can see I've already enabled a DKIM signature on this domain in Microsoft 365. If you do that the first time, it will give you an option to generate these keys and download the public key and the TXT record you have to put on your DNS. Again, I don't know why Microsoft always hides those settings in those complicated menus, but yeah, that is how it works. And then once you've published your DKIM record and you attached the private key on your email system, you can easily just look up if the domain has a valid record, you can see, so this is correct here, and for all the domains that you have added to EasyDMARC, you should also see a valid sign here for DKIM. So this is what we've just added on the system. Now if you want to test this, I would strongly recommend you to go to Email Investigation and start a test, because of course you want to check if the DKIM private key is correctly used by your email system to create this digital signature. So click on New Test, and this will give you a temporary inbox that you can use to send an email to. So let's copy this and let's write a new email to this inbox, a test email, for example, just put "test email" in here, that's totally fine, and send this. And now after a few seconds you should have a new email here, and you can click on the compliance to check if your key and signature was correctly attached. As you can see, everything just works, so I have passed the DMARC check with SPF and DKIM; DKIM was passed and SPF also, so this is great. If anything fails, for example if the DKIM key wasn't imported correctly on your email system or you have, uh, published your DNS record in the wrong way, you should see an error in here, so for example "DKIM failed", and you can easily troubleshoot what you need to correct on your system. Now SPF and DKIM are really amazing, but there is still the question: how effective are they really? Because it's great that you have configured SPF, DKIM, but not everybody on the internet
might do that. So in reality, email servers will receive so many emails from legitimate clients that might just have SPF but not DKIM set up correctly, others are totally lazy and don't do anything, but of course you don't want to automatically reject every email from a domain that does not have an SPF or DKIM record, because then you would probably block many legitimate emails too. So how should the receiving email server know whether it should reject an email or not when these checks are failing? This is exactly why you need DMARC, Domain-based Message Authentication, Reporting and Conformance. I don't know who came up with this name. The way it works is, again, you have to publish a record on your DNS, and this includes instructions for other email servers like: hey, this domain has SPF and DKIM in place, so every email that you receive from that domain you have to check against SPF and DKIM. There are three types of policies in DMARC, such as none, so that's what you can start with for testing if everything works, but then you probably should switch later to quarantine or reject, because only then other email servers will actually block emails coming from you that fail against the SPF or DKIM check. So make sure you test this properly before, but otherwise SPF and DKIM might not be very effective when you don't have a DMARC policy correctly set up. The DMARC policy is very, very easy to configure in EasyDMARC, just as the name suggests, because once you added a domain to EasyDMARC, you already configured a DMARC policy. However, the default setting is always set to none, otherwise other email servers might reject your emails if you don't have the SPF and DKIM keys correctly configured. The way how you do this is very simple: just go to Manage DMARC, then you can select your domain, and it shows you the DMARC policy enforcement, and then you can easily just decide if you want to use quarantine or reject. So I would probably just select reject, which is the best to protect against spam, and then apply the
changes. One thing though I have to address at this point here: so even if you have successfully completed all the setup process of SPF, DKIM and DMARC, you have done the Email Investigation check, and you immediately want to switch the policy from none to reject or quarantine, I would strongly advise against that, especially if you have configured multiple sending sources. Then you should actually monitor incoming DMARC reports for a while until you turn on this policy, because if anything happens to your outbound sending sources, maybe an IP address changes and therefore the SPF check fails, or a DKIM key expires, of course you need to be informed about this, otherwise you never really know if the receiving mail server blocks your email because an SPF or DKIM check failed. So therefore it's really important to monitor the two types of reports here, the aggregate reporting and the failure reporting; both are, by the way, automatically configured when you're using the managed DMARC service in EasyDMARC, so this is really nice. Usually those reports are XML documents that are sent to email addresses that you specify in the DMARC record, and then you need third-party tools to analyze these reports and monitor them. This is all done very easily in EasyDMARC. So here you can see the aggregate reports for my seal creative domain, so when I'm sending mails you can definitely see how many emails that I'm sending are compliant to SPF and DKIM checks, which ones are non-compliant, and others that are threats or unknown, so this is happening when somebody tries to send emails on your behalf but without sending it through your servers. Also the failure reports are very important; other email servers might reject your emails because those checks were failing, of course you need to be informed about this. So definitely make sure you're watching those two reports, the failure report and the aggregate report, for a few days or a few weeks, and if you've got 100% compliant emails for a while, then you're good
to finally turn on the DMARC policy and switch from none to reject or quarantine. And that's basically it, congratulations, you now have protected your outbound emails with a DMARC and SPF and DKIM record, everything should be green and correctly set up. However, if you paid attention, there's also another technology recently added to this, which is called BIMI, so let's also quickly talk about that. BIMI stands for Brand Indicators for Message Identification, and in my opinion this is honestly more like a nice-to-have feature. It allows organizations to display their brand logos in the email inbox of recipients who support BIMI. So you might say, well, showing a logo isn't really blocking spam, however, it can still enhance security and brand recognition as well, because an incoming email can be quickly identified as legitimate by just paying attention to a logo, and sure, we all know end users don't care about tech, but they might become suspicious when there is no logo in the email inbox when for all the other emails before it was there. So it's more like a nice add-on to SPF, DKIM and DMARC, but if you're already in the game of setting everything up correctly as a good sysadmin, you can set this up too, right? And the way you do it is, you just go to Managed Solutions, go to Manage BIMI, and then again you need to activate this by using a DNS record, of course. So let's copy the host value and add a new CNAME record, copy the value, make sure this is not proxied, of course, and click on Save. So let's verify it again, it might take a few minutes, and then you can easily upload your VMC certificate or your SVG logo file for BIMI. So let me just demonstrate this to you on a domain that I've already verified and where I can send emails from. As you can see, this is now active, and here is my logo file that I've already uploaded. So one thing that is very important to mention: the BIMI logo has to follow some specific format, so it has to be an SVG logo with vector graphics, you can't just upload any image,
unfortunately, and when you go to the homepage of the BIMI Group, there they have published all the specifications that this logo has to be compliant with. But if you follow them, if you upload it correctly, you should see in some email clients that support the BIMI logo, any email that comes from your domain should have this logo. For example, let me just send an email to my Gmail account, uh, "BIMI test mail". So here is the email, and as you can see, this will show a logo here, so every email that comes from my domain will get this logo displayed in Gmail. Unfortunately, BIMI is not widely adopted, so as you can see, there are some providers that already support BIMI. I don't know why they need to show this up here, that Microsoft is the only one who does not support it, I don't know, but yeah, as you can see, adoption isn't always very fast, we will see when it gets adopted by Microsoft. Okay, so I hope this helped you to understand all these outbound email security technologies a bit better, and if you're interested in learning more about it, make sure to check out my channel, give this one a like and subscribe, that would be really cool, and a big thanks goes out to EasyDMARC for supporting this video. If you're interested in their systems and services, again just head over to their homepage, you will find the link in the description of the video, just reach out to them if you want to use that in your company, and thanks everybody for watching, I will catch you in the next one, take care, bye-bye.
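The SPF evaluation the video describes from the receiving server's side (matching the sender's IP against ip4/ip6 terms, walking include: statements, the soft/hard fail qualifier on all, and the lookup limit of 10), as an added Python example that is neither from the video nor EasyDMARC's own tooling. The DNS zone is a constructed in-memory table using documentation address ranges and invented provider names; it also covers the invalid-address case the generator flagged in the video.

```python
"""Tiny SPF evaluator over a constructed, offline DNS table (stdlib only).

A receiving mail server walks your v=spf1 record left to right: ip4/ip6 terms
match the connecting IP directly, include: terms recurse into another domain's
record (each costs a DNS lookup, capped at 10 per check by RFC 7208), and the
qualifier on the final 'all' term decides the result for everything else.
"""
import ipaddress

# Constructed zone data for the demo, not real DNS. Addresses come from the
# RFC 5737/3849 documentation ranges, so nothing here points at a real host.
FAKE_DNS = {
    # self-hosted server plus two managed providers via include:, soft fail
    "example.com": ["v=spf1 ip4:203.0.113.10 include:_spf.provider-a.example "
                    "include:spf.provider-b.example ~all"],
    "_spf.provider-a.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all"],
    "spf.provider-b.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "strict.example": ["v=spf1 ip4:203.0.113.10 -all"],   # hard fail for anyone else
    "badip.example": ["v=spf1 ip4:273.0.113.10 ~all"],    # 273 exceeds the IPv4 range
    "nospf.example": ["unrelated-txt-record"],            # no SPF published at all
}
# A domain that bolted on eleven vendors with one include: each. vendor10 would
# match its sender, but the receiver gives up after the tenth lookup.
for i in range(11):
    FAKE_DNS[f"vendor{i}.example"] = [f"v=spf1 ip4:192.0.2.{100 + i} -all"]
FAKE_DNS["too-many.example"] = [
    "v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all"]

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10


def get_spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent/ambiguous."""
    found = [t for t in FAKE_DNS.get(domain, []) if t.split(" ", 1)[0] == "v=spf1"]
    return found[0] if len(found) == 1 else None


def check_host(ip, domain, lookups=None):
    """SPF check_host(): one of pass, fail, softfail, neutral, none, permerror."""
    ip = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups   # one counter shared across includes
    record = get_spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"                              # bare mechanism means '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                   # malformed address, like 273.x.x.x
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"                   # the 10-lookup limit
            sub = check_host(str(ip), arg, lookups)
            if sub == "pass":
                return QUALIFIER_RESULT[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"                   # a broken include poisons the record
        else:
            return "permerror"                       # mechanism this demo doesn't model
    return "neutral"                                 # record ended without an 'all'


def evaluate(ip, domain):
    """Convenience wrapper: (result, DNS lookups spent) for one sender/domain pair."""
    lookups = [0]
    return check_host(ip, domain, lookups), lookups[0]


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "example.com"), ("203.0.113.99", "example.com"),
                       ("203.0.113.99", "strict.example"), ("192.0.2.110", "too-many.example")]:
        print(f"{ip:>16} {domain:<18} -> {evaluate(ip, domain)}")
```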
Info
Channel: Christian Lempa
Views: 20,246
Id: Yg3QL8To6uQ
Length: 25min 59sec (1559 seconds)
Published: Tue Feb 13 2024