I know that back in the days of POP3 and unencrypted email you could write anything in From: and one would have to cross-check with the other headers to see if the message at least went through the domain in the address.
I believe nowadays big servers like gmail are stricter in the email they accept (to the point of rejecting valid emails, which is super annoying, I know), but is there a standard check that foo@bar.com comes from bar.com?
@kinnison @hisham_hm There's also #DMARC which instructs servers how to interpret the SPF and DKIM rules. The important part here is called "alignment", where the domain in the "From:" header must match that of the MAIL FROM line and the signer of the DKIM signature. Otherwise SPF/DKIM wouldn't protect against spoofers authenticating themselves. It's noteworthy that Microsoft does not refuse mails as instructed.
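The alignment rule from the post above, as an added example (not code from any of the posts here): DMARC passes only if SPF passes on a MAIL FROM domain aligned with the From: header domain, or DKIM passes with an aligned d= domain; the `adkim`/`aspf` tags of the DMARC record choose relaxed or strict alignment. Assumption: the organizational domain is approximated by the last two labels; real implementations use the Public Suffix List.

```python
"""DMARC identifier alignment check (added example; simplified org-domain rule)."""

def domain_of(address: str) -> str:
    """'Foo <foo@bar.com>' -> 'bar.com'"""
    return address.rsplit("@", 1)[1].strip("> ").lower().rstrip(".")

def org_domain(domain: str) -> str:
    # Assumption: last two labels. A real evaluator consults the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    hf, ad = header_from_domain.lower(), auth_domain.lower()
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dmarc_evaluate(header_from, mail_from, spf_result, dkim_d, dkim_result, policy_txt):
    """Return {'pass': bool, 'policy': p}: SPF pass on an aligned MAIL FROM domain,
    or DKIM pass with an aligned d= domain, is required. Unaligned passes do not count."""
    tags = parse_dmarc(policy_txt)
    hf = domain_of(header_from)
    spf_ok = spf_result == "pass" and aligned(hf, domain_of(mail_from), tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_d is not None
               and aligned(hf, dkim_d, tags.get("adkim", "r")))
    return {"pass": spf_ok or dkim_ok, "policy": tags.get("p", "none")}
```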
To what extent are DMARC, and in particular its aggregate and forensic report formats, compatible with the requirements of the GDPR? Katharina Küchler (lawyer, eco Verband) and I (e-mail expert, head of the eco e-mail competence group) looked into this question in the fully revised legal opinion of the #eco association.
If you like analysing e-mail headers and message source, the message from Macron Travail warning that your data has been breached is very interesting.
Every so often, I need to chase down some aspect of email validation (#SPF, #DKIM, #DMARC, ...). This involves a number of #DNS records and queries, but I may forget just which ones. So here's a quick #SMTP/DNS cheatsheet:
Hey @bitwarden! It's a tad worrisome when a security software company can't handle something as simple as ensuring that its #DMARC record points to valid email addresses. #infosec #cybersecurity #email
Fun and games with email today… Yahoo and Google have stepped up their filtering game, requiring stricter DKIM/DMARC.
That broke my workplace email addresses.
Consequently, I wound up reviving my old yahoo.com.au email address… fun and games remembering the password to an account I haven't used regularly in the better part of 25 years.
Thankfully, I must've logged in more recently, and changed the password… and crucially, stored it in the password manager. So it's working again.
My home mail server: delivers to the old Yahoo account, no problems at all.
SPFv1 for both of work's domains is correct; how the hell does a hobby server admin like me get something right that professionals like Microsoft get wrong?
To everyone who deals with e-mail and wants to do it officially right™: the @bsi has published the Technical Guideline BSI TR-03182 "Email Authentication" https://bsi.bund.de/dok/tr-03182-en, which describes how #spf, #dkim and #dmarc must be deployed so that they conform to the TR and can pass an audit for a BSI certification.
Why am I writing this? You are reading the toot of the proud author who spent 1.5 years working out the TR with the BSI.
I suspect that, with both Gmail and Yahoo recently tightening up on authenticated emails, some Zoho users may begin to notice their emails are being rejected and may no doubt blame Zoho for the problems!
if you get DMARC reports to you instead of some service, and you use something semi-automated to extract the .zip or .xml.gz and shove it into something more readable to a human, please hit me up and/or just reply with links.
I only want replies with things that are (a) F/LOSS, and (b) things you have actually personally used. It's fine if you know of something you haven't used, but instead of tagging me, boost this or send this to a person you know who uses that thing.
I'm also uninterested in replies that say "here's this software as a service that we use" because I'm aware of several of those and they're on the table for my chunk of the org. Right now I'm looking to evaluate things we can manage locally. Thanks!
The DMARC record is used to authenticate mail to ensure that the message is not fraudulent. But did you know that you can also set a DMARC record for the default onmicrosoft.com domain?
The onmicrosoft.com (also called MOERA) domain can be spoofed as well, so it is recommended to set a DMARC record for that domain too. More in today's blog post 👇
Sooo. #DMARC reports. Anyone doing anything useful with them? We have tons of legitimate mails with failing SPF/DKIM checks due to $reasons so filtering out the noise is going to be a big pain. Wondering if it’s worth it and there is usable OSS tooling for that - first look was quite underwhelming. :BoostOK:
After this week's Spring Break, we return in my #SysAdmin class to dive into #SMTP.
We start with an overview of the ecosystem consisting of MUAs, MTAs, MDAs, Access Agents, and tcpdump a simple manual SMTP session over telnet. We then talk about STARTTLS, MTA-STS and #DANE, before diving into #spam defenses, including #SPF, #DKIM, and #DMARC, all with practical examples, tracking lookups and traffic on the sender and receiver.
Heh, request smuggling is no longer just for HTTP. Circumvent #SPF, #DMARC, #DKIM by smuggling #SMTP commands (and thus spoof mail), because some MTAs don't strictly require \r\n.\r\n:
In the wake of Google’s announcement of new rules for bulk senders, Microsoft is urging Microsoft 365 email senders to implement SPF, DKIM and DMARC email authentication methods.
I've successfully set up Mox by Mechiel Lukkien as my new mail server. It handles SMTP, IMAP, SPF, DKIM, and DMARC. It has a built-in spam filter, a web interface, webmail, autoconfiguration and it can show a checklist whether your DNS is set up correctly or not. All in a single binary! Pretty cool stuff. I'm planning to test various other solutions and document it on my blog soon.
It kinda surprises me that the DMARC RFC didn't declare a simple HTTP based transport for reports, and instead they're all transported via email attachments.
I receive DMARC reports on a bunch of my domains but don't have any way to do anything with them (I know there are paid services, but really?)
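Several posts above ask what to do with the aggregate (rua) reports that arrive as .xml, .xml.gz or .zip attachments. As an added example (not from any of the posts, nor from a named tool), this unwraps the attachment, parses the RFC 7489 aggregate XML and totals pass/fail per source IP, so that legitimate senders that keep failing can be told apart from the rest. The embedded report is constructed sample data.

```python
"""Summarise a DMARC aggregate report attachment (added example, constructed sample)."""
import gzip, io, zipfile
import xml.etree.ElementTree as ET

def load_report_xml(blob: bytes) -> bytes:
    """Unwrap the attachment formats aggregate reports are sent in."""
    if blob[:2] == b"\x1f\x8b":                      # gzip magic -> .xml.gz
        return gzip.decompress(blob)
    if blob[:2] == b"PK":                            # zip magic -> .zip
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return z.read(z.namelist()[0])
    return blob                                      # plain .xml

def summarize(blob: bytes) -> dict:
    """Per source IP: messages that passed DMARC (aligned DKIM or SPF) vs failed."""
    root = ET.fromstring(load_report_xml(blob))
    out = {"org": root.findtext("report_metadata/org_name"),
           "domain": root.findtext("policy_published/domain"),
           "policy": root.findtext("policy_published/p"), "sources": {}}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated carries the *aligned* results; either pass means DMARC pass
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        status = "pass" if "pass" in (dkim, spf) else "fail"
        out["sources"].setdefault(ip, {"pass": 0, "fail": 0})[status] += count
    return out

def needs_attention(summary: dict) -> list:
    """Source IPs with any DMARC failures, worst first: the list to investigate."""
    src = summary["sources"]
    return sorted((ip for ip in src if src[ip]["fail"]), key=lambda ip: -src[ip]["fail"])

SAMPLE_XML = b"""<?xml version="1.0"?><feedback>
<report_metadata><org_name>mailer.example</org_name><report_id>CONSTRUCTED-1</report_id></report_metadata>
<policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count><policy_evaluated>
<disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.5</source_ip><count>12</count><policy_evaluated>
<disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>192.0.2.10</source_ip><count>2</count><policy_evaluated>
<disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def demo() -> dict:
    """Run the summary over the sample as it would arrive, gzip-compressed."""
    return summarize(gzip.compress(SAMPLE_XML))
```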