E-mail Security
Sender Policy Framework (SPF) is used to authenticate the envelope sender of an email. With an SPF record published, receiving mail servers can verify that the connecting mail server is authorized to send email for the domain in the SMTP MAIL FROM identity (or, if that is empty, the HELO name). An SPF record is a DNS TXT record containing the list of IP addresses and hosts that are allowed to send email on behalf of your domain. Note that SPF checks the envelope sender, not the From: header the user sees; tying the two together is DMARC's job.
To add an SPF record, you will need access to the DNS control panel for your domain.
You will also need to identify everything that sends email from your domain(s), including third parties that send email on your behalf. This includes:
Mail servers (hosted services such as Gmail/Google Workspace or your ISP's relay, and on-premises servers such as Microsoft Exchange)
ESPs (Email Service Providers: companies that provide email marketing/bulk email services)
Miscellaneous services (e.g., support/ticketing systems, payment providers, e-commerce platforms, monitoring tools, etc.)
v=spf1: Indicates that this is an SPF record. It must be the first term; other SPF versions (spf2.0/Sender ID) have been discontinued.
ip4:127.0.0.1: An IPv4 address (or CIDR range, e.g. ip4:192.0.2.0/24) authorized to send email on behalf of your domain; ip6: does the same for IPv6. The loopback address here is only a placeholder.
include:_spf.google.com: Pulls in the SPF policy published by another domain (useful for third-party senders). Each include:, a:, mx:, exists:, ptr: or redirect= term costs a DNS lookup, and a record that needs more than 10 lookups evaluates to permerror, so count them when adding vendors.
policy (the all mechanism): What result a receiving server should apply to a sending host that is not listed (authorized) in your SPF record. The qualifier on all can be:
-all: (Fail) the domain asserts that unlisted hosts are not allowed to send; receivers commonly reject such mail.
~all: (Softfail) mail from unlisted hosts is accepted but marked as suspicious.
?all: (Neutral) the domain makes no assertion; treated like having no SPF record.
+all: (Pass) allows any server to send email from your domain (not recommended; it makes the record useless).
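The evaluation described above (mechanisms tried left to right, the first match wins, include: recursing into another domain's record, and the 10-lookup limit) as an added example in Python; this is not code from the original page. The zone dictionary stands in for live DNS TXT lookups and uses constructed domains and documentation addresses, and the a:, mx:, exists: and ptr: mechanisms are counted against the lookup budget but never match, since resolving them is out of scope here.

```python
import ipaddress

# Constructed zone standing in for live DNS TXT lookups (hypothetical domains and addresses).
SPF_ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.5 ip6:2001:db8::/32 -all",
    "loop.example": "v=spf1 include:loop.example -all",      # pathological: includes itself
    "broken.example": "v=spf1 include:nowhere.example -all",  # includes a domain with no record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing terms


def lookup_spf(domain, zone):
    """Return the domain's SPF record or None (a real checker would query TXT records)."""
    txt = zone.get(domain.lower())
    return txt if txt and txt.lower().startswith("v=spf1") else None


def check_spf(ip, domain, zone=SPF_ZONE, _budget=None):
    """Evaluate `domain`'s SPF policy for sending address `ip`; returns (result, explanation)."""
    budget = _budget if _budget is not None else [MAX_DNS_LOOKUPS]
    record = lookup_spf(domain, zone)
    if record is None:
        return "none", f"{domain}: no SPF record"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not handled by this simplified evaluator
        qualifier = "+"  # a mechanism without an explicit qualifier means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier], f"{domain}: {ip} matched {qualifier}all"
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", f"{domain}: bad network {arg!r}"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], f"{domain}: {ip} matched {mech}:{arg}"
            continue
        if mech in ("include", "a", "mx", "exists", "ptr"):
            budget[0] -= 1  # every one of these costs a DNS query, recursion included
            if budget[0] < 0:
                return "permerror", f"{domain}: more than {MAX_DNS_LOOKUPS} DNS lookups"
            if mech != "include":
                continue  # a/mx/exists/ptr would need A/MX/PTR lookups; counted but never match here
            sub, why = check_spf(ip, arg, zone, budget)
            if sub == "pass":
                return QUALIFIERS[qualifier], f"{domain}: include:{arg} matched ({why})"
            if sub in ("none", "permerror", "temperror"):
                return "permerror", why  # RFC 7208: a missing record inside include: is a permerror
            continue  # fail/softfail/neutral from an include: the term simply does not match
        return "permerror", f"{domain}: unknown mechanism {mech!r}"
    return "neutral", f"{domain}: no mechanism matched and no all term"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "2001:db8::1", "203.0.113.99"):
        print(ip, "->", check_spf(ip, "example.com"))
    print("loop.example ->", check_spf("192.0.2.1", "loop.example"))
```

The loop.example and broken.example entries show the two ways a record turns into permerror (which most receivers treat as no SPF at all): exceeding the lookup budget and including a domain that publishes nothing.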
DKIM (DomainKeys Identified Mail) is used to authenticate an email by attaching a cryptographic signature to it. The sending server signs selected headers and the body with a private key and adds the result as a DKIM-Signature header; the matching public key is published in DNS so any receiver can verify the signature.
Like SPF, DKIM is an open standard for email authentication that DMARC uses for alignment. A DKIM record lives in DNS, but it is a bit more involved than SPF. DKIM's advantage over SPF is that the signature travels with the message, so it survives simple forwarding (SPF breaks as soon as a forwarder relays the message from its own IP). It is not immune to everything: mailing lists that rewrite the subject or append a footer invalidate the signature.
The two tags in the DKIM-Signature header that tell a verifier where to fetch the key, and the DNS tag that holds it:
s=: Selector, combined with the domain to locate the public key in DNS. The value is a name or number chosen by the sender. s= is included in the DKIM signature.
d=: Domain, combined with the selector (s=) to locate the public key. The value is a domain name owned by the sender. d= is included in the DKIM signature.
p=: The public key a mailbox provider uses to verify the DKIM signature. It lives in the DNS TXT record, not in the signature.
Example for example.com:
The selector (s=): dk1024-2012
The domain (d=): example.com
The version (v=): DKIM1
The public key (p=): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV
A verifier that sees s=dk1024-2012 and d=example.com in a DKIM-Signature header queries the TXT record at dk1024-2012._domainkey.example.com and expects it to contain v=DKIM1 and the p= key above. The selector name hints at a 1024-bit RSA key from 2012; RFC 8301 recommends 2048-bit keys today, and rotating the selector is how you roll the key without a gap.
The tags that can appear in the DKIM DNS TXT record (RFC 6376):
v=: Version of the DKIM record. The value must be DKIM1 and, when present, it must be the first tag in the record.
p=: Public key a mailbox provider uses to verify a DKIM signature generated with the corresponding private key. The value is the base64-encoded public key (a DER SubjectPublicKeyInfo for RSA), generated together with the private key during DKIM set-up. An empty p= means the key has been revoked.
k=: Key type. The default is rsa, which signers and verifiers must support; ed25519 is also defined (RFC 8463).
h=: Which hash algorithms are acceptable. The default allows all of them; you can restrict the record to sha256. Signers and verifiers must support sha256. Verifiers were originally also required to support sha1, but RFC 8301 deprecated rsa-sha1, so do not rely on it.
t=: Flags, colon-separated. Indicates that the domain is testing DKIM, or is enforcing a domain match in the signature header between the i= and d= tags.
t=y: Domain is testing DKIM. Senders use this flag when first setting up DKIM to make sure the signature verifies correctly. Some mailbox providers ignore a DKIM signature in test mode, so remove this flag before full deployment (or change it to t=s if you use the i= tag in the signature).
t=s: Any DKIM signature using the i= tag must have the same domain on the right-hand side of the @ in i= as in d= (i=local-part@domain.com). The i= domain must not be a subdomain of the d= domain. Do not set this flag if you need to sign with subdomain identities.
g=: Granularity of the public key. The value had to match the local-part of the i= tag in the DKIM signature (i=local-part@domain.com) or contain a wildcard asterisk (*), to constrain which signing address could use the selector. This tag was dropped in RFC 6376 and modern verifiers ignore it.
n=: Note field intended for administrators, not end users. The default value is empty and may contain a note that an administrator may want to read.
s=: Service type to which this record applies. The default is a wildcard asterisk (*), which matches all service types; the only other defined value is email, indicating that the message is an electronic mail message. This tag is not the same as a selector: it is meant to constrain the use of the key if DKIM is ever used for purposes other than email, and it appears in the DNS TXT record, not in the signature. Should other service types be defined in the future, verifiers will ignore the record if it does not match the type of message sent.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard that uses a concept called alignment to tie the results of two other open standards, SPF (a published list of servers authorized to send email on behalf of a domain) and DKIM (a tamper-evident domain seal attached to a piece of email), to the domain in the From: header that the recipient actually sees. A message passes DMARC if at least one of the two checks passes and the domain it authenticated is aligned with the From: domain (exactly, or sharing the organizational domain, depending on the adkim= and aspf= tags); the record's p= tag (none, quarantine or reject) tells receivers what to do otherwise, and the rua=/ruf= tags say where to send aggregate and failure reports.
If not already deployed, start with a DMARC record at p=none for your domain: it changes nothing about delivery, but the reports it produces let you find and fix SPF and DKIM gaps before moving to quarantine and then reject.
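The alignment rule described above, worked through as an added example (Python, not code from the original page). It takes the SPF and DKIM results a receiver already has, looks up the From: domain's DMARC record (falling back to the organizational domain's record and its sp= policy for subdomains) and returns the verdict and disposition. The zone and the message scenarios are constructed, and org_domain() is a simplification that takes the last two labels where real DMARC uses the Public Suffix List.

```python
# Constructed DMARC zone (hypothetical domain and reporting address).
DMARC_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict, filling in the defaults RFC 7489 specifies."""
    tags = {}
    for item in txt.split(";"):
        if item.strip():
            k, _, v = item.partition("=")
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: last two labels; real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def find_policy(from_domain, zone=DMARC_ZONE):
    """Look up _dmarc.<From domain>; for a subdomain without its own record, use the org domain's sp=."""
    from_domain = from_domain.lower()
    txt = zone.get(f"_dmarc.{from_domain}")
    if txt:
        rec = parse_dmarc(txt)
        return rec, rec["p"]
    org = org_domain(from_domain)
    txt = zone.get(f"_dmarc.{org}")
    if txt and org != from_domain:
        rec = parse_dmarc(txt)
        return rec, rec["sp"]
    return None, None


def evaluate_dmarc(from_domain, spf, dkim, zone=DMARC_ZONE):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain). Returns the DMARC verdict."""
    rec, policy = find_policy(from_domain, zone)
    if rec is None:
        return {"dmarc": "none", "disposition": "none", "spf_aligned": False, "dkim_aligned": False}
    spf_result, spf_domain = spf
    # Each identifier only counts if its own check passed AND its domain aligns with the From: domain.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, rec["adkim"]) for r, d in dkim)
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # A spoof: the attacker's own SPF and DKIM both pass, but for attacker.example, not for the From: domain.
    print(evaluate_dmarc("example.com", ("pass", "attacker.example"), [("pass", "attacker.example")]))
    # A legitimately forwarded message: SPF breaks at the forwarder, the DKIM signature still aligns.
    print(evaluate_dmarc("example.com", ("fail", "bounce.example.com"), [("pass", "example.com")]))
```

The spoof case is the whole point of alignment: an attacker can always publish SPF and DKIM for a domain they control, so a bare "SPF pass" says nothing about the From: header until DMARC ties the two domains together.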
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a widely adopted standard for sending digitally signed and encrypted messages.
The protocol leverages two key components:
digital signature;
encryption.
If Bob wishes to use S/MIME, he needs an X.509 digital certificate. This certificate contains his public key; the matching private key stays only with Bob.
With this certificate in place, Bob signs the email message with his private key and attaches the certificate to the signed message.
Mary verifies Bob's signature with the public key from his certificate (a signature is verified with the public key, never decrypted with it). To send Bob an encrypted message, Mary encrypts it to the public key in his certificate, and only Bob's private key can decrypt it.
Mary does the same (sends her certificate to Bob) when she replies to his email, and Bob completes the same verification on his end.
Both now have each other's certificates for future correspondence: each can verify the other's signatures and encrypt messages to the other.
Using digital signatures, S/MIME provides data integrity and non-repudiation; using encryption, it provides confidentiality.
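The Bob and Mary exchange above, reduced to the key operations it relies on, as an added example in Python (not from the original page). It needs the third-party cryptography package. Each party gets a self-signed certificate carrying an e-mail address in the subjectAltName, which stands in for a CA-issued S/MIME certificate; the signing and encryption calls are the RSA primitives (RSASSA-PKCS1-v1_5 with SHA-256 and RSA-OAEP), not a full CMS/S/MIME envelope, so the short reply is encrypted directly where real S/MIME would encrypt a random AES content key this way and the body under AES. Names and messages are constructed.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_identity(email):
    """Generate a private key and a self-signed certificate holding the public key and the e-mail address."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, email)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)  # self-signed for the example; a CA issues real S/MIME certs
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def cert_emails(cert):
    """E-mail addresses the certificate was issued for (subjectAltName rfc822Name entries)."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return san.get_values_for_type(x509.RFC822Name)


def sign(private_key, message):
    """The sender signs with the PRIVATE key (RSASSA-PKCS1-v1_5 with SHA-256, as S/MIME commonly uses)."""
    return private_key.sign(message, padding.PKCS1v15(), hashes.SHA256())


def verify(sender_cert, sender_email, message, signature):
    """The recipient verifies with the PUBLIC key in the sender's certificate and checks it names the From: address."""
    if sender_email not in cert_emails(sender_cert):
        return False  # valid signature from the wrong certificate is still a failed check
    try:
        sender_cert.public_key().verify(signature, message, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def encrypt_to(recipient_cert, plaintext):
    """Encrypt to the recipient's PUBLIC key; only the matching private key can open it."""
    return recipient_cert.public_key().encrypt(plaintext, OAEP)


def decrypt(private_key, ciphertext):
    return private_key.decrypt(ciphertext, OAEP)


def exchange():
    """Bob signs to Mary, Mary verifies, then encrypts a reply that only Bob can read."""
    bob_key, bob_cert = make_identity("bob@example.com")
    mary_key, mary_cert = make_identity("mary@example.com")
    msg = b"Hi Mary, here is the signed contract."
    sig = sign(bob_key, msg)
    results = {
        "mary_verifies_bob": verify(bob_cert, "bob@example.com", msg, sig),
        "tampered_fails": verify(bob_cert, "bob@example.com", msg + b"!", sig),
        "wrong_cert_fails": verify(mary_cert, "bob@example.com", msg, sig),
    }
    reply = b"Thanks Bob, countersigned and attached."
    ciphertext = encrypt_to(bob_cert, reply)  # Mary uses the public key from Bob's certificate
    results["bob_decrypts"] = decrypt(bob_key, ciphertext) == reply
    try:
        decrypt(mary_key, ciphertext)  # Mary's own private key cannot open mail encrypted to Bob
        results["mary_cannot_decrypt"] = False
    except ValueError:
        results["mary_cannot_decrypt"] = True
    return results


if __name__ == "__main__":
    print(exchange())
```

The two properties the text names come out of two different keys: integrity and non-repudiation come from Bob's private key being the only thing that can produce a signature his certificate verifies, and confidentiality from Bob's private key being the only thing that can decrypt what was encrypted to his certificate.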
Identify SPF from a domain: Insert the domain to be checked in
DMARC domain checker Insert the domain in