Dualog Business Mail - Mitigation on Email Spoofing

INTRODUCTION

The purpose of this article is to provide general information on the anti-spoofing technologies SPF, DKIM, and DMARC. 

If you wish to enable SPF, DKIM, and DMARC for your vessels' domain(s) through Dualog, please refer to the following:

GENERAL INFORMATION

Email spoofing is a technique that can be used by a malicious entity to impersonate the sender of an email, thereby allowing the malicious entity to send emails that can be indistinguishable from emails sent by the “real” account owner.

To deal with this issue, the following methods have been created that can, when implemented in tandem, prevent or mitigate email spoofing from your vessels' domain(s).

We strongly recommend configuring all of these methods together. Configuring only some of them can lead to unintended behavior, can cause outgoing emails from your domain to be falsely identified as spoofed emails, and will mean that your domain can be used for email spoofing.

SPF

SPF allows the owner of a domain to specify which IP addresses can send emails on behalf of the domain.
With SPF, when an email is received, the recipient mail server will check the SPF record for the indicated domain:

-if there is a valid SPF record for the domain that includes the origin IP address of the email in question, then the SPF check will be passed.
-otherwise, the SPF check will fail, and the email may be rejected or marked as spam.

SPF is subject to certain limitations. In particular, because SPF uses the MFrom/Return-Path field rather than the regular From field, the protection it provides can be circumvented by modifying only the From field, which is what is generally displayed to the recipient. In addition, SPF configured alone can cause issues with certain forwarded emails.

Configuration

SPF records are configured and stored as DNS TXT records.

Some examples of SPF records are:

v=spf1 ip4:192.168.12.0/24 ~all
v=spf1 ip4:192.168.0.5 ip4:192.168.0.105 include:mydomain.com -all
v=spf1 mx include:_spf.dualog.com -all
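The following added example (not Dualog's code) shows how a receiving server reads such a record: terms are evaluated left to right and the first match decides the result. The function name check_spf, the "needs-dns" marker and the sender addresses in the comments are assumptions made for this illustration; mechanisms that require a DNS lookup (mx, include) are reported rather than resolved so the example runs offline.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208). No prefix means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all terms of one SPF record against sender_ip.

    Returns an SPF result, or "needs-dns" (an example-only marker) when a
    term such as mx or include would have to be resolved before deciding.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":                    # always matches: final verdict
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"           # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "needs-dns"               # mx, a, include, exists, redirect=
    return "neutral"                         # nothing matched and no "all" term

# The three example records from this article, with constructed sender IPs.
REC1 = "v=spf1 ip4:192.168.12.0/24 ~all"
REC2 = "v=spf1 ip4:192.168.0.5 ip4:192.168.0.105 include:mydomain.com -all"
REC3 = "v=spf1 mx include:_spf.dualog.com -all"

if __name__ == "__main__":
    for rec, ip in [(REC1, "192.168.12.77"), (REC1, "192.168.13.1"),
                    (REC2, "192.168.0.105"), (REC2, "10.0.0.1"),
                    (REC3, "10.0.0.1")]:
        print(f"{ip:15} {check_spf(rec, ip):10} {rec}")
```

Note the difference between the endings: with ~all an unlisted sender gets softfail, while -all gives a hard fail once every earlier term has been evaluated.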

For an in-depth explanation of what the various SPF fields mean, we advise looking at the following resource: https://dmarcian.com/spf-syntax-table/

If you are uncertain what SPF records you should implement for your requirements, please reach out to us at support@dualog.com.

DKIM

DKIM works using cryptography - a public key is added to the DNS record for the sending email server, while a corresponding private key is used to sign outgoing messages.

In this manner, DKIM can assist not only in authenticating the sender’s identity but also in verifying that the message itself has not been altered in transit.

With DKIM, when an email is received, the recipient mail server will check the DKIM public key for the indicated domain:

-if there is a valid DKIM public key for the domain that corresponds to the private key used to sign the email in question, then the DKIM check will be passed.
-otherwise, the DKIM check will fail, and the email may be rejected or marked as spam.

Configuration

To configure DKIM on outgoing emails, please add the following CNAME records to your DNS server, replacing [domain.com] and [domain-com] as appropriate:

dualog1._domainkey.[domain.com] > s1-[domain-com].dualogmail.com
dualog2._domainkey.[domain.com] > s2-[domain-com].dualogmail.com

Both lines are required, as this allows Dualog to perform key rotation.

Do note that the > may not feature in your domain management solution; the CNAME records need to point from dualog1._domainkey.[domain.com] to s1-[domain-com].dualogmail.com and from dualog2._domainkey.[domain.com] to s2-[domain-com].dualogmail.com.

DMARC

DMARC works with and extends SPF and DKIM. This means that, if you want to implement DMARC, you need to have configured SPF and DKIM.

With DMARC, when an email is received, the recipient mail server will check the DMARC record for the indicated domain. It will then perform the following functions:

-perform an SPF check, while ensuring that the MFrom/Return-Path field matches the regular From field
-perform a DKIM check
-DMARC incorporates a policy for what occurs if one or more of the above checks fail. Policy options include: none (message delivered as normal, only report), quarantine (mark the message as spam, or place in the junk folder), and reject (message will not go to the recipient)
-DMARC can also provide reporting – which is useful to see if a domain is sending a lot of spoofing traffic to your domain or to identify legitimate emails sent from domains that have not implemented SPF/DKIM, which were thereby identified as potential spoofed emails.

Configuration

DMARC records are configured and stored as DNS TXT records.

An example of a DMARC record is:

v=DMARC1; p=quarantine; rua=mailto:[email]

The TXT record should be named: _dmarc.[domain.com] - replacing [domain.com] as appropriate.

The key fields are:
p - this indicates the policy - none, quarantine, reject
rua - this indicates where the aggregated reports are sent
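As an added illustration (not Dualog's code), the sketch below shows how a receiver combines the SPF and DKIM results with the From field and the p policy. It follows RFC 7489, where a message passes DMARC when SPF or DKIM passes for a domain that matches the From domain. The Message class, the function names, and the vessel.example and attacker.example domains are assumptions constructed for the example; domains are compared by exact match (strict alignment), because the default relaxed mode needs the Public Suffix List.

```python
from dataclasses import dataclass

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag -> value pairs and validate v and p."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("missing or unknown p= policy")
    return tags

@dataclass
class Message:          # what the receiver knows after its SPF and DKIM checks
    from_domain: str    # domain of the From field shown to the recipient
    mfrom_domain: str   # domain of the MFrom/Return-Path field
    spf_pass: bool      # SPF result for mfrom_domain
    dkim_domain: str    # domain that signed the message ("" if unsigned)
    dkim_pass: bool     # DKIM signature verified

def aligned(domain: str, from_domain: str) -> bool:
    """Strict alignment: the authenticated domain equals the From domain."""
    return bool(domain) and domain.lower().rstrip(".") == from_domain.lower().rstrip(".")

def dmarc_disposition(msg: Message, record: str) -> str:
    policy = parse_dmarc(record)["p"].lower()
    spf_ok = msg.spf_pass and aligned(msg.mfrom_domain, msg.from_domain)
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain)
    if spf_ok or dkim_ok:                  # one aligned pass is sufficient
        return "deliver"
    return {"none": "deliver-and-report",  # p=none only reports
            "quarantine": "quarantine", "reject": "reject"}[policy]

PAGE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:[email]"  # record shown above

# Constructed messages. SPOOFED passes SPF for the sender's own Return-Path
# domain while showing vessel.example in From, the SPF limitation noted earlier.
LEGIT = Message("vessel.example", "vessel.example", True, "vessel.example", True)
SPOOFED = Message("vessel.example", "attacker.example", True, "", False)
FORWARDED = Message("vessel.example", "vessel.example", False, "vessel.example", True)

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spoofed", SPOOFED), ("forwarded", FORWARDED)]:
        print(name, "->", dmarc_disposition(msg, PAGE_RECORD))
```

The forwarded message fails SPF because it arrives from the forwarder's IP address, yet it is still delivered on the strength of its DKIM signature, which is one reason to configure the methods together.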

 

For further assistance or clarifications, please reach out to Dualog Support.

 
