Click the comments link on any story to see comments or add your own.
Subscribe to this blog
05 Sep 2016
A friend (really) asked for advice about what to say about mail authorization to people setting up new mail systems, particularly in parts of the world where networks are relatively new and staff less experienced.
The first question is are you a phish target? There's two parts to this question.
One is whether you (the mail system operator) manage all of the systems through which your users send mail. More often than you might think, the answer is no if your users use a webmail account like Gmail to pick up their mail and respond to it, or they send mail to e-mail discussion lists. The other question is whether bad guys can make significant money by impersonating your users. If you're a bank, the answer is probably yes. If you're some other kind of business or a school or a public mail provider, the answer is no. (We're skipping over spear phishing here, since this is a cheat sheet.) If the answer to both questions is yes, congratulations, you're a phish target. If the answer to the first question is no or you're not sure, see the discussion about DMARC statistics.
SPF lets you tell the world from what IP addresses you expect your mail to be sent. Everyone should publish SPF records, because it's really easy and requires no changes to your mail software, just a few new DNS records. If you are not a phish target, your SPF should not contain "-all".
Signing with DKIM
DKIM lets you add digital signatures to your mail, which say that you take responsibility for the mail. (That's not the same as saying it's from you, since you can and should often sign mail that you're forwarding along.)
DKIM is somewhat more work than SPF. You have to configure your mail server to add the signatures, and you have to publish matching verification keys in the DNS. These days, every mail server either has DKIM signatures included or as a plug-in. It requires some skill to create the signing keys, configure them properly, and change the keys once or twice a year, but that's a skill that every mail manager should learn. Hence everone should sign their mail, too, although it may take longer to get there than it does with SPF.
DMARC has two separate pieces. One part asks people to send you statistics about mail that appears to be from you (that is, has your domain on the From: line.) This doesn't affect how your mail is delivered or filtered, but can tell you some interesting things such as whether you have a department sending mail through a server they never told you about. The reports are blobs of XML coded data that are not easy for people to read, but I give away some scripts that you can run on your mail server to put the interesting parts in a database so you can look at them later. This requires that you run a database like MySQL for the data, but again, that's a skill that system managers should have. Alternatively, a company called Dmarcian will do the report collection and analysis for a fee.
If you were wondering above about whether you control all your users' outgoing mail, the DMARC statistics will let you find the answer.
The other piece of DMARC lets you claim that all of your mail is authenticated with SPF or DKIM. You can advise recipients that anything unauthenticated should go into the spam folder, or be rejected. If you are not a phish target do not do this because it will lose legitimate mail (SPF fails on any mail that is forwarded on the way to the recipient, for example), and will provide no benefit to you. If you are a phish target, you're sure you know where your users send mail from, and you're prepared to have some of your users' real mail disappear into the void, only then might you consider it.
All of the usual spam filters such as spamassassin already look at SPF and DKIM on incoming mail, so you're probably using them already to filter your incoming mail. When you start publishing SPF and DKIM, other people's spam filters will use them automatically.
So in short:
comments... (Jump to the end to add your own comment)
Add your comment...
Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.
My other sites
© 2005-2014 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.