Categories
Uncategorized

Gmail embraces BIMI to authenticate emails with verified logos

Image Source: Google Cloud Blog

Google, in their recent security blog has confirmed that they are all set to take their email security to next level by rolling out Gmail’s general support of BIMI, an industry standard that aims to drive adoption of strong sender authentication for the entire email ecosystem.

Almost an year after they first announcing the adoption Brand Indicators for Message Identification (BIMI) pilot , this roll out is going to be next big step in email security. BIMI provides email recipients and email security systems increased confidence in the source of emails, and enables senders to provide their audience with a more immersive experience by displaying the Brand logos as an icon next to email senders’ names, on every email they send.

GIF Source: Google Cloud Blog

BIMI facilitates advantages to the entire email ecosystem. By requiring strong authentication, both users and email security systems can improve trust in the source of emails, and senders will be able to boost their brand trust and provide an enhanced immersive experience to their customers.

GIF Source: Google Cloud Blog

With Google announcing their BIMI support, the community has got even bigger with other industry leading mail service providers like Yahoo(Verizon Media), Fastmail and now Google.

According to the standard to adopt BIMI for a mail domain, it must first be secured by DMARC in Quarantine/Reject policy.  This would ensure the logo are not being displayed on any unauthenticated email.

How does DMARC help?

To explain in short, DMARC – developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and additionally has a mechanism that sends the domain owner a report whenever an email fails DMARC validation. This means the domain owner is notified whenever an email sent by an unauthorized third party.

Every new invention brings its new challenges. Every new challenge pushes us to find a new way to overcome it. DMARC has been around for some years now, still phishing has existed for much longer. As new organizations are born each day, email security is important and plays a vital role in every organization and there should be necessary actions taken to make sure there is no security breach. It becomes the responsibility of every business to protect themselves, their clientsb and employeesb sensitive personal information.

At ProDMARC, we’re here to help you meet this new challenge with ease.! ProDMARC as a product built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated.

Summarizing, ProDMARC helps improve customer and third party trust in email communications.

Considering the economy being in slump, ProDMARC announces a limited-time offer during the ongoing pandemic – 15 days of DMARC health assessment report, completely free for all organizations who wish to gain visibility of the mail based phishing threats which are at an all-time high.

Sign up for your 15 day ProDMARC trial by writing to us on info@progist.net.

Click to check your BIMI Status, DMARC Record, SPF Record, DKIM Record

Categories
Uncategorized

Why Are My Emails Going To Spam, And How To Fix It?

Are you frustrated with your emails going to spam? If the answer is yes, then you must check out this article. Here you will explore six ways that can help you to fix the problem. So, keep reading.  

If email is the main communication channel for your business, then email going to spam can make you yell at your computer. We can understand how irritating it can be to send an email, and not have the recipient open it since accessing the spam box is not a daily habit. 

Before exploring the solution to this issue, we need to identify the problems.

Why are my emails going to spam?

According to Statista, half of all emails are spam. Email is a robust platform for communication for every person. And email spam is a serious concern that we face today. Email spam is rising as a severe problem on the internet today. Almost every email service provider has implemented some controls to solve the problem of Spam.

The email filters are designed so that users don’t have to remove the spam message manually. There can be many reasons behind your email going to spam. Here is the reason behind spam issues-

1. You haven’t set up proper authentications 

One of the biggest reasons behind email going to spam is failure to comply with email sender authentication standards. There are three major email sender authentication standards namely DMARC, DKIM, and SPF. To ensure the mails are appropriately delivered in Inbox, you should ensure the email comply with the authentication standards. 

2. Your IP address was used for sending spam emails

These issues are mostly seen among businesses. If you have taken your IP address from an internet service provider, then the possibility of your IP address being used for sending spam by older users in the past may be quite high. 

3. Subject lines that can be misleading to recipients

Email providers like Gmail use spam channels to attempt to keep spam out of inboxes. One technique is to filter the email by its subject line. Assuming the spam channel sees too many spammy words, your email may be singled out as spam and get sent to the spam or junk folder.

Some of the examples of spam words are-

  • Free Gifts 
  • Click here
  • As seen on 
  • Dear friends 
  • Information you requested 
  • Save Big 
  • Cash

4. The number of inactive email addresses on your list is too many

Over the long run, a portion of the email addresses on your database may get latent. Notwithstanding, if this happens, your email list can be loaded with inert clients. In that case, your email will remain unopened in large numbers, which can cause email channels to label it as spam.

How Can You Fix Your Email Spam Problem?

Now that you know about the reason that is causing the problem let us look at how you can solve the problem. 

1. Set up proper authentications 

Recently, spam channels are putting more weight on sender notoriety instead of simply the substance of your messages. The content of your email matters; however, somebody with an authentic email address could pull off some spam-contiguous content that a sender with an inauthentic email domain standing can’t. The ideal approach to improve your credibility is to ensure you’re appropriately checking your messages with authentication tests like DKIM and SPF. In terms of authentication, applying these DMARC checks is the best way to securely validate your emails.

If you’re utilizing free email providers like Gmail, you don’t have to stress over this. This possibly applies if you’re using a custom email address. You can set up these validation tests by adding TXT records in your organization’s DNS server for the executives. You can get the DMARC record that you need from your email provider. 

2. Follow email configuration/same accepted procedures when sending messages

Once you have completed DMARC implementation, you are one step closer to avoiding the spam folder. You should also follow the following points:

  • Don’t use any abusive/obscene images 
  • Try to ignore spam copy
  • Avoid unnecessary attachments 

Final Thoughts 

We’ve already established that there can be various reasons for email spam issues. The best solution to this problem is proper authentication. If you are opting for DMARC authentication, you should follow its DMARC policy.  If you fail to complete valid authentications, you will stand as a malicious sender in front of the email spam filter. 
ProGIST believes in protecting both you and your clients’ email rights and privacy. ProDMARC helps you implement email authentication with DMARC to stop fraudsters from misusing your domain. Get Started with top-class cybersecurity solutions for your business at ProGIST.

Categories
Uncategorized

How to setup DMARC in 3 easy steps

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a method of ensuring the authenticity of an email sent from a specific domain.

Regrettably, this critical email security feature is not enabled by default for every domain, web host, or email server. Organizations and email administrators must establish and set up policies for DMARC.

We’ll go over how to set up a simple DMARC configuration on your own domain in this blog. The process includes 3 simple steps to optimally configure your email server to send signed emails.

Step 1. Generate a DMARC record

A DMARC record is a short snippet of code that is published to the DNS to tell the mailbox service provider how to handle an incoming email that fails authentication, based on the results of the SPF and DKIM checks.

DMARC records are text (TXT) resource records (RR) that are published in the DNS and tell an email receiver what to do with non-aligned emails it receives.

Consider an example DMARC record for the domain “sender.exampledomain.com” that reads: v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@exampledomain.com

Log in to the DMARC dashboard to create a DMARC record for your secured company domain. Then navigate to DNS Records -> Publish DMARC Record and copy the excerpt displayed in orange on the page. 

For the test domain DMARC site, here’s a sample DMARC entry:

v=DMARC1; p=quarantine; rua=mailto:reports@dmarc.site; ruf=mailto:reports@dmarc.site; adkim=r; aspf=r; rf=afrf

  • For email whose breaches policies should be handled, the “p” option provides three options: none, quarantine, or reject.
  • The adkim and aspf parameters specify how stringent the DKIM and SPF policies should be implemented, with ‘s’ denoting strict and ‘r’ denoting relaxed.
  • The RUA provides an address for aggregate data reports, while the RUF provides an address for forensic reports

Step 2. Publish the DMARC record to DNS

Now that you have the DMARC record, publish it to the DNS so that email service providers can use it to run DMARC checks.

To do so, go to your DNS management interface and choose the domain for which you want to publish the DMARC record, such as mydomain.com.

Create a TXT entry with the following settings on mydomain.com:

Type: TXT

Host: _dmarc

TXT Value: (DMARC record generated above)

TTL: 1 hour

For instance, here is how it appears in GoDaddy’s DNS administration console:

It can take up to an hour for the DMARC record to become accessible after it has been published (usually much faster). You can then use the DMARC Checker tool to double-check if it was correctly published.

Step 3. Analyze aggregate reports

Every day, many email service providers send out aggregate reports. This means you might get aggregate reports the day the DMARC record is published.

However, your first aggregate reports could take up to 72 hours to come. Once you get the information, you must utilize it to correct your email streams.

Conclusion

Large enterprises have been able to reduce phishing-based brand impersonations to near nil utilizing automated DMARC implementation tools like ProDMARC
This not only protects the brand’s reputation and the effectiveness of revenue-generating email campaigns, but it also protects employees, customers, partners, and the general public from expensive email frauds. Get in touch with us to discover our email authentication solutions.

Categories
Uncategorized

What is DMARC evaluation?

DMARC (Domain-based Message Authentication Reporting and Conformance) is an email validation system that prevents your company’s email domain from being exploited for email spoofing, phishing scams, and other forms of cybercrime. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are two current email authentication systems that DMARC uses.

When a domain owner adds a DMARC record to their DNS record, they will be able to see who is sending email on their behalf. This data can be utilized to obtain more specific information about the email channel. A domain owner can get control over emails sent on his behalf using this information. DMARC can be used to defend your domains from phishing and spoofing attacks.

What is a DMARC record?

A DMARC record is stored in the DNS database of a company. A DMARC record is a properly structured DNS TXT record with a specific name, such as “_dmarc.mydomain.com” (note the leading underscore). The following is an example of a DMARC record:

dmarc.mydomain.com. IN TXT “v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.com\; ruf=mailto:dmarc-afrf@mydomain.com\; pct=100”

Reading left-to-right in plain English, this record says:

v=DMARC1 specifies the DMARC version

p=none specifies the preferred treatment, or DMARC policy

rua=mailto:dmarc-aggregate@mydomain.com is the mailbox to which aggregate reports should be sent

ruf=mailto:dmarc-afrf@mydomain.com is the mailbox to which forensic reports should be sent

pct=100 is the percentage of mail to which the domain owner would like to have its policy applied

DMARC record check

A genuine DMARC record must be published before DMARC implementation. We offer a free tool called DMARC Record Check that displays the DMARC record, tests it, and verifies that it is genuine. The DMARC Record Check tool is both free and simple to use. To do a DMARC check, simply input the domain name.

After that, the DMARC Record Check parses the DMARC record and displays it along with other information.

To test and lookup the DMARC record, use the DMARC Record Check. Then assess each potential alternative as well as the ones that have been implemented. If there are any external domains in use, DMARC Record Check will verify and test them.

Results of a DMARC Check

A DMARC test performed with DMARC Record Check will test and declare the following tags.

v-Version of the DMARC protocol. 

p-This policy should be used for emails that fail the DMARC check. It might be “none,” “quarantine,” or “reject.” To gather the DMARC report and acquire insight into the current email flows and their state, the value “none” is utilized.

rua- A list of URIs for ISPs to send XML feedback to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form “mailto:test@example.com”.

ruf- ISPs can transmit forensic information to a list of URIs. Please note that this is not an email address list. A list of URIs in the format “mailto:test@example.org” is required by DMARC.

rf- Forensic reports are written in this format. This might be “afrf” or “iodef.”

pct- The percentage tag tells ISPs that the DMARC policy should only be applied to a certain percentage of failed emails. “pct=50” instructs receivers to use the “p=” policy only 50% of the time when dealing with emails that fail the DMARC check. NOTE: This will only work with the “quarantine” or “reject” policies, not the “none” policy.

adkim- The “Alignment Mode” for DKIM signatures can be “r” (Relaxed) or “s” (Strict) (Strict). Authenticated DKIM signature domains (d=) that share an Organizational Domain with an email’s “From” domain will pass the DMARC check in Relaxed mode. Strict mode necessitates a precise match.

aspf- SPF’s “Alignment Mode,” which can be either “r” (Relaxed) or “s” (Strict) (Strict). The DMARC check will pass in Relaxed mode for authenticated SPF domains that share an Organizational Domain with the email ‘From’ domain. A precise match is necessary in Strict mode.

sp- If a sub-domain of this domain fails the DMARC check, this policy should be enforced. Using this tag domain owners can publish a “wildcard” policy for all subdomains.

fo- Options for forensics. Allowable values: “0” to generate reports if both DKIM and SPF fail, “1” to generate reports if either DKIM or SPF fails to deliver a DMARC pass result, “d” to generate reports if DKIM failed, and “s” to generate reports if SPF failed.

ri- When the aggregate XML reports are sent, this is the reporting interval. This is a personal preference, and ISPs may (and very certainly will) transmit the report at different times (normally this will be daily).

What does DMARC compliance mean?

An organization can pass the DMARC check and become DMARC compliant by authenticating email channels with DKIM and/or SPF. DKIM and/or SPF must be aligned to become DMARC compliant. Only DKIM or SPF must be configured to be DMARC compliant.

User-friendly DMARC analyzing software 

ProDMARC is a user-friendly DMARC analyzing software that acts as your professional guide to help you move as quickly as possible to a reject policy. ProDMARC is a SaaS product that enables organizations to manage complex DMARC deployments with ease. Across all email channels, the system provides 360-degree visibility and governance.

Categories
Uncategorized

How to Publish a DMARC Record

A DMARC record is part of your Domain Name System (DNS) record, which is responsible for routing Internet traffic. Additional information, such as your domain’s DMARC record—a text entry within the DNS record that informs the world about your email domain’s policy based on the specified SPF and DKIM protocols—can be included in the DNS.

Set up a DMARC record for each domain you want to monitor before you can start generating and visualizing DMARC data. You can use our DMARC generator if you need help setting up your DMARC record.

Prerequisites Before creating DMARC record

Before creating DMARC records it’s a good idea to test DKIM and SPF. 

  • Creating an SPF record
  • Creating a DKIM record

Create the record

DMARC is a system which allows email recipients to make better decisions depending on the reputation of the sender domain. It provides a platform for the sending side to publish policies to improve spam and phishing efficacy, essentially developing domain reputations. This aids in the provision of recommendations for dealing with messages that do not conform to the policies provided by the sender domain.

DMARC is aimed at:

  • Reducing false negatives
  • Providing authentication reports
  • Applying sender policies at the receiving end
  • Reducing phishing
  • Being scalable

An SPF and DKIM record must be published on the transmitting domain before DMARC may be used. You can configure DMARC by adding policies to your domain’s TXT records once the SPF and DKIM records are in place (the same way in which you published your SPF and DKIM records). Your TXT record name should read something similar to “_dmarc.your_domain.com.” Please replace the “your_domain.com” with your own domain.

Since DMARC policies are published as TXT records, they specify what an email recipient should do when it receives non-aligned messages.

When establishing a TXT record, the name of a DMARC record is “_dmarc,” which generates a TXT record like _dmarc.mydomain.com or _dmarc.mydomain.net.

Example:

“v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com” 

In this scenario, the sender defines the policy as such that the receiver outright rejects all non-aligned messages and sends a report about the rejections to a specific email address. If the sender were to use the “quarantine” setting in the policy, it would look like:

“v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@dmarcdomain.com”

and would request the action to quarantine on the receiving end of the message. In the next example, if a message claims to be from your domain.com and fails DMARC, no action is taken. Instead, these messages will then show up in your daily aggregate report sent to

“v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com”

Here is a sample where the message fails DMARC, then quarantines it 5% of the time.

“v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com”

In this sample, the policy is set to reject the message 100% of the time and send the daily report to the specified address of dmarc@your_domain.com.

“v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com”

DMARC Implementation

Since the DMARC configuration recognizes that scaling out the deployment all at once can be difficult for certain organisations, there are some built-in methods for “throttling” the DMARC processing so that complete deployment can be achieved in stages over time.

The first step is to keep an eye on your traffic and reports. Assess the vulnerabilities (where messages are sent without being digitally signed or from invalid source IP addresses) and use SPF and DKIM records to address them.

As you become more comfortable with the findings from your regular aggregate reports, you will adjust the action on your policies to start quarantining. You can do this by using DMARC to change your TXT record to use the “quarantine” action. Monitor your daily reports.

Once you’ve been tracking your traffic and regular reports for a while and are certain that the sources seen sending traffic on behalf of your domain are all digitally signed, you can proceed to the next phase, which is modifying the policy to use the “reject” tag to completely deploy DMARC. Monitoring the files and spamfeed is an important component of maintenance.

It is also worth noting that the pct tag, which is optional, can be used to sample your DMARC implementation in increments. Since 100% is the norm, setting “pct=20” in your DMARC TXT record causes one-fifth of all messages affected by the policy to receive the disposition rather than all of them. When you want to quarantine and reject mail, this setting is particularly useful. Start with a lower percent to begin with and increase it every few days.

A conservative deployment cycle would resemble:

  1. Monitor all.
  2. Quarantine 1%.
  3. Quarantine 5%.
  4. Quarantine 10%.
  5. Quarantine 25%.
  6. Quarantine 50%.
  7. Quarantine all.
  8. Reject 1%.
  9. Reject 5%.
  10. Reject 10%.
  11. Reject 25%.
  12. Reject 50%.
  13. Reject all.

Delete the percentages from your policies when you are about to finish the DMARC deployment so that the full action of “quarantine” and “reject” is now working at 100%. 

Conclusion

After you have published DMARC records, DMARC data will start to be created in the form of reports within a day or two, giving you insights into how your domains handle email. These reports are based on XML and might be difficult to read and comprehend for humans.

If you receive a lot of reports, you will quickly realize that manually posting them every day is not feasible. ProDMARC specializes in processing these reports and determining the measures that must be taken in order for DMARC to be distributed more simply throughout an organization. If you have not started your DMARC project yet, we encourage you to get in touch with our experts at ProDMARC for better guidance.
ProDMARC helps you implement email authentication with DMARC to stop fraudsters from misusing your domain. Get Started with top-class cybersecurity solutions for your business at ProgIST.

Categories
Uncategorized

SPF, DKIM and DMARC: Are they mere acronyms or Useful Email Security?

Since the early days of the internet, spam has been a persistent and chronic problem. Gary Thuerk of Digital Equipment Corp (DEC) sent the first unsolicited mass e-mailing (later dubbed SPAM) on May 1, 1978, advertising the VAX T-series to 400 of the then 2600 ARPAnet users.

The SMTP email protocol, which we still use today, evolved from these early ARPANET mail protocols (Postel RFC788 and RFC821) in the early 1980s, and has changed very little since then. The SMTP protocol has had little to no security built in since its introduction, and when used to send email, it offers little defense against spoofing of email addresses or servers. However, several new tools have recently been added to the email security arsenal to protect against these threats.

SPF, DKIM, and DMARC are all similar features for detecting spoofed or spam emails, but they vary slightly.

SPF (RFC 7208)

SPF (Sender Policy Framework) specifies a list of servers that are permitted to send email for a particular domain using a DNS entry. Its security is based on the fact that only authorized domain administrators have access to the DNS zone records for the domain.

DKIM  (RFC 6376)

DKIM (DomainKeys Identified Mail) differs from SPF in that it verifies that the receiving server is allowed to send mail for the domain and that the quality of the mail has not changed since it was sent. Using DKIM keys stored in DNS and DKIM uses a public/private key signing mechanism.

The following steps are applied to the email process with DKIM:

  • Sending servers create a signature with their DKIM private key and insert it into the email header (DKIM-Signature).
  • Email recipients look up the DKIM public key in the sending domain’s DNS TXT record, which is then used to verify the DKIM-Signature attached to the email.

If the email body content is modified, the email signature will no longer match and validation will fail.

This process verifies that the email content has not been tampered with, as well as that the email was sent from a domain-approved server.

DMARC  (RFC 7489)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) incorporates elements of both SPF and DKIM by stating a simple DMARC policy that can be used in both tools, as well as allowing the domain administrator to set an address that can be used to submit information about forged mail message statistics gathered by receivers against the same domain, for example:

  • Relative levels of spoofing of your domain(s).
  • Who is spoofing email purporting to be from your domain?

Does that mean your spam problem is resolved?

In an ideal world, all email servers would use these techniques, and SPAM would be significantly reduced. However, since making a mistake in configuring the necessary DNS TXT records can result in the loss of important emails, some domain owners have been hesitant to implement the methods. 

Despite this, major email domain owners such as Google, Microsoft, and Yahoo have implemented these approaches.

SPAM can still be transmitted via compromised accounts and servers, shared hosting email servers, and misconfigured servers, so multilevel email protection is the only way to ensure a clean and safe email feed.

How effective are DMARC, SPF, and DKIM?

These tools will undoubtedly have a significant effect on the fight against SPAM, and the more domains that use them, the better. However, caution should be exercised during DMARC implementation to ensure that all settings are right before going live. SPF, for example, allows you to set the changes in a test mode, which means that recipient domains will not block any mail that fails the test.

Wrapping Up

ProgIST believes in protecting both your and your clients’ email rights and privacy. ProDMARC helps you implement DMARC authentication to stop fraudsters from misusing your domain. Get Started with top-class cybersecurity solutions for your business at ProgIST.

Categories
Uncategorized

How can you block email based impersonation and phishing attacks with DMARC?

It is a well-known fact that in most of the cyber-frauds, the cyber criminals impersonate trusted identities, mainly because the chances of the victim falling for such emails are high. These attacks are commonly called as email spoofing.

Let us look at some quick facts about email spoofing attacks:

  1. Over 70% of fraudulent emails are directly sent from a domain name of the victim organisation.
  2. According to a latest email security risk assessment, there is a surge in email spoofing attacks by over 22% as compared to previous quarter.

These attack types are highly sophisticated and it requires us to take a multi-layered approach to detect and stop such attacks

Types of Impersonation Attacks

The email spoofing attacks most commonly used for targeting the dependent parties of the organisation like their customers, partners and associates. The victims might be able to differentiate such emails from legitimate emails and might fall for such attacks

Another major attack exploiting identity theft is CEO/CFO frauds. Here the employees are tricked to make payments to fraudsters account or share confidential information of the organisation.

Why DMARC?

The only way to protect your dependent parties from falling for such attacks is to protect your mailing domain with Domain-based Message Authentication, Reporting & Conformance (DMARC) security control. It works by prohibiting anybody except expressly approved senders from using an organization’s domain (including internal and third-party mailing systems) to send an email. Additionally, DMARC reports also helps you to identify and appropriately configure all your legitimate email senders and also to visualize the threat targeting the organisation’s domain.

How does ProDMARC help you in DMARC journey?

ProDMARC is built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated. It helps in gaining visibility on your email domain getting used on your behalf by third parties. It’s important to gain visibility of unauthorized emails which might be getting sent from your brand; ensures that emails do not get blocked due to misconfigurations, making the best use of the customer email communication; generates actionable threat intelligence feeds for your security and transaction monitoring systems helping to block targeted attacks proactively and also helps in identification of lookalike domains for your brand.

To summarize, ProDMARC helps improve customer trust in email communications.

Get in touch with us or schedule your 15-day trial for the most advanced email security solutions.

Categories
Uncategorized

DKIM Records: How To Create and Add Them To Your DNS

What is a DKIM record?

DKIM is an open standard for email authentication that helps protect email senders and recipients from spam, spoofing, and phishing. It allows an organization to claim the responsibility for the message in a way that is validated by the receiver. It is an email security standard designed that makes sure the messages aren’t altered in transit between the sending and receiving servers.

It gives the emails the signature header that is added to the email and secured with a public/private key pair and a certificate. It can act as a watermark for email so that email receivers can verify that the email came from the domain it says it does and hasn’t been tampered with.

Every DKIM signature consists of all the information that is required for an email server to verify whether the signature is real and is encrypted with a pair of DKIM keys. The originating server contains the private key that can be verified by receiving mail or ISP with the other half of the key pair called the public key. The public key exists in the DKIM record in your domain’s DNS as a text file.  

 A DKIM selector is used to connect and decipher these encrypted signatures. The DKIM selector is a string used by the outgoing server to detect the private key to sign the email message and by the receiving server to detect the public key to verify whether the email message is from a trusted source or not. 

Every time a private or public key pair is generated, a tuple { selector, private key, public key } is created, where the selector is used to detect the private key and the public key.

How do I create a DKIM record for a domain?

  1. Create a list of all sending devices and domains

Firstly, you need to create a list of all the sending devices and domains (like marketing campaign platforms or invoice generators also referred to as ESPs) that are authorized to send emails on your behalf. 

  1. Generate public and private keys

You have to generate private and public key pairs using a dedicated tool. The private key stays at the server or service that sends the email and the public key is published by using a DNS text record.

  1. Configure the DNS server with the public key

Now you can create a DKIM TXT record by using the domain, selector, and public key. The record will have the name of the authorized domain attached with the selector prefix.

How to add the DKIM record to your DNS?

DKIM record DNS settings

You can add the DKIM record by publishing your public key to your DNS record as a text (TXT) record. You need to check with your DNS provider to see if they allow more than 255 characters in the input field or not. If they don’t allow you, you may have to increase the size or create the TXT record itself. After that, you have to save the private key to your SMTP server or MTA (mail transfer agent).

How can I test if I set up DKIM correctly?

Once you’ve set up DKIM for an email service, you can send a message to an email address you manage and check the DKIM-Signature and Authentication-Results headers to make sure DKIM passed successfully. You can also use DMARC reports to check that the messages sent using your domain are correctly authenticated with DKIM and SPF. 

Relation between DKIM and DMARC

What is DMARC?

DMARC stands for “Domain based Message Authentication, Reporting, and Conformance.” It is an email authentication, policy, and reporting protocol that is built around both SPF and DKIM. 

You might be wondering why DMARC is necessary, when both DKIM and SPF are already being used. It ensures that when an email is received, the information received in both records matches the “friendly ” domain that the user sees and the form address that is contained in the message’s header.  A DMARC record is created when you have both SPK and DKIM in place. Sometimes many domains don’t have SPF or DKIM set up, so the best way to go about it is through DMARC implementation tools. DMARC setup is similar to that of SPF as it is a simple one-line entry in the domain’s DNS records. It ties the DKIM and SPF protocols with a consistent set of policies. You can conduct a DMARC test to verify whether the record is published correctly or not and check where your DMARC reports are being sent to.

Conclusion

We hope you find this article insightful. You can also hire a DKIM service provider who can make this process easy for you. Since it is a technical process so hiring a service provider will be a better option.ProDMARC assists you in ensuring DMARC implementation with both the company and third-party vendors. ProDMARC, as a product built on a mission to achieve safe and spoofing-free email networks across the entire internet room, allows DMARC reporting, providing volumes and patterns of outbound mails, including phishing campaigns, and yields proof for outbound mails’ reliability in terms of SPF, DKIM, and DMARC compliance. Get Started with top-class cybersecurity solutions for your business at ProgIST. Get in touch with us for the best cybersecurity solutions.

Categories
Uncategorized

What is the DKIM selector and how does it work?

There are 150,465 live websites using DKIM.

But what is DKIM?

DKIM stands for Domain Keys Identified Mail which is an email authentication technique that helps the receiver to check whether the email was sent and authorized by the owner of that domain. It is done by giving the email a digital signature. It is a header added to the 

DKIM

message and is secured with encryption. The DKIM signatures are not visible to end-users and the validation is done on the server level.

What is a DKIM selector?

The DKIM selector is a string used by the outgoing server to detect the private key to sign the email message and by the receiving server to detect the public key to verify whether the email message is from a trusted source or not. 

Every time a private or public key pair is generated, a tuple { selector, private key, public key } is created, where the selector is used to detect the private key and the public key.

How does the DKIM selector work?

DKIM Selector

When the signing server chooses the selector, the server makes use of the selector to find the private key only accessible to the server, to decode the signature. Once the signature is decoded, the DKIM selector is inserted in the email headers as an s= tag, then the email is sent.

Let us understand by the following example:

Let’s consider that the selector chosen by the signing server is s1, the tag will look like s=s1. Further, the selector can be any arbitrarily chosen string like itismyselector1122, as long as it is indicating towards a valid private or public key pair.

Here is a practical example of DKIM signature header

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarcly.com; h=content-transfer-encoding:content-type:from:mime-version:subject: x-feedback-id:to; s=s1; bh=jCC0oQBCKfJ10bCI3PCG52Zwowyeh1haGJPACkWN9F4=; b=GzLBVZ0M1hMt1Y7hVT+ajaNrswTv+/FFVMrcaixD70hpTJwAmNwZUKJIzLslSC+iWHby 9gm+yfx6Z1qnXIL6qgBPnlZD4zwyK4D3Umd1je82jniuD7RJWYDqJH0zL+EevCDdoVZGmT IlxzZB6v95bws6539z/5qee+Xmu5KYe4Y=

Here the DKIM selector used in the DKIM signature is s=s1.

When the email reaches the receiving server, the server automatically looks at the email headers to locate the s= tag. Now if the tag is present then the server will perform the role of extracting the selector from the tag. 

When the public key is found, the server makes use of it to decrypt the message to verify the integrity. If the integrity is verified, the DKIM authentication succeeds otherwise it fails.  

In case no public key is found then the DKIM authentication fails. 

How do I find my DKIM selector?

A DKIM selector is specified when the private or public key pair gets created when it is set up for the email sender, and it can be any random or arbitrary string of text.

The selector is inserted into the DKIM-Signature email header as an s= tag when the email is sent. The easiest way to discover the selector for your domain is by sending an email to yourself. 

When you open the email, view the “original message” of the email. Your focus here is to view the header information, which includes all the DKIM authentication results.

Search the headers for “DKIM-signature” to find if the DKIM signature is applied to the message or not. If there are multiple DKIM-Signature headers, find the one which contains your domain. This DKIM signature contains an attribute “s=” which is the selector used. 

Relationship between DKIM and DMARC

DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance.” It is an email authentication, policy, and reporting protocol that is built around both SPF and DKIM. 

Now you might be wondering when DMARC uses both DKIM and SPF then why it is necessary. It ensures that when an email is received, the information received in both records matches the “friendly form” domain that the user actually sees and the form address that is contained in the message’s header.  A DMARC record is created when you have both SPK and DKIM in place. Sometimes many domains don’t have SPF or DKIM set up, so the best way to go about it is through DMARC implementation tools. DMARC setup is similar to that of SPF as it is a simple one-line entry in the domain’s DNS records. It ties the DKIM and SPF protocols with a consistent set of policies.

Now, why do we need to use SPF, DKIM, and DMARC together?

The combination of these security protocols helps to combat the issue of Spam and Spear Phishing. Many networks are compromised because of these issues so the IT managers are looking for a better solution. Along with the increased rise in ransomware which often is preceded by spear-phishing emails, the enterprises are getting motivated towards protecting their email infrastructure.

Each of the elements- SPF, DKIM, and DMARC solves a somewhat different piece of the email puzzle to prevent phishing emails and spam. This is accomplished through a combination of standard authentication and encryption tools such as public and private key signing, and adding special DNS records to authenticate email coming from your domains.

Also, there has been significant evolution in the internet’s email protocols. Now emails are used by everyone to facilitate everyday communication.  So when the email infrastructure implements all these protocols, it can be ensured that messages cannot be easily forged and you can block them from ever-darkening your users’ inboxes.

Conclusion

DKIM is an email authentication technology that has been around since 2005. It is a method of adding a tamper-proof seal to the emails and ensuring that the emails are protected and safe. DMARC combines the elements of DKIM and SPF and ensures a secured way to deal with spam and spear phishing.  

ProDMARC is a user-friendly DMARC email protection solution that acts as your expert guide to help you move as quickly as possible to a reject policy. ProDMARC is a SaaS solution that enables organizations to handle complex DMARC deployments with ease. Across all email networks, the solution offers 360-degree visibility and governance. 

Contact us for the best email authentication solutions.

Categories
Uncategorized

What does a DMARC record look like and how do I generate it?

A DNS txt record published in your public DNS is known as a DMARC record. This is a DMARC record, as indicated by the DMARC version tag. The receiver would be able to recognize this as your DMARC record if they query your public DNS.

The policy tag is the DMARC policy you set for DMARC emails that fail SPF and DKIM authentication; in other words, it’s the action you recommend to your email recipients when they receive emails that you haven’t approved as legitimate. Depending on the results of your DMARC report study, you can choose from three different policies.

DMARC Analyzer

The email address to which you want DMARC aggregate reports sent is the DMARC aggregate tag. These reports are usually sent to a DMARC analyzer for further review. They provide information about the origins of your emails as well as the results of your SPF and DKIM authentication on the email receivers’ end. This data is used to classify and authenticate all valid email sending sources.

ProDMARC assists you in quickly generating DMARC records. You can generate a sample DMARC record with ProDMARC. You configure DMARC by applying policies to your domain’s DNS records in the form of TXT records once SPF and DKIM are in place (just like with SPF or DKIM).

DMARC was aimed at:

  • Reducing false negatives
  • Providing authentication reports
  • Apply sender policies at the receiving end
  • Reduce phishing
  • Be scalable

1. Example

“v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com” 

In this scenario, the sender defines the policy as such that the receiver outright rejects all non-aligned messages and sends a report about the rejections to a specific email address. If the sender were to use the “quarantine” setting in the policy, it would look like:

“v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@dmarcdomain.com”

and would request the action to quarantine on the receiving end of the message. In the next example, if a message claims to be from your domain.com and fails DMARC, no action is taken. Instead, these messages will then show up in your daily aggregate report sent to

“v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com”

Here is a sample where the message fails DMARC, then quarantines it 5% of the time.

“v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com”

In this sample, the policy is set to reject the message 100% of the time and send the daily report to the specified address of dmarc@your_domain.com.

“v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com”.

2. Common tags used in DMARC TXT records:

TagName   RequiredPurposeSample
v             requiredProtocol Versionv=DMARC1
prequiredProtocol for Domainp=quarantine
pctoptional% of message subjected to filteringpct=20
ruaoptionalReporting UTIof aggregate reportrua=mailto:postmstr@domain.com
spoptionalPolicy for subdomains of the domainsp=r
ASPFoptionalAlignment mode for SPFaspf=r  

Only the v (version) and p (policy) tags are required. Three possible policy settings are available:

  • none – Take no action. Only log the affected messages in the daily report.
  • quarantine – Mark affected messages as spam.
  • reject – Cancel the message at the SMTP layer.  
DMARC Policy

The study in which sender records are compared to SPF and DKIM signatures is known as DMARC alignment mode. There are two options for values: a relaxed “r” or a rigid “s.” Partial matches, such as subdomains, are allowed with some relaxation, whereas strict matches demand an exact match.

If you use the optional rua tag, make sure to include an email address where the regular updates will be sent.

3. Deploy your DMARC policy slowly

Since the DMARC specification recognizes that scaling out the deployment all at once can be difficult for certain organizations, there are some built-in methods for “throttling” the DMARC processing so that complete deployment can be achieved in stages over time.  

The first step is to keep an eye on your traffic and reports. Assess the vulnerabilities (where messages are sent without being digitally signed or from invalid source IP addresses) and use SPF and DKIM records to address them.

As you become more comfortable with the findings from your regular aggregate reports, you will adjust the action on your policies to start quarantining. You can do this by using DMARC to change your TXT record to use the “quarantine” action. Keep an eye on your daily reports.

After you’ve been tracking your traffic and regular reports for a while and are certain that the sources seen sending traffic on behalf of your domain are all digitally signed, you can proceed to the next phase, which is modifying the policy to use the “reject” tag to completely deploy DMARC. Monitoring your reports and your spam feed is an essential part of maintenance for DMARC compliance.

It’s also worth noting that the pct tag, which is optional, can be used to sample your DMARC implementation in increments. Since 100% is the norm, setting “pct=20” in your DMARC TXT record causes one-fifth of all messages affected by the policy to receive the disposition rather than all of them. When you want to quarantine and reject mail, this setting is particularly useful. Start with a lower percent to begin with, and increase it every few days.

When you are ready to complete the DMARC setup, remove the percentages from your policies so that the full action of “quarantine” and “reject” is now functioning at 100%. As always, monitor your daily reports.

4. Use a user-friendly DMARC analyzing software

ProDMARC is a user-friendly DMARC email protection solution that acts as your expert guide to help you move as quickly as possible to a reject policy. ProDMARC is a SaaS solution that enables organizations to handle complex DMARC deployments with ease. Across all email networks, the solution offers 360-degree visibility and governance. Contact us for the best email authentication solutions.