fbpx

Mail Security: SPF, DKIM, and DMARC

by | Oct 25, 2023 | Cybersecurity | Blog, Prominic News | 0 comments

We all know how important mail security is and our own Triston Dixon last week presented a webinar on the subject that was originally prepared for Collabsphere 2023. Since that session ended up having to be canceled at the time, the webinar attendees got a chance to learn more about SPF, DKIM, and DMARC, as was originally planned. 

WHY ARE SPF, DKIM, and DMARC important?

Here is why these records are important:

  • all of them add credibility to your domain
  • They help protect your users from phishing/spoofing attempts
  • It is an important part of your email security infrastructure to have each of these records in place for your domain.

SPF Records

SPF Records short for Sender Policy Framework are the ones that validate what IP addresses and host names are authorized to send email on behalf of your domain. They help prevent spammers from sending on behalf of your domain and also add long-term credibility to your domain.

Here is an example of a standard SPF record:

SPF Record

You will need to set this up as a TXT record in the public DNS for your domain.

There are different types of switches that are used:

  • mx: specifies the IPs of the MX records for your domain
  • a: specifies a fully qualified domain name
  • Include: specifies a domain name and will also consider the SPF for that specific domain
  • ip4: specifies an IP address
  • ~all: This is a soft fail for the SPF record. It will allow mail that does not pass the record through, but it may be marked as spam.
  • -all: This is a hard fail for the SPF record. It will block any messages for your domain that do not originate from the servers specified in the SPF record.

DKIM Records

DKIM Records, short for DomainKeys Identified Mail, are the records that sign all outgoing emails for your company domain with an encrypted key. They allow recipients to tell if an email has been tampered with during transit.

DKIM Records are important because they help prevent phishing/spoofing attempts for your domain. They also add credibility to all outgoing emails for your domain as well as build a long-term domain reputation over time.

Here is an example of a DKIM Flow Chart:

DKIM Records

You can implement DKIM configuration for Domino as of Domino 12.0.1. In order to create a DKIM key for your domain, you will need to make sure you have an existing credstore.nsf on your Domino server.

If you don’t have a credstore in place on your Domino server, you can create one by using the following commands:

Once you have completed that step you can start generating a DKIM key:

You can then use the following command to export the key to a TXT which you will then add to your DNS:

Once you have generated the record you need to add it to the public DNS for your domain along as a TXT record. The hostname for the TXT record will be the name you gave the selector. The hostname that would be used for the example record is as follows:

  • 12345._domainkey

After you have verified that the public DNS is updated you will need to apply the following router setting on your Domino server:

DMARC Records

DMARC Records, short for Domain-based Message Authentication, Reporting, and Conformance, are the records that tell a recipient’s server to either Quarantine, Reject, or Allow a message to continue delivery.

They will verify that all the messages that are received from your domain to a recipient’s server are passing an SPF check as well as a DKIM check.

To implement DMARC you will add it as a TXT record to your domain’s public DNS. Here is an example record:

DMARC Records

The example record has the policy set to none which means that it will allow all mail.

Here are the policy switches for DMARC:

Implementing DMARC is not a one-off action. You need to monitor the DMARc reports that are being generated as well as verify that there are no messages that are originating from your organization but are failing the SPF/DKIM checks. 

If you detect messages that are failing you will then verify that you have their sending servers included in the SPF record as well as signing with the DKIM key.

You can find the DMARC email reports in a ZIP file that will include an XML report for you to review. Here is an example of an IP that passed:

Here is an example of a situation when the reported IP passed DKIM but failed SPF. This indicates the IP potentially needs to be added to the SPF record.

Spam Filters

As you might imagine spam filters are an important part of your mail security infrastructure. Antispam protection is going to filter all incoming emails for your domain to help protect your users from phishing scams, viruses, and spam in general.

Here are some features that anti spam filters offer:

  • Attachment defense/ Sandboxing
  • URL defense
  • Domain spoofing protection
  • Backscatter protection
  • Email tagging

Introducing a carefully selected compilation of renowned spam filters:

  • SpamSentinel from Maysoft
  • Proofpoint
  • Barracuda
  • Mimecast

Domino 12.0.2: ICAP

ICAP, short for Internet Content Adaptation Protocol, was introduced in the 12.0.2 version of Domino and is a tool that scans incoming attachments in mail messages for viruses. It does require a third-party ICAP protocol server to do the virus scanning and it has been tested with Trend Micro web security and McAfee web gateway. 

The recording of Tristan’s webinar is below:

If you need a hand with securing your email servers just drop us a line and we will help you have a more secure email.