Khan Rahman
SPF record implementation monitoring

We are investigating the option of implementing an SPF record for our email environment. Due to it being a DNS specific record, I was wondering if there are any capabilities to monitor email that is blocked as a result of implementing the SPF record?

For example:
Scenario 1 - We want to see the email that is actually being blocked/spoofed
Scenario 2 - We implemented the SPF record, and we missed one legit IP. We want to be able to monitor if we miss a critical email from a customer/vendor.

Are there options/tools to monitor SPF records?
Kapila Jayasinghe

We use MxToolbox's MxDelivery Center

https://mxtoolbox.com/NetworkTools.aspx
David Favor
1) You can set up a DMARC record to receive reports of pass/fail percentages from various Mailbox Providers...

For example... for domain foo.com a record like...

_dmarc.foo.com.	600	IN	TXT	"v=DMARC1; p=none; sp=none; fo=1; adkim=s; aspf=s; pct=100; rf=afrf; ri=86400; ruf=mailto:dmarc@foo.com; rua=mailto:dmarc@foo.com;"

Setting p=none; sp=none; creates a report-only DMARC record, which should be your first step.

2) This will only tell you how Mailbox Providers are evaluating mail from your domain. This will not tell you what action they take.

3) What you're looking for is...

a) 100% SPF + DKIM fail - from IPs attempting to spoof your mail addresses.

b) 100% SPF + DKIM pass - from IPs authenticated to send mail on your behalf.

4) This is a little tricky. For example, if you send an email to a Gmail address the following occurs.

a) No SPF or DKIM records - Gmail will refuse to accept your mail.

b) SPF correct + DKIM present + DKIM incorrect - Gmail will accept your mail + flag it as SPAM... many moves to the inbox are required to get mail to the inbox consistently.

c) SPF correct + DKIM present + DKIM correct - Gmail will accept your mail + flag it as SPAM until the first time mail is moved to the inbox; future email will then land in your inbox.

You can see this is complex.

Rule: Always tool your SPF + DKIM signatures correctly.

Tip: To determine if your DKIM signing is correct, send an email to a Gmail address, then navigate to the message -> more -> Original Message.

Just below the headers you'll see a note of DKIM pass or fail.
More concisely...

1) We want to see the email that is actually being blocked.

Impossible, because this is based on the Mailbox Provider's internal policy. What action they take depends on many factors, including recipient behavior.

2) We want to see the email that is actually being spoofed.

Easy with DMARC reports. You'll look for IPs with 100% SPF fails + 100% DKIM fails, where the IPs are unknown to you + should not ever send mail on your behalf.

3) We implemented the SPF record, and we missed one legit IP. We want to be able to monitor if we miss a critical email from a customer/vendor.

Easy with DMARC. Same as #2, except IPs are known to you + you'll add these to your SPF list.
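The "look for IPs with 100% SPF fails + 100% DKIM fails" rule from the two answers above, applied to a DMARC aggregate (rua) report. This is an added example, not code from the thread or from any tool named in it; the report XML and the set of "known" sender IPs are constructed for the demonstration and stand in for real rua reports and your own sender inventory.

```python
"""Classify source IPs in a DMARC aggregate (rua) report.

Added example, not from the thread. Assumes the RFC 7489 aggregate report
layout (feedback/record/row/source_ip, row/count, row/policy_evaluated/dkim
and spf). SAMPLE_REPORT and KNOWN_SENDERS are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report: one authorised sender, one of your own IPs that
# was left out of SPF, and one IP you have never heard of.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_id>demo.invalid</org_id></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
  </record>
</feedback>
"""

# Assumption: your own inventory of systems that legitimately send for the domain.
KNOWN_SENDERS = {"192.0.2.10", "192.0.2.25"}


def summarize(report_xml):
    """Return {ip: {"total": n, "dkim_fail": n, "spf_fail": n}} for one rua report."""
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"total": 0, "dkim_fail": 0, "spf_fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        entry = stats[ip]
        entry["total"] += count
        # Anything other than an explicit "pass" counts as a failure for our purposes.
        if evaluated is None or evaluated.findtext("dkim") != "pass":
            entry["dkim_fail"] += count
        if evaluated is None or evaluated.findtext("spf") != "pass":
            entry["spf_fail"] += count
    return dict(stats)


def classify(stats, known):
    """Bucket IPs the way the answer describes.

    authorized       - 100% SPF and DKIM pass
    spoofing         - 100% SPF and DKIM fail from an IP you do not recognise
    missing_from_spf - 100% SPF and DKIM fail from an IP you DO recognise
    partial          - mixed results, worth a closer look before changing anything
    """
    out = {"authorized": [], "spoofing": [], "missing_from_spf": [], "partial": []}
    for ip, s in sorted(stats.items()):
        all_fail = s["dkim_fail"] == s["total"] and s["spf_fail"] == s["total"]
        all_pass = s["dkim_fail"] == 0 and s["spf_fail"] == 0
        if all_pass:
            out["authorized"].append(ip)
        elif all_fail and ip in known:
            out["missing_from_spf"].append(ip)
        elif all_fail:
            out["spoofing"].append(ip)
        else:
            out["partial"].append(ip)
    return out


if __name__ == "__main__":
    for bucket, ips in classify(summarize(SAMPLE_REPORT), KNOWN_SENDERS).items():
        print("%-17s %s" % (bucket + ":", ", ".join(ips) or "-"))
```

Real reports arrive as gzip or zip attachments and a receiver may send several per day, so in practice you would unpack each attachment, run `summarize` over it and merge the per-IP counters before classifying.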
Khan Rahman

ASKER

Thanks everyone for the feedback.

Can you tell me if there is another similar option to avoid spoofing, aside from using SPF?
You asked, "Can you tell me if there is another similar option to avoid spoofing, aside from using SPF?"

There is no other way.

The entire point of SPF is to notify Mailbox Providers when someone is spoofing/forging a From: address.

So SPF is how you will accomplish this task.
Without DMARC you will not get notifications. With DMARC setup, well sometimes....
_dmarc.example.org.	600	IN	TXT	"v=DMARC1; p=none; sp=none; fo=1; adkim=s; aspf=s; pct=100; rf=afrf; ri=86400; ruf=mailto:ruf@example.com; rua=mailto:rua@example.com;"


With DMARC you also mention an IP address that will receive e-mails with an XML attachment.
The domain of that email address needs to publish a record saying that it is willing to receive your mails.

If your domain = example.org
and you mention
ruf:example.com rua:rua@example.com
then the following DNS record needs to exist:
example.org._report._dmarc.example.com   TXT "v=DMARC1"

When processing dmarc reports you may need tooling like opendmarc for processing the .XML files.


Besides SPF you may consider implementing DKIM which is a bit more involved in proving you are indeed the sender.
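A parser for the DMARC TXT records quoted in this thread that also derives the `_report._dmarc` authorization record described above. This is an added example, not code from the thread or from opendmarc; the domains are the ones used in the answers (example.org as the policy domain, example.com as the report mailbox domain). It accepts both the plain `;` separators and the `\;` escaping that appears in a later answer. One simplification is labelled in the code: it compares the report destination domain to the policy domain exactly, rather than at the organizational-domain level RFC 7489 uses.

```python
"""Parse a DMARC policy record and list the external-report authorizations it needs.

Added example, not from the thread. Domains are the thread's own (example.org,
example.com, foo.com). Assumption: destination and policy domains are compared
exactly; RFC 7489 section 7.1 actually compares Organizational Domains, which
needs a public-suffix list and is left out here.
"""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into a tag dict, tolerating '\\;' escapes."""
    cleaned = txt.strip().strip('"').replace("\\;", ";")
    tags = {}
    for part in cleaned.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    return tags


def report_destinations(tags):
    """Return the set of mailbox domains named in rua= and ruf=."""
    domains = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri:
                continue
            mail = uri.split("!", 1)[0]  # drop an optional size limit such as '!10m'
            if not mail.startswith("mailto:") or "@" not in mail:
                raise ValueError("unsupported report URI: %r" % uri)
            domains.add(mail.split("@", 1)[1].lower())
    return domains


def required_authorizations(policy_domain, tags):
    """Owner names of the TXT records (value 'v=DMARC1') that each foreign report
    destination must publish before receivers will send it your reports."""
    names = []
    for dest in sorted(report_destinations(tags)):
        if dest != policy_domain.lower():  # assumption: exact-domain comparison
            names.append("%s._report._dmarc.%s" % (policy_domain, dest))
    return names


def describe(policy_domain, txt):
    """Human-readable summary of what a record asks receivers to do."""
    tags = parse_dmarc(txt)
    lines = ["domain policy p=%s, subdomain policy sp=%s" % (tags["p"], tags.get("sp", tags["p"]))]
    for name in required_authorizations(policy_domain, tags):
        lines.append("needs external authorization record: %s TXT \"v=DMARC1\"" % name)
    return "\n".join(lines)


if __name__ == "__main__":
    record = ('"v=DMARC1; p=none; sp=none; fo=1; adkim=s; aspf=s; pct=100; rf=afrf; '
              'ri=86400; ruf=mailto:ruf@example.com; rua=mailto:rua@example.com;"')
    print(describe("example.org", record))
```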
Hi all, we have been using mxtoolbox for a few weeks now, and not finding it easy to see the results.

Can you tell me any other tools to monitor SPF results?
Did you set up DMARC? If not, no mailer will tell you about the results of checking [unless you get error codes on rejection].

If you set up DMARC, some mailers MAY report back (there is no requirement for that).
You will then receive statistics about the amount of mail received, accepted, rejected, ...
Hi All,

We have implemented our dmarc on monitor only, and SPF record. And now are monitoring.

We would also like to implement DKIM now. In the scenario where I have an on-prem exchange 2013, and other providers sending email on our behalf, my understanding is that:
- I have to install DKIM and keys on my exchange server for my on-prem
- I have to provide the third parties with my public key, to sign our emails (and some providers do not do DKIM)

I have been reading different articles on DKIM, but not understanding completely. Can you confirm if my understanding is correct for DKIM?
You need DKIM on all senders. You can use a different key for each sender.
(the sender also specifies the key to use aka selector)

The public key is stored in DNS, so the distribution of your public key(s) has been taken care of.
You can have as many as you can find names for in DNS. Virtually unlimited.
Also key rollover is not a problem: issue a new key, assign it to a different selector and provide the right system manager/mail provider with the right key.
Revocation of a key: just remove the DNS selector record.
Thanks for the response.

So is the process then to do the following:
- put the key in the on-prem exchange - then post to DNS to make it publicly verified
- give a new public key to another vendor, they install on their system - then we post to our DNS to make it publicly verified
- rinse and repeat for all systems sending on behalf of our domain

And my understanding is that DKIM does not have to be used on all external parties, just the ones we want to pass on DKIM? or will there be any impact to us if we miss one? I believe it would just fail the DMARC check.
1) Both dmarcian + mxtoolbox provide good testing tools. If you have unexpected results, this relates to your config being slightly broken, rather than these tools.

2) I have to install DKIM and keys on my exchange server for my on-prem.

You'll normally use the opendkim code + generate a signing key for each different domain.

3) I have to provide the third parties with my public key, to sign our emails (and some providers do not do DKIM).

Not explicitly. This is handled via DNS.

You publish your DKIM selector record + then 3rd parties use this info at their discretion.

4) You asked, "And my understanding is that DKIM does not have to be used on all external parties, just the ones we want to pass on DKIM? or will there be any impact to us if we miss one? I believe it would just fail the DMARC check."

No, as I mentioned in #3 this is all handled by publishing your DNS records correctly, so no other work on your part, after you publish your DKIM selector record(s).
Tip: Setting up DKIM + actually getting it working are complex.

If you send low volume mail, use a relay service like MailGun, which allows the first 10K messages free each month.

If you're running high volume mail + must do in house DKIM signing, verify your DKIM signing by this simple test.

1) Send an email to a Gmail user.

2) Navigate to the message inside Gmail.

3) Click the more (3x dots) icon.

4) Select Show Original.

5) In the provided debug output, you'll see a DKIM pass/fail.

This little trick makes debugging DKIM problems a snap.
You hand out the PRIVATE key to implement it on a mailserver.
The public key goes to DNS.
If those are external mail suppliers then provide each with their own key; that way you can easily revoke usage by removing the DNS entry.
You can have an unlimited number of keys; also those keys are generated by yourself, so there is no monetary compensation involved to leave the company (i.e. they are cheap).
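The one-selector-per-sender, rollover and revocation handling described in the two answers above, modelled against a dictionary that stands in for your DNS zone. This is an added example, not code from the thread; example.org, the selector names and the p= values are constructed placeholders (a real p= is the base64 DER encoding of the RSA public key). Besides deleting the selector record, as the answer says, it also shows the RFC 6376 form of revocation, an empty p= value, which keeps the name resolvable.

```python
"""DKIM selector records in DNS: one selector per sender, rollover, revocation.

Added example, not from the thread. ZONE is a dict standing in for your DNS;
domain, selectors and key blobs are constructed placeholders.
"""


def selector_name(selector, domain):
    """Owner name a verifier queries: <selector>._domainkey.<domain> (RFC 6376 3.6.2.1)."""
    return "%s._domainkey.%s" % (selector, domain)


def build_record(public_key_b64, key_type="rsa"):
    """TXT value for a selector; an empty key publishes the record as revoked."""
    return "v=DKIM1; k=%s; p=%s" % (key_type, public_key_b64)


def parse_dkim_record(txt):
    """Tag=value parse of a selector TXT record; v= defaults to DKIM1, p= is mandatory."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported version: %r" % tags.get("v"))
    if "p" not in tags:
        raise ValueError("p= tag is required")
    return tags


def key_status(zone, selector, domain):
    """'missing' (no record), 'revoked' (empty p=, RFC 6376 3.6.1) or 'active'."""
    txt = zone.get(selector_name(selector, domain))
    if txt is None:
        return "missing"
    return "revoked" if parse_dkim_record(txt)["p"] == "" else "active"


def publish(zone, selector, domain, public_key_b64):
    """Publish the public half of a sender's key under its own selector."""
    zone[selector_name(selector, domain)] = build_record(public_key_b64)


def revoke(zone, selector, domain, delete=False):
    """Revoke one sender without touching the others: delete the record, or
    keep the name and publish an empty p= so verifiers see 'revoked', not 'NXDOMAIN'."""
    name = selector_name(selector, domain)
    if delete:
        zone.pop(name, None)
    else:
        zone[name] = build_record("")


def rollover(zone, old_selector, new_selector, domain, new_key_b64):
    """Safe rotation order: publish the new selector first, then revoke the old one.
    The signing system must be switched to new_selector between these two steps,
    otherwise mail already in transit signed with the old key will fail."""
    publish(zone, new_selector, domain, new_key_b64)
    revoke(zone, old_selector, domain)
    return zone


if __name__ == "__main__":
    DOMAIN = "example.org"
    ZONE = {}
    publish(ZONE, "exchange2013", DOMAIN, "PLACEHOLDER-ONPREM-PUBKEY")
    publish(ZONE, "vendor1", DOMAIN, "PLACEHOLDER-VENDOR1-PUBKEY")
    rollover(ZONE, "exchange2013", "exchange2013b", DOMAIN, "PLACEHOLDER-ONPREM-PUBKEY-2")
    revoke(ZONE, "vendor1", DOMAIN, delete=True)
    for sel in ("exchange2013", "exchange2013b", "vendor1"):
        print("%-40s %s" % (selector_name(sel, DOMAIN), key_status(ZONE, sel, DOMAIN)))
```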
Question on DKIM implementation. If the vendor in question that is sending on our behalf provides me their key. The process I understand is:

1. receive the txt value from them (generated from their key)
2. input into my public DNS space
3. monitor my DMARC to see if vendor is now passing on DKIM

Correct, or am I missing something?
Your sequence looks good.

Suggestion: About DMARC records. Best to always start with report only DMARC (policy=none; sp=none;) as any other level of policy strictness can cause unforeseen deliverability problems. Start with a record of this form...

_dmarc	300	IN	TXT	"v=DMARC1\; p=none\; sp=none\; fo=1\; adkim=s\; aspf=s\; pct=100\; rf=afrf\; ri=86400\; ruf=mailto:dmarc@foo.com\; rua=mailto:dmarc@foo.com\;"

Changing foo.com to your domain.
Thank you for confirming. And yes, our DMARC policy is none currently, so we can iron out these issues that are found.

We are trying to get to the point of turning it on quarantine mode.
Keep in mind with "policy=quarantine;sp=quarantine" any slight glitch will then...

Destroy all your Inbox Traction.

This is very bad.

Had this happen to a client. What "policy=quarantine;sp=quarantine" means, at least to Gmail, is this...

If any SPF or DKIM percentage fails, per DMARC record, ignore any previous mail flagged as ham (move to inbox), then flag all mail as spam.

This can destroy near 100% of all income, if some new mail system is used + SPF/DKIM settings are incorrect.

Suggestion: Always run with "policy=none;sp=none", track your daily DMARC reports, fix any problems.