I recently started pursuing email security studies. Other posts have mentioned this, and a recent post shared a deeper look at SPF. In this blog I want to cover DKIM & DMARC. Starting with DKIM, it essentially allows senders to digitally sign outgoing messages and include the signature in an email header. DKIM provides the ability to authenticate message headers & content so their integrity can be verified. The sender's public keys are published in DNS TXT records.
DKIM adds a signature header to the message & protects it with a cryptographic signature. The receiving side uses the public key published for the domain in DNS to determine whether an email carries a valid DKIM signature. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.
Next I will cover the ESA DKIM components:
From Sender's perspective:
Configure DKIM keypair
Create a DKIM Signing Profile
Create and publish DKIM record
Enable DKIM signing in the mail flow policy
From Recipient's perspective:
Enable DKIM verification in Mail flow policy
Configure Content Filtering Conditions/Actions
Apply to Incoming Mail Policy
Understanding DKIM creation/verification is rather straightforward. A DKIM lookup uses the domain name and selector from the signature header to find the published DKIM key record. The ESA has a tool to aid in generating the DKIM key.
Lastly, I will cover DMARC. Remember that DMARC builds on both SPF & DKIM. DMARC performs an additional SPF check against the header From. It also ensures that all available identities are aligned, the identities being: HELO, Mail From, DKIM signing domain and header From. DMARC lets a domain owner specify a policy telling receivers how they should handle messages.
A published DMARC record basically serves two purposes:
Tell the recipient server to either:
Do Nothing with the Message
Quarantine the Message
Reject the Message
Send reports to one or more email addresses with data about all the messages seen from the domain
DMARC is another record in DNS, just like SPF/DKIM. There are a total of 11 tags that can be applied to a DMARC policy. Of those 11, the "v" and "p" tags are required, and it is strongly recommended to include the "rua" tag as well in order to receive the reports.
v = version
p = policy (quarantine/reject/none)
pct = percentage of email messages subject to filtering. For example, pct=100 means all of your company's emails will be filtered by the recipient
rua = This optional tag specifies the reporting URI(s) for aggregate data. An rua example is rua=mailto:CUSTOMER@for.example.com.
ruf = Like the rua tag, the ruf tag is optional. It specifies the addresses to which message-specific forensic reports are sent
fo = pertains to how forensic reports are created and presented to users
aspf = represents alignment mode for SPF
adkim = optional alignment mode for DKIM protocol
rf = forensic reporting format
ri = the aggregate reporting interval at which DMARC feedback is provided
sp = represents the requested handling policy for subdomains
An example is as follows:
_dmarc.google.com IN TXT "v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org"
"v=DMARC1" = version
"p=reject" = failure policy
"rua=mailto:firstname.lastname@example.org" = aggregate reports URI
The DMARC operation overview is as follows:
Sender point of view:
Publish SPF DNS TXT record
Publish DKIM DNS TXT record
Publish DMARC DNS TXT record
Prepare the outgoing message
Recipient point of view:
Fetch DMARC Policy
Apply DMARC Policy
Send DMARC Report(s)
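To make the "Fetch DMARC Policy" and "Apply DMARC Policy" steps concrete, here is a small added example (my own illustration, not Cisco ESA code) that parses the record tags listed above, enforces the required "v" and "p" tags, and evaluates SPF/DKIM identifier alignment against the header From in relaxed or strict mode. It assumes a simplified organizational domain (last two labels) in place of a public suffix list lookup, and ignores pct sampling.

```python
"""Minimal DMARC record parser and alignment evaluator (added example, not ESA code)."""

# Tags the page lists; v and p are mandatory, the rest take the RFC 7489 defaults.
DEFAULTS = {"pct": "100", "aspf": "r", "adkim": "r", "fo": "0", "rf": "afrf", "ri": "86400"}


def parse_dmarc(txt: str) -> dict:
    """Parse a TXT record such as 'v=DMARC1; p=reject; rua=mailto:x@example.org'."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("v=DMARC1 is required")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p is required and must be none, quarantine or reject")
    if "rua" in tags and not all(u.strip().startswith("mailto:") for u in tags["rua"].split(",")):
        raise ValueError("rua must be a comma-separated list of mailto: URIs")
    return {**DEFAULTS, **tags}


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_result(record: dict, header_from: str, spf_domain: str, spf_pass: bool,
                 dkim_domain: str, dkim_pass: bool) -> str:
    """Return 'pass' if either authenticated identity aligns, else the p= disposition."""
    spf_ok = spf_pass and aligned(header_from, spf_domain, record["aspf"])
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, record["adkim"])
    return "pass" if spf_ok or dkim_ok else record["p"]


if __name__ == "__main__":
    # Constructed sample record: strict DKIM alignment, relaxed SPF alignment.
    rec = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s")
    print(dmarc_result(rec, "example.org", "bounce.example.org", True, "example.org", False))
```

A real receiver would additionally apply the pct sampling and the sp tag for subdomains before choosing the disposition.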
That about wraps up this post covering DKIM & DMARC. Check out other email security posts. Cheers!