What! My domain can be spoofed even if we configured a Strict -all DNS SPF/TXT entry? / FOR TECHIES ONLY

When an eMail comes in, here is what happens (I made it a bit simpler…):

  1. The sending mail server presents itself: EHLO/HELO, my name is mail.some-domainA.com

  2. I would like to send an eMail from me@somedomainB.com (RFC5321.MailFrom / Return-Path address / bounce address / envelope From address). The end user does not see that address…

  3. SPF VERIFICATION using the STEP 2 domain’s SPF record and, if that is not usable, the STEP 1 domain’s SPF record. “OK somedomainB.com, everything looks good, you’re talking to me from an authorized/listed IP in the public DNS SPF entry for somedomainB.com.”

  4. DKIM SIGNING: the eMail can be signed and pass DKIM authentication using d=some-other-domain.com !! This domain can be anything; it still has nothing to do with the domain the end user/recipient will see (RFC5322.From / Header From) and nothing to do with the SPF domain (RFC5321.MailFrom)!

    “BY THE WAY, here is my digital signature, d=some-other-domain.com, you can look it up on the web, it’s legit, I’m me!” Here the receiving server looks up the public DKIM key (DNS entry) and verifies the signature against it (key-pair stuff).

  5. SPOOFING: “BTW, I AM bob@well-known-company.com” (RFC5322.From / Header From / Friendly From), THE FROM THE END USER WILL SEE! (The domain used to spoof has no DMARC entry, or has one with policy p=none (monitoring mode), which allows it to be spoofed.)

RESULT

A- Someone has received an eMail from bob@well-known-company.com (spoofing)

B- well-known-company.com will have its domain used in SPAM campaigns (phishing attacks, viruses, social-engineering attacks) and, as a bonus, the domain will end up on several blacklists or worse (blocked by some major providers’ LOCAL policies, which you won’t easily know about unless you use DMARC monitoring; then you “could” learn that some provider’s local policy is blocking your domain)…

THEY ARE LOOKING FOR YOU, THE p=none of the world !

Hackers use different methods to find domains that allow spoofing…. They are looking for you every day…. Protect your GOOD-WELL-KNOWN-COMPANY.com domain…

HOW TO PREVENT THIS:

If the well-known-company.com domain had a DMARC entry with p=quarantine or p=reject, then at STEP 5 here is what would have happened:

  • Hello Bob from well-known-company.com, nice to meet you! Please give me a minute.

    Mmmm, shit! Bob’s domain doesn’t ALIGN with the SPF domain (STEP 3) AND doesn’t ALIGN with the DKIM signature domain (STEP 4). Who is this guy!

  • Sorry BOB, you’re not welcome here (the email will be quarantined or rejected if the DMARC policy is configured to do so…. If the DMARC policy is p=none (monitoring mode), the spoofing will be allowed).

  • THE MAGIC: with DMARC, the domain the receiving person (end user) sees, the RFC5322.From / Header From, needs to match at least one of the two domains used for authentication: the SPF domain and/or the DKIM d= domain. Otherwise, the DMARC policy is applied.

    I JUST LIED to you, sorry: the receiving server can do whatever it wants with its own local policies; it is not “forced” to respect your DMARC policy. But some are cool: if they ignore your DMARC policy, there is a chance they will share that info with us, and DMARC monitoring will let us get that feedback from them….

DMARC IS THE ONLY MECHANISM THAT CAN PREVENT SPOOFING……

Bonus: don’t use a strict DNS SPF -all when using DMARC (p=quarantine or none). DKIM won’t work properly (randomly). When SPF fails (whatever the reason, many scenarios are possible), several mail servers/MTAs won’t consider the DKIM signature at all, so DKIM won’t be able to save the day (fail-safe). The communication stops at the SPF verification level and your eMail will be quarantined or rejected (depending on the DMARC policy “or” the receiving mail server’s local policy). Use a SoftFail SPF ~all: if something goes wrong during the SPF validation, the receiving mail server will still consider your DKIM signature…
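An added example (mine, not code from the post or from lastspam.com): a small Python model of the alignment check from THE MAGIC above, plus the receiver “local policy” from the Bonus paragraph. Every domain, result value and the local-policy switch is a constructed input, and the organizational-domain logic is simplified.

```python
from typing import Optional

def org_domain(domain: str) -> str:
    # Simplified organizational domain: the last two labels. Real DMARC uses
    # the Public Suffix List, so e.g. "example.co.uk" would need three labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, header_from_domain: str, mode: str = "r") -> bool:
    # DMARC alignment: "s" (strict) = exact match, "r" (relaxed, the default)
    # = same organizational domain (so mail.example.com aligns with example.com).
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)

def dmarc_disposition(header_from: str, mail_from: str, spf_result: str,
                      dkim_d: Optional[str], dkim_result: str,
                      policy: Optional[str], aspf: str = "r", adkim: str = "r") -> str:
    # header_from = RFC5322.From (what the end user sees), mail_from = RFC5321.MailFrom,
    # dkim_d = the d= domain of the DKIM signature, policy = the p= tag of the
    # Header From domain's DMARC record (None = no DMARC record published).
    hf_domain = header_from.split("@")[-1]
    mf_domain = mail_from.split("@")[-1]
    spf_aligned = spf_result == "pass" and aligned(mf_domain, hf_domain, aspf)
    dkim_aligned = (dkim_result == "pass" and dkim_d is not None
                    and aligned(dkim_d, hf_domain, adkim))
    if spf_aligned or dkim_aligned:
        return "deliver"            # DMARC pass: at least one identifier aligns
    if policy in (None, "none"):
        return "deliver"            # no record or monitoring mode: spoof goes through
    return "quarantine" if policy == "quarantine" else "reject"

def mta_decision(local_reject_on_spf_fail: bool = False, **msg) -> str:
    # Models the receiver's own local policy from the Bonus paragraph: some MTAs
    # stop at an SPF hard fail ("fail", produced by -all) before DMARC ever looks
    # at the DKIM signature. A ~all record yields "softfail" instead and the
    # DKIM signature still gets its chance in dmarc_disposition().
    if msg["spf_result"] == "fail" and local_reject_on_spf_fail:
        return "reject"
    return dmarc_disposition(**msg)

# Constructed scenario from the post: SPF and DKIM both pass for domains the
# recipient never sees, while the visible From is bob@well-known-company.com.
SPOOF = dict(header_from="bob@well-known-company.com", mail_from="me@somedomainB.com",
             spf_result="pass", dkim_d="some-other-domain.com", dkim_result="pass")

if __name__ == "__main__":
    for p in (None, "none", "quarantine", "reject"):
        print(f"DMARC p={p}: {dmarc_disposition(policy=p, **SPOOF)}")
```

Running it shows the spoof delivered with no record or p=none, and quarantined or rejected once the Header From domain publishes p=quarantine or p=reject.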

DMARC in the news

https://www.securityweek.com/us-says-north-korean-hackers-exploiting-weak-dmarc-settings/

https://www.bleepingcomputer.com/news/security/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies/

https://www.uriports.com/blog/demystifying-dmarc-alignment/

lastspam.com
