Teri Radichel

Summary

The web content provides guidance on enhancing email security by implementing DMARC, which works in conjunction with DNSSEC, SPF, and DKIM, and includes instructions and resources for setting up DMARC records, common issues, and testing email security configurations.

Abstract

The article emphasizes the importance of DMARC as the next step in email security, following the implementation of DNSSEC, SPF, and DKIM. It guides readers through the process of setting up a DMARC record, with a focus on using Google's instructions for generating the record and customizing it for individual domains. The author, Teri Radichel, shares personal experience with common mistakes and the importance of accurate record configuration. The article also highlights the limitations of Google's support for DMARC failure reports (ruf) and provides steps for adding a TXT record in Route 53. Additionally, it offers resources for further learning and testing of email security measures, encouraging readers to follow for updates and consider professional cybersecurity services.

Opinions

  • The author believes that DMARC is a critical component in improving email security, suggesting that it should be implemented after DNSSEC, SPF, and DKIM.
  • Teri Radichel acknowledges the complexity of setting up DMARC correctly and the potential for typos or errors, recommending a review of common problems with DMARC records.
  • There is an expressed preference for using Google's instructions for generating a DMARC record, indicating trust in Google's guidelines for those using Google for email.
  • The author points out a limitation with Google's DMARC support, specifically the lack of support for ruf, which are forensic or failure reports, indicating a desire for more detailed failure information.
  • The article conveys the importance of validating emails and DNS TXT records, suggesting that readers refer to previous posts and external resources for guidance on creating and testing these records.
  • Teri Radichel encourages continuous learning and testing, providing a link to a future post on testing email security configurations and inviting readers to sign up for an email list for updates.
  • The author promotes her professional services, indicating a belief in the value of expert assistance for cybersecurity, cloud, and application security needs.

DMARC for Email Security

The next step to improving email security with DNSSEC, SPF, DKIM and DMARC


I’ve been showing you how to improve security for DNS and email in the last few posts, starting with DNSSEC.

The next DNS record we’re going to add to improve email security is called a DMARC record.

Note that you will need to set up either SPF or DKIM before setting up DMARC (and both is better). I have a post on SPF prior to DKIM. I showed you how to set those up in the following posts.

I’m using Google’s instructions here to generate a record. You’ll need to refer to your own email provider instructions if you don’t use Google for email.

If you read through that article it provides a sample record:

It also tells you what each of those values means. I’m not going to repeat the whole table here but it starts like this:

I took the sample above and swapped out the emails for my own. I also want to quarantine records to see what’s getting rejected — at least initially.

The problem with the record

v=DMARC1; p=quarantine; rua=mailto:postmaster@[yourdomain]; ruf=mailto:dmarc@[yourdomain]; pct=100; adkim=s; aspf=s

Initially I had some typos in my records. Refer to this post to check for common errors:

What is interesting is that Google does not support ruf, which are forensic or failure reports, and after implementing DMARC I really could have used more details about failures.

Next we head over to our domain at Route 53 and add a TXT record, the way we did in prior posts.

Name: _dmarc

Value: Your DMARC policy shown above.

Make sure you change your emails in the above policy to valid emails for your domain.

Refer to my prior posts if you are unfamiliar with how to create DNS TXT records.
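A quick way to catch typos and leftover `[yourdomain]` placeholders before publishing the TXT value is to lint it locally. The following is an added example, not code from the original post or from Google; the function name `lint_dmarc` and the sample records are constructed for illustration, and the tag list follows RFC 7489.

```python
import re

# Tag names and values from RFC 7489; only mailto: report URIs are checked here.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s\[\]]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}(![0-9]+[kmgt]?)?")

# Constructed samples: the page's template, a filled-in copy, and a copy with typos.
TEMPLATE = ("v=DMARC1; p=quarantine; rua=mailto:postmaster@[yourdomain]; "
            "ruf=mailto:dmarc@[yourdomain]; pct=100; adkim=s; aspf=s")
GOOD = TEMPLATE.replace("[yourdomain]", "example.com")
TYPO = "v=DMARC1; p=quarentine; rua=mailto:postmaster@example.com; pct=100; adkin=s"


def lint_dmarc(record):
    """Return a list of problems found in a DMARC TXT record value."""
    problems, tags = [], {}
    parts = [p.strip() for p in record.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    for part in parts:
        name, sep, value = (s.strip() for s in part.partition("="))
        if not sep:
            problems.append(f"malformed tag (no '='): {part!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        elif name not in KNOWN_TAGS:
            problems.append(f"unknown tag (typo?): {name}")
        else:
            tags[name] = value
    if tags.get("p") not in POLICIES:
        problems.append(f"p must be one of {sorted(POLICIES)}, got {tags.get('p')!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            problems.append(f"{tag} must be r or s, got {tags[tag]!r}")
    if "pct" in tags and not (re.fullmatch(r"[0-9]{1,3}", tags["pct"]) and int(tags["pct"]) <= 100):
        problems.append(f"pct must be 0-100, got {tags['pct']!r}")
    for tag in ("rua", "ruf"):
        for uri in tags[tag].split(",") if tag in tags else []:
            if not MAILTO.fullmatch(uri.strip()):
                problems.append(f"{tag} has an invalid or placeholder address: {uri.strip()!r}")
    return problems


if __name__ == "__main__":
    for label, rec in (("template", TEMPLATE), ("good", GOOD), ("typo", TYPO)):
        print(label, lint_dmarc(rec) or "OK")
```

The check is syntactic only: it does not confirm that the mailboxes exist or that the record is actually published at `_dmarc` for your domain.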

If you want to test out your policies you can find more in this post:

https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf

References with more information if you want to get more into the details of how this all works and why you should set it up:

In the next post, I take a look at how to test if your email security is working as expected.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
