Teri Radichel

Summary

The website content discusses the process of testing and validating DNS security records such as DKIM, DMARC, and SPF, and the challenges faced by the author while setting up these records and troubleshooting login issues with Buymeacoffee.

Abstract

The author shares their experience with configuring DNS security records, including DKIM, DMARC, and SPF, and the importance of these records in email security. They detail the steps taken to resolve issues with their Buymeacoffee account login and the receipt of DMARC error reports. The author also provides insights into the use of various online tools to test and validate these DNS records, highlighting the discrepancies found in Google's instructions and the actual implementation. The content includes reflections on the author's recent GSE renewal, the exposure of email addresses on certain platforms, and the potential security implications. Additionally, the author expresses concerns about third-party email handling by services like Buymeacoffee and the need for thorough security assessments. The narrative concludes with the author's ongoing efforts to ensure their email security configurations are correct and their intention to monitor and adjust these settings as needed.

Opinions

  • The author questions the accuracy of Google's instructions for setting up SPF and DMARC records, suggesting that they may need updating.
  • They express dissatisfaction with the exposure of their email address on the Buymeacoffee platform after changing their associated email, leading to login issues.
  • The author is skeptical about the necessity and security of implementing BIMI, preferring to wait until the standard is more mature and tested.
  • They believe that DMARC reports and the use of tools like MXToolbox and Mimecast are crucial for diagnosing and resolving email delivery and security issues.
  • The author is critical of the practice of sending support messages through third parties, as it complicates email security and delivery.
  • They are proactive in seeking solutions and alternative methods to ensure their domain's email security is robust, despite encountering persistent issues with email delivery to certain vendors.

Testing DNS records for errors

Validating DKIM, DMARC and SPF records with external sites

One of my posts on Email and DNS security.


You may have noticed in my social media posts that I recently passed the GSE renewal. If you’re not sure what that is I wrote about it here.

In the middle of trying to wrap that up, I was having issues getting into the buymeacoffee account set up for donations from this site. It’s been about a week now and I still can’t login. I’ve gotten some responses but so far the issue is not resolved.

Update: After writing this someone at the company got back to me and they are prioritizing getting this resolved. It turns out they use Postmark and need to figure out 1.) was the email sent and 2.) was it blocked or failed either due to a configuration on my side or their side or 3.) If it was not sent is there some other problem. Also someone left a bad review on Trust Pilot. That was not me! I’m just trying to determine what is the problem and provided some feedback for things I would fix, if possible, with the service. I once had a small business and didn’t understand security too well…so I’m looking at this from their point of view.

One of the things I noticed is that site exposes your email to someone who sends you a message on the site. Not really happy about that. I went in and changed my email address associated with the account and that’s when I could no longer login. As I wrote about earlier, I got an email from the buymeacoffee.com site right after I changed it — a response from someone named who had kindly made a donation.

That pretty much confirms I am using the correct email to login. I have been known to read too fast or have typos (who doesn’t) so I have looked at that message over and over and tried many times to login and verified that the email address works by sending an email to it. I keep thinking I must be missing something but I can’t find it. I’ve contacted the company and gotten a few responses but so far none of them have actually helped resolve the problem. I am starting to wonder if they are even getting my emails.

After this all started happening I was rushing to set up email security on my domain related to this email. I showed you in prior posts how to set up DNSSEC, an SPF record, DKIM, and DMARC. These things can be tricky and I was in such a hurry I started to wonder if I had done something wrong. The thing is, even if I did something wrong, I wasn’t getting their emails before I set any of this up. Hmm. I think this has to do with me sending them emails and not vice-versa for the most part.

Well, I posted some information for how to test DMARC at the end of that post but there’s a simpler way to quickly test it out. You can plug your domain into various sites that test it — hopefully non-malicious sites.

DMARC error reports

The first thing I took a look at were some DMARC reports coming to one of my emails. I had set that up in my DMARC messages.

That’s odd. I was seeing SPF failures and I had set the SPF record up per Google’s instructions. Turns out those instructions aren’t exactly right. I wondered about that when I set it up because in the past AWS would reject the @ on an SPF record even though it was in Google’s instructions. I ended up resolving that by testing with the sites below and removing the @ symbol. I updated this post.

DMARC test tool from Google

The first one I used was a DMARC test tool from Google. It’s in their documentation and doesn’t work. At least not on my domain. It simply says it can’t reach the domain and times out. It also says my domain has no MX records but it does — Google MX records set up per Google’s instructions — and they seem to be working. I haven’t changed any of that recently. I think for some reason this tool was blocked from reaching my domain.

MXToolbox

A more interesting tool suggested by one of my readers is MXToolbox.

Now the first time I ran this tool it also said the SPF record was missing. Odd, because I followed Google’s instructions to the letter. Seems that perhaps those instructions need an update. Once I removed the @ symbol the SPF record worked fine.

The other thing MXToolbox told me was that my DMARC record was invalid. Now for that case, the sample Google record has some commas in it, but I ran across this page that seems to indicate there should be no commas. Maybe it is allowed between email addresses but I didn’t need two so I removed the comma just to be safe. The other problem was that I forgot to put “mailto:” in front of one of my emails.

After making those two changes, MXToolbox no longer reports errors for SPF or DMARC records. I am getting some other warnings I’ll have to explore later but these may all be out of my control. I can’t change the Google mail banner and I’m not sure about the SOA serial number. Pretty sure that’s up to Amazon to fix? Not sure if these things matter as they are only warnings.
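As an added example (not the author's code or anything from MXToolbox), a stdlib-only Python checker for the two record defects described above: a DMARC rua= entry without its mailto: scheme, and a stray token such as @ in an SPF record. The sample records are constructed; RFC 7489 does allow comma-separated URIs in rua=, so the checker flags only the missing scheme.

```python
import re

# Constructed sample records (not the author's real DNS data). The first DMARC
# record has the two defects the post describes (an address without "mailto:",
# two addresses separated by a comma); the second is the corrected form. The
# first SPF record carries a stray "@" token; the second is the usual Google form.
DMARC_BROKEN = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com, reports@example.com"
DMARC_FIXED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
SPF_BROKEN = "v=spf1 @ include:_spf.google.com ~all"
SPF_FIXED = "v=spf1 include:_spf.google.com ~all"

DMARC_POLICIES = {"none", "quarantine", "reject"}
# One SPF term: optional qualifier, then a mechanism or modifier (RFC 7208).
SPF_TERM = re.compile(r"^[+\-~?]?(all|include:\S+|a(:[^/\s]+)?(/\d+)?|mx(:[^/\s]+)?(/\d+)?"
                      r"|ip4:\S+|ip6:\S+|exists:\S+|ptr(:\S+)?|redirect=\S+|exp=\S+)$")

def check_dmarc(record):
    """Return a list of problems with a DMARC TXT record (empty list = looks valid)."""
    problems = []
    tags = [t.strip() for t in record.split(";") if t.strip()]
    if not tags or tags[0] != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    kv = {}
    for tag in tags:
        if "=" not in tag:
            problems.append(f"tag without value: {tag!r}")
            continue
        key, value = (part.strip() for part in tag.split("=", 1))
        kv[key] = value
    if kv.get("p") not in DMARC_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    # rua/ruf take a comma-separated list of URIs (RFC 7489); commas between
    # addresses are fine, but every entry needs its mailto: scheme.
    for key in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in kv.get(key, "").split(","))):
            if not uri.startswith("mailto:"):
                problems.append(f"{key}= entry {uri!r} is missing the mailto: scheme")
    return problems

def check_spf(record):
    """Return a list of problems with an SPF TXT record (empty list = looks valid)."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return ["record must start with v=spf1"]
    return [f"unknown SPF term {t!r}" for t in terms[1:] if not SPF_TERM.match(t)]

if __name__ == "__main__":
    for rec in (DMARC_BROKEN, DMARC_FIXED, SPF_BROKEN, SPF_FIXED):
        checker = check_dmarc if rec.startswith("v=DMARC1") else check_spf
        print(rec, "->", checker(rec) or "OK")
```

Run it against the TXT values you actually published (copied from your DNS console) before pasting your domain into third-party sites.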

The interesting thing is, even though I failed to add the mailto: I was still getting DMARC reports from Amazon SES related to the email domain I’ve been having problems with. The thing is, I think those errors are related to me sending them email not them sending me email. Also, the DMARC reports show that even though SPF failed, DKIM passed, so DMARC was “successful” — even though some reports below have varying results.

If buymeacoffee.com would implement DMARC it might help with email delivery:

But you can’t use it with the way they are sending support messages through a third party. And that whole scenario is not ideal in my opinion, but it looks like a lot of companies are doing it. I sure hope they did thorough security assessment.

In any case, it seemed like I fixed my problems for the most part. My messages were still sent and received by important parties even with the typos, except for this one vendor. I just wanted to double check a few more sources to make sure this was all good.

Mimecast SPF Record checker

Mimecast also has an SPF record checker:

And a DMARC analyzer. This one is especially helpful because it breaks down and explains each value in your DMARC record:

It showed me the flags I set and some defaulted tags:

Note that Google says they do not support the forensic option. But if the report isn’t coming from Google would you still get it even if you are a Gmail customer? Curious. Perhaps you could send them to an alternate email at some other email host if Google blocks you from receiving them. Something to try later.

Mimecast also has a lovely DKIM analyzer.

Now for this page you have to enter your DKIM Selector.

What’s that? I found the answer on this page:

In my case I sent a message to myself and followed the instructions. Show the original message. You can do that in Google in a web browser like this:

Scroll down to the DKIM portion of the message and according to the article above the DKIM selector is the highlighted portion below starting with s=.

Once again, I thought I had followed Google’s instructions but let’s revisit them.

Well, Google says that to validate that DKIM is working you need to show original as noted above and check to see if DKIM passed. According to Google it did. Am I using the wrong selector?

What is interesting is the additional DKIM message in this email:

I tried that one at Mimecast also and it didn’t work. I’m not getting DKIM errors from MXToolbox. Hmm.
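Added example, not code from the post or from Mimecast: pulling the s= selector and d= signing domain out of every DKIM-Signature header in a saved "show original" message and forming the DNS name an analyzer queries, which also covers the second DKIM-Signature mentioned above. The raw message and all of its values are constructed.

```python
from email import message_from_string

# Constructed raw message (values made up, not from the author's mailbox) with two
# DKIM-Signature headers, as a message relayed by an email service provider often
# has: one signed by the sender's own domain and one by the sending service.
RAW_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=google; h=from:to:subject:date; bh=cGxhY2Vob2xkZXI=;
 b=cGxhY2Vob2xkZXI=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example-esp.net;
 s=esp2023; h=from:to:subject; bh=cGxhY2Vob2xkZXI=;
 b=cGxhY2Vob2xkZXI=
From: Sender <sender@example.com>
To: sender@example.com
Subject: DKIM selector test

body text
"""

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            # Folding whitespace inside a value is not significant, so drop it all.
            tags[name.strip()] = "".join(value.split())
    return tags

def dkim_selectors(raw_message):
    """Return (selector, signing domain, DNS name to query) for each DKIM-Signature."""
    msg = message_from_string(raw_message)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        selector, domain = tags.get("s"), tags.get("d")
        if selector and domain:
            # This is the TXT record name a DKIM analyzer looks up.
            results.append((selector, domain, f"{selector}._domainkey.{domain}"))
    return results

if __name__ == "__main__":
    for selector, domain, name in dkim_selectors(RAW_MESSAGE):
        print(f"selector={selector} domain={domain} query={name}")
```

Only the signature whose d= matches your domain is the one your own DNS must answer for; a second signature from a sending service belongs to that service's domain and selector, which explains why it fails when checked against yours.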

EasyDMARC

A site called EasyDMARC shows the following.

As for the DMARC issue it’s complaining that I’m using quarantine mode and another issue that I think may be specific to their service.

BIMI

Note that I got a bad score for BIMI above. Someone keeps bugging me about adding BIMI to my blog posts. It involves adding a logo to your emails. Given the number of security problems caused by images in applications I’m skipping that for now. I just see this as additional complication and potentially even a source of problems I don’t need at the moment. However if you are concerned about how your logos show up in emails you can read about it here.

From the page above:

BIMI is an emerging standard and is still in development.

Development. (i.e. not thoroughly tested). Meaning likely it hasn’t been thoroughly pentested or abused either to determine if it has any security flaws or other problems. I’ll wait. But everyone can make their own choice.

Well, that’s it for now. I will do more testing later, but at least I confirmed a few things are working as they should be. I’m not sure about the issue reported by Mimecast yet.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023


About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
Author: Cybersecurity for Executives in the Age of Cloud
Presentations: Presentations by Teri Radichel
Recognition: SANS Difference Makers Award, AWS Security Hero, IANS Faculty
Certifications: SANS
Education: BA Business, Master of Software Engineering, Master of Infosec
Company: Cloud Penetration Tests, Assessments, Training ~ 2nd Sight Lab
