Email is one of the most used applications for communication today. So how the fluke do you secure it? Well, this is the task I had to go and find out after receiving some potentially very destructive phishing emails; the emails looked so real that, had the user not picked up on slight changes in the mail, we would have had a hefty price to pay.
There are three technologies which I found can assist very quickly with this:
- SPF: validates the server sending the email, and can improve mail deliverability on corporate domains
- DKIM: checks whether the mail was tampered with before it was received
- DMARC: a combination of both SPF and DKIM
Taking a look at DKIM
DKIM (DomainKeys Identified Mail) is designed to detect whether a mail has been altered in transit.
It is important to note that there are two sides to DKIM:
- The sending domain adds a DKIM signature (using a private key) to the mail as it leaves the server
- The receiving domain can choose what to do with the mail depending on the verification result
So how does this work?
As the sending mail server releases the mail it adds a DKIM-Signature header to the message. The signature is specific to each message, because the headers and body differ from one message to the next. DKIM lives in the headers and won't be visible in the mail body itself. When the receiving mail server gets the mail it extracts the necessary data from the DKIM-Signature header: d= (the email domain that signed the message) and s= (the selector). It then queries the sending domain's DNS for that selector to retrieve the public key. Once the key is returned it validates whether the email was changed or not and produces a verification result.
The Mail Header
Below is an example of how the header looks once it leaves the sending mail server:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forflukesake.co.za; s=mimecast20181024; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding:in-reply-to: references; bh=A2g3YKFJwkYZXEG+Qjwk8nCpen4EkZYzzMmLFLgE7es=; b=VPW0kvOAQ7Jx9R5bosd3Yy08mr5DLCulLnQJq+eBKV69a+zjLwDYC5Hq4VoEuLFu6b2Eor0d2bRUPWhjqUsZaTQy4bVs3PSCuxlzmVv4qyu+UEttrIiscZDaK0DvcOv5qNoUxrWdpFU6VrDc4w83NBfU6iiqOu5wB5NlCvP3bN0=
Headers Explained
Tag | Name | Meaning
--- | --- | ---
v | Version | DKIM standard version being used
a | Algorithm | the algorithm used to create the hash and signature
c | Canonicalization | whether changes to the email like whitespace or line wrapping are tolerated
s | Selector | selector used to query the correct public key under the d= domain
d | Domain | the domain that signed the message
h | Headers | the SMTP headers that are included in the cryptographic hash
i | Identity | the identity of the signer, in email address format
b | Signature | the cryptographic signature of the headers and email body
bh | Body Hash | the computed hash of the message body
What types of verification result are generated?
Code | Description
--- | ---
Pass | Message signed, signature acceptable and the verification test passed
Fail | Message signed and the signature accepted, but it failed the verification test
None | Message was not signed
TempError | Temporary error on the key or DNS, e.g. unable to retrieve the public key
PermError | Permanent error, e.g. a required header is missing from the mail
How Do You Setup DKIM
Setting up DKIM for your sending domain is quite easy. Log on to the cPanel where your DNS is hosted. Within the DNS section, first check whether you already have an existing DKIM record; if not, add a TXT record and populate it with the correct data. Note that you can have multiple DKIM records, and it is recommended not to simply change a record but rather to phase it out over a few weeks by creating side-by-side records.
The Data
For all the information on how DKIM records can be populated, you can browse the following link: http://www.dkim.org
Create a TXT record whose name is in the following format:
selector._domainkey.domain
The value of the TXT record is in the following format (tag names are lowercase):
v=DKIM1; k=<public key algorithm>; p=<public key>
Name | Type | Value
--- | --- | ---
Oct20181105._domainkey.forflukesake.co.za | TXT | "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQC//w7h8E+KY+HD31NGuuEdONPhEv4tNAYZ 2VBl4SVcp9RAEy9Ik+B4X2Nyoxx6WYNc0bNV5ThNHQbVL MtAcqhM2m+TrQ6rq8xREc/Mz21o/GYAlsiywNh99AWMHlX iulHXJGZbbuR7VzAMU4RXAyCrL6mjnMEg/7jVtGz8co59XQ IDAQAB"
The above was done via a cloud-based mail archiving server, and the private key was auto-generated by that server. I did not have to set this up myself, so unfortunately I cannot show you how to configure the private key side if you are running a local server.
If you need to set it up on a local server you can use the link below to generate the keys:
https://dkimcore.org/tools/keys.html
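As an added example (not from the original post and not the code of any mail server or archiving product), the following Python script walks through the pieces described in "So how does this work?" and in the DNS record section above: parsing the tag=value lists that both the DKIM-Signature header and the TXT record use, building the selector._domainkey.domain query name, applying the "relaxed" body canonicalization from RFC 6376, computing the bh= body hash, and mapping the outcome onto the result words from the table. The DNS lookup is a constructed in-memory stand-in that returns the TXT value from the example table (line-wrap spaces included), the message body is constructed, and the RSA check of the b= tag is left as a placeholder because it needs the private key and a crypto library; a real verifier runs that step after the body hash matches.

```python
import base64
import hashlib
import re

# --- Constructed sample data (not from the original post, except the TXT value) ---
DOMAIN = "forflukesake.co.za"
SELECTOR = "Oct20181105"
# The TXT value is the one shown in the post's example table, with the
# line-wrap spaces inside p= kept on purpose: DKIM ignores whitespace in base64.
FAKE_DNS = {
    f"{SELECTOR}._domainkey.{DOMAIN}": (
        "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQC//w7h8E+KY+HD31NGuuEdONPhEv4tNAYZ "
        "2VBl4SVcp9RAEy9Ik+B4X2Nyoxx6WYNc0bNV5ThNHQbVL MtAcqhM2m+TrQ6rq8xREc/Mz21o/GYAlsiywNh99AWMHlX "
        "iulHXJGZbbuR7VzAMU4RXAyCrL6mjnMEg/7jVtGz8co59XQ IDAQAB"
    ),
}
SAMPLE_BODY = "Hello team,\r\n\r\nPlease review the attached invoice.  \r\n\r\n\r\n"


def lookup_txt(name):
    """Stand-in for the receiver's DNS TXT query; returns None when nothing is found."""
    return FAKE_DNS.get(name)


def parse_tags(value):
    """Parse a DKIM tag=value list (same syntax in the DKIM-Signature header and the
    DNS TXT record) into a dict, dropping whitespace inside values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization: strip trailing whitespace on each
    line, collapse runs of spaces/tabs to one space, drop empty lines at the end,
    and finish a non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body, algorithm="rsa-sha256"):
    """The bh= value: base64 of the digest of the canonicalized body."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(relaxed_body(body).encode()).digest()).decode()


def dkim_dns_name(tags):
    """The name the receiver queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def build_signature_header(domain, selector, body):
    """Sender side: the DKIM-Signature tags for this message. b= is a placeholder
    here; the real value is the RSA signature made with the private key over the
    h= headers and this bh= value."""
    return (
        f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
        f"h=from:to:subject:date; bh={body_hash(body)}; b=SIGNATURE_PLACEHOLDER"
    )


def verify_body_hash(signature_header, body, dns_lookup=lookup_txt):
    """Receiver side, up to (but not including) the RSA check of b=. Returns one of
    the result words from the post's table."""
    tags = parse_tags(signature_header)
    for required in ("v", "a", "d", "s", "h", "bh", "b"):
        if required not in tags:
            return "PermError"  # signature header is missing a required tag
    record = dns_lookup(dkim_dns_name(tags))
    if record is None:
        return "TempError"  # public key could not be retrieved from DNS
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1" or not key.get("p"):
        return "PermError"  # key record unusable, or key revoked (empty p=)
    if body_hash(body, tags["a"]) != tags["bh"]:
        return "Fail"  # body was altered after it was signed
    return "Pass"  # body hash matches; a full verifier now checks b= with the key


if __name__ == "__main__":
    header = build_signature_header(DOMAIN, SELECTOR, SAMPLE_BODY)
    print("DNS name queried:", dkim_dns_name(parse_tags(header)))
    print("Untouched body:  ", verify_body_hash(header, SAMPLE_BODY))
    print("Reworded body:   ", verify_body_hash(header, SAMPLE_BODY.replace("invoice", "wire transfer")))
    print("DNS unavailable: ", verify_body_hash(header, SAMPLE_BODY, lambda name: None))
```

Running the script shows the untouched body passing, a reworded body failing, and a missing DNS answer producing TempError. Two things worth noticing when reading the output: with c=relaxed a whitespace-only change to the body still passes, which is the tolerance the c= tag buys, and only the headers listed in h= are covered by the signature, so a header outside that list can change without affecting the result at all.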
Receiving Mail with DKIM
This depends on whether the Exchange server you are running accepts DKIM or not. Most corporate environments should have this in place. This is where you receive the verification result and can choose what to do with the mail received. On a public mail service like Gmail you should see a big question mark on any mail that is suspect. This won't be blocked, but a notification will be raised or the mail moved directly to Spam/Junk.
An example would be:
Result | Action
--- | ---
None | Take no action
Neutral | Take no action
Soft Fail | Accept but check spam filtering
Hard Fail | Reject
PermError | Accept but check spam filtering
TempError | Accept but check spam filtering
As a final note, DKIM does not encrypt content; it only tells you whether the message content was altered.