Building a Scalable, Service-Centric Sender Policy Framework (SPF) System



Valimail White Paper, February 2018
Building a Scalable, Service-Centric Sender Policy Framework (SPF) System

Introduction

Sender Policy Framework (SPF) is the protocol by which the owners of a domain can define a set of rules in DNS designating which mail servers can deliver emails originating from that domain. Receiving mail servers evaluate those rules and, based on the IP address of the delivering server, determine whether the message in question is allowed to originate from that domain.

First introduced as a standard in 2003, SPF is a critical piece of today's email infrastructure. It is one of two protocols (the other being DKIM) that are used by all the major ISPs to validate incoming email. And more recent standards, such as Domain-based Message Authentication (DMARC), are built on top of SPF. As such it plays a crucial role in anti-spam and anti-phishing efforts.

Until recently the cost of misconfiguring SPF was relatively minor. Email receivers did not weigh SPF heavily in determining whether an email would be delivered to the recipient, or potentially classified as spam. But with the widespread adoption of DMARC and a newfound focus on phishing by Internet Service Providers (ISPs), this situation has changed dramatically. SPF authentication can be crucial to ensuring that an email message is delivered, and so the cost of a misconfiguration can be very high.

Despite this vital role, properly configuring SPF for a domain can present some significant challenges. This white paper will review these challenges, and discuss a system that enables domain owners to easily and correctly configure SPF.

Email Systems Evolve From Self-Hosted to Multiple External Services

When SPF was first introduced in 2003, companies typically managed email systems somewhat differently than they do today. While some large organizations still host their own mail servers, smaller organizations have mostly migrated to external services (e.g. Google Apps, Office 365) for mailbox hosting. And as web services have become a more accepted feature of the landscape, even some of these large organizations have outsourced management of their primary email.

Another key change that has occurred over the last decade is the widespread dissemination of responsibility for sending email for a domain. At one time it was reasonable to assume that all of the email sent under a domain originated from one IT infrastructure. In today's cloud-centric world this is no longer a realistic expectation. A company may use any number of services (mailing list systems, transactional email, content management systems, hosted e-commerce, accounting, etc.) that need to send email from the company's domain. IT may not even know about all of these services; departments can and do configure such services on their own.

For example, a small 30-person company might use Google Apps for its mailboxes, SalesForce for CRM, ZenDesk for customer support, Marketo for lead generation, Sendgrid for email originating from the company's web application, and SurveyMonkey for online surveys. Any of these services may need to send email from the company's primary domain or one or more subdomains. Managing the email security requirements for this many services, especially as they change over time, can be a very significant burden on IT.

Mailing Lists

Mailing lists present a significant challenge for SPF. SPF uses the return path address to determine the originating domain for an email. However, the return path address serves another important purpose. If there is an error delivering the email message (for example, if the email address does not exist) then the receiving mail server will send a bounce message to this address. Mailing list operators typically want to shield their members from these bounce messages, as it's not unusual for an email list to generate tens, hundreds, or more bounce messages per email because of invalid addresses on the list. It's also crucial that the list server software identify the email addresses that are generating bounces, so it can remove those addresses from future mailings.

To address these issues, list servers typically use Sender Rewriting Scheme (SRS) to modify the return path address. As part of this process the domain name in the original return path address is typically replaced with the list's domain, making it impossible to authenticate against the original domain. Historically this has been presented as a benefit, as the list server owner presumably manages the DNS records for the list's domain, and can create an appropriate SPF record on that domain. So it is easy to configure emails sent via the mailing list to pass SPF, even though the original sender domain has no control over the authentication process.

With the advent of DMARC, this one-time advantage has turned into a liability. DMARC introduces the notion of alignment. Alignment requires that the domain of the email address displayed to the user in the From field and the domain against which SPF authentication has occurred share a common subdomain. Since SRS uses the list's domain for SPF authentication, the return path address will never align with the original sender's email address. So even though SPF has nominally passed, it cannot be used for DMARC and the email may be rejected. In practice list servers must rewrite the From email address of the email to pass DMARC. This completely breaks the connection to the sender's original identity and is thus a less than ideal solution. As several large ISPs have switched to DMARC with p=reject (e.g. Yahoo, AOL) this is a serious (and unresolved) issue in the list server community.

Forwarding Addresses

Forwarding addresses are another category of email system that presents a challenge for traditional SPF systems. Forwarding addresses are typically used to redirect emails sent to a public email address to another email address. Some examples of forwarding systems include college alumni lifetime email addresses, email redirects for parked domains, and Facebook user email addresses.

Some forwarding systems act like miniature mailing lists: they rewrite the original return path using SRS. In this case the use of SPF and DMARC presents the same challenges as in the mailing list case. Moreover, rewriting the sender's email address is much less likely to be acceptable for a simple forwarder, so the current solution used by mailing lists is unlikely to be acceptable.

In other cases, the return path is left unchanged when the original email is relayed to its final destination. As it is almost certain that the forwarding system is not explicitly approved under the sender's SPF policy, this means that SPF authentication of the message is almost certain to fail.

DNS as a Configuration Tool

There are significant requirements for the configuration system that underlies a protocol like SPF. The system must be globally available on a 24/7 basis, able to respond to requests in 100s of milliseconds, able to handle traffic at Internet scale, resistant to any kind of local failure, and support the kind of distributed ownership model that underlies SPF. It's hard to think of another system that meets these stringent requirements. That being said, DNS has some substantial limitations that present challenges for senders who wish to configure SPF for their domains.

(Figure: SPF DNS LOOKUP chart, scale 0 to 10)

While configuring DNS records may seem simple to those who are familiar with the process, for non-technical and inexperienced technical users it can be a very intimidating process. Moreover, because so many important systems rely on DNS, it is easy to inadvertently break one or more of these services while modifying the DNS configuration for a domain. Even experienced system administrators usually shy away from making frequent changes to DNS records. Finally, SPF records are configured using DNS TXT records, which are free-form text fields with no validation. So it is very easy to unintentionally introduce an error into a domain's SPF configuration. The error may not be discovered until much later, after email delivery has already been impacted.

With all of the above in mind, configuring SPF by editing DNS records can be both challenging and error-prone. A better option is needed.

The Valimail Solution

Today's email security configuration is best thought of in terms of configured services, not internally managed IP addresses and MX records. Companies should be able to easily authorize and de-authorize email services, ideally with the click of a checkbox. These companies should not be subject to arbitrary limitations on the number of services they can use. And it shouldn't be necessary for a company to know anything about the network configuration of the services they use. Traditional SPF implementations fail on all of these counts.

Moreover, it is critical that any email authentication solution be compatible with the Internet as it exists today. It needs to work with existing ISPs, mailing lists, forwarders, and email standards without requiring across-the-board software updates. The current system has remained broken in part because most proposed solutions require large-scale changes to existing software and coordination between many different organizations.

Valimail provides a scalable, service-oriented, easy-to-use SPF service that:

- Enables authorization and de-authorization of email services with a one-click interface
- Allows domains to support an arbitrary number of authorized services
- Insulates domain owners from needing to know the underlying details of the services they use
- Supports mailing lists and forwarders out of the box
- Works with any existing mail service or ISP that supports SPF
- Requires no additional explicit coordination with email service providers

(Sidebar: Enterprise Level Scalability)

The Valimail solution is based on a combination of carefully curated data and innovative technology. Valimail has built a comprehensive database of email services, mailing lists, and forwarders. This database, updated in real-time, allows us to recognize known email sources, and to configure message authentication behavior based on the validated source. This data allows domain owners to configure authentication policy at the source level, substantially simplifying configuration.

Two new patented technologies are central to Valimail's SPF solution:

- Instant SPF, to fix the 10 lookup limit
- Sender Aligned Return Path

These two new technologies, described in depth below, allow Valimail to take SPF to the next level, fixing long-standing issues inherent in traditional SPF configurations. The Valimail solution allows companies to protect their brands from email threats in a way never before possible. It represents a major step forward for email security and brand protection.

Instant SPF Technology

Every SMTP connection includes two pieces of information, an EHLO name and an IP address, that can be used to identify the computer system delivering the email. The key insight of Instant SPF Technology is that this information, typically discarded or used only in the evaluation phase of SPF, can be used to radically prune the set of SPF rules (known as directives) that need to be evaluated for a given message.

An EHLO name is a fully-qualified domain name (FQDN) that is presented by a mail server during the setup of an SMTP connection. In practice the EHLO name is a subdomain of a domain registered to the organization attempting to send the email. Similarly, IP addresses can be used as a filter to identify the sending organization. IP addresses are allocated by IANA and a few other organizations, and IP addresses are not typically shared between different organizations. The rise of cloud-hosted systems has made IP address allocation somewhat more ambiguous, but in the context of a protocol like SPF that depends on fixed IP address lookup this is not a significant issue.

We can take advantage of this identifying information by combining it with the macro feature of SPF. This feature allows the construction of custom domain names by interpolating request-specific values, like the EHLO name and IP address. We can use macros to construct a custom domain name whose SPF rules are subsequently included and evaluated. Valimail's custom DNS system can respond to this custom domain request, extract the identifying information, map this information to the originating service, and return service-specific SPF rules that can be evaluated by the receiver.
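The macro mechanism described above, as an added illustration that is not Valimail's code: a receiver-side expander for the RFC 7208 macros (%{i} for the connecting IP, %{h} for the EHLO name, %{d} for the domain) and a toy responder that answers the macro-built query with only the directives of the one service it identifies. The query-name layout, the zone name _spf.provider.invalid, the service map and the per-domain authorizations are all constructed here for the demonstration.

```python
import ipaddress
import re

# Constructed data (hypothetical, not Valimail's database): the EHLO suffix and
# IP range each sending service uses, and the SPF directive that service needs.
SERVICE_MAP = {
    "crm-mailer": {"ehlo_suffix": ".crm-mailer.invalid", "cidr": "192.0.2.0/24",
                   "directives": "ip4:192.0.2.0/24"},
    "support-desk": {"ehlo_suffix": ".support-desk.invalid", "cidr": "198.51.100.0/24",
                     "directives": "ip4:198.51.100.0/24"},
}
# Which services each customer domain has authorized (the "checkbox" model).
AUTHORIZED = {"example.com": {"crm-mailer"}}

# RFC 7208 section 7 macro syntax: %{letter digits? r? delimiters?}, %%, %_, %-
MACRO_RE = re.compile(r"%(?:(%|_|-)|\{([slodihv])(\d*)(r?)([.\-+,/_=]*)\})")

def expand_macro(spec, ip, helo, domain, sender):
    """Expand a subset of SPF macros (s l o d i h v) for one SMTP transaction."""
    addr = ipaddress.ip_address(ip)
    local, at, sdom = sender.rpartition("@")
    if not at:                      # no local part: RFC 7208 substitutes "postmaster"
        local, sdom = "postmaster", sender
    values = {
        "s": sender, "l": local, "o": sdom, "d": domain, "h": helo,
        # %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6
        "i": str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", "")),
        "v": "in-addr" if addr.version == 4 else "ip6",
    }
    def repl(m):
        literal, letter, digits, rev, delims = m.groups()
        if literal:
            return {"%": "%", "_": " ", "-": "%20"}[literal]
        labels = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:                     # "r" transformer reverses the label order
            labels.reverse()
        if digits:                  # digit transformer keeps the rightmost N labels
            labels = labels[-int(digits):]
        return ".".join(labels)
    return MACRO_RE.sub(repl, spec)

def instant_spf_record(query_name, zone):
    """Hypothetical responder for a query of the form <ip>._ip.<ehlo>._ehlo.<domain>.<zone>:
    identify the service from EHLO name and IP, then return only that service's
    directives, and only if <domain> authorized it. IPv4 only, to keep parsing short."""
    if not query_name.endswith("." + zone):
        return "v=spf1 -all"
    ip_part, sep1, rest = query_name[: -len(zone) - 1].partition("._ip.")
    helo, sep2, domain = rest.partition("._ehlo.")
    if not (sep1 and sep2):
        return "v=spf1 -all"
    try:
        addr = ipaddress.ip_address(ip_part)
    except ValueError:
        return "v=spf1 -all"
    for name, svc in SERVICE_MAP.items():
        if (helo.endswith(svc["ehlo_suffix"])
                and addr in ipaddress.ip_network(svc["cidr"])
                and name in AUTHORIZED.get(domain, set())):
            return f"v=spf1 {svc['directives']} -all"   # pruned to one service
    return "v=spf1 -all"

ZONE = "_spf.provider.invalid"      # hypothetical zone the include: directive points at
DIRECTIVE = "%{i}._ip.%{h}._ehlo.%{d}." + ZONE

def lookup_for_transaction(ip, helo, domain, sender):
    """Receiver side: expand the macro, then ask the custom zone for the pruned record."""
    return instant_spf_record(expand_macro(DIRECTIVE, ip, helo, domain, sender), ZONE)
```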
We have built a unique map of EHLO name and IP address to service through a combination of crawling public information and working directly with third-party email services. This unique data set includes hundreds of services and is the result of thousands of hours of work, all of which benefits each of Valimail's clients. This combination of custom technology and data allows Valimail to resolve many of the outstanding problems with existing SPF systems.

Sender Aligned Return Path

Sender Aligned Return Path (SARP) is a protocol that allows domain owners to support authentication of mails originating from their domains and delivered via mailing lists and other systems that use Sender Rewriting Scheme (SRS). SARP allows existing mail systems that use SPF and DMARC for validation to authenticate these emails while ensuring that bounce messages are delivered to the intermediate mail server.

SARP works by creating a dedicated subdomain of the sender domain for each mailing list or other authorized system using SRS. The sender domain then publishes a special set of DNS records to support this subdomain. One of the DNS records is a response to a structured query that allows the SRS system to discover the dedicated subdomain. The other is a CNAME record that aliases the dedicated subdomain to the list domain.
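The SARP record set described above, as an added simulation that is not Valimail's code: the sender domain publishes a discovery record and a CNAME for a dedicated subdomain, the list server consults the discovery record before SRS-rewriting the return path, and a relaxed DMARC alignment check shows why the result aligns while plain SRS does not. The label names (_sarp, _sarp-discovery), the SRS hash and timestamp fields, the zone contents and the two-label organizational-domain rule are all assumptions made for the demonstration.

```python
SENDER_DOMAIN = "example.com"       # the From: domain of list members (constructed)
LIST_DOMAIN = "lists.invalid"       # the mailing list's own domain (constructed)

def dedicated_subdomain(sender_domain, list_domain):
    """One dedicated subdomain of the sender domain per authorized SRS system.
    The label scheme is hypothetical; the page does not specify it."""
    return f"{list_domain.replace('.', '-')}._sarp.{sender_domain}"

def sarp_records(sender_domain, list_domain):
    """The two records the sender domain publishes: a discovery record the list
    server can query, and a CNAME aliasing the dedicated subdomain to the list."""
    sub = dedicated_subdomain(sender_domain, list_domain)
    return {f"{list_domain}._sarp-discovery.{sender_domain}": {"TXT": sub},
            sub: {"CNAME": list_domain}}

# Constructed zone data: the list domain's own MX and SPF, plus the SARP records.
ZONE = {LIST_DOMAIN: {"MX": "mx.lists.invalid", "TXT": "v=spf1 ip4:203.0.113.0/24 -all"}}
ZONE.update(sarp_records(SENDER_DOMAIN, LIST_DOMAIN))

def resolve(zone, name, rtype, depth=0):
    """Minimal resolver that follows CNAMEs, so the dedicated subdomain inherits
    the list domain's MX and SPF records."""
    rr = zone.get(name.lower())
    if rr is None or depth > 8:
        return None
    if rtype in rr:
        return rr[rtype]
    if "CNAME" in rr:
        return resolve(zone, rr["CNAME"], rtype, depth + 1)
    return None

def srs_return_path(zone, original_sender, list_domain):
    """List-server side: SRS-rewrite the return path, but put the sender's dedicated
    subdomain after the @ when the sender domain publishes one (SARP)."""
    local, _, sender_domain = original_sender.rpartition("@")
    sub = resolve(zone, f"{list_domain}._sarp-discovery.{sender_domain}", "TXT")
    rp_domain = sub or list_domain              # no SARP record: plain SRS behaviour
    return f"SRS0=HASH=TT={sender_domain}={local}@{rp_domain}"

def org_domain(name):
    """Simplification: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(name.lower().split(".")[-2:])

def spf_aligned(from_addr, return_path):
    """DMARC relaxed SPF alignment (aspf=r, the default): the organizational domains
    of the From: address and the return path must match."""
    return org_domain(from_addr.rpartition("@")[2]) == org_domain(return_path.rpartition("@")[2])

def relay_through_list(zone, from_addr, list_domain):
    """Outcome for one relayed message: where bounces go, which SPF record the
    receiver evaluates for the return-path domain, and whether it aligns for DMARC."""
    rp = srs_return_path(zone, from_addr, list_domain)
    rp_domain = rp.rpartition("@")[2]
    return {"return_path": rp,
            "bounce_mx": resolve(zone, rp_domain, "MX"),
            "spf_record": resolve(zone, rp_domain, "TXT"),
            "dmarc_aligned": spf_aligned(from_addr, rp)}

def deauthorize(zone, sender_domain, list_domain):
    """De-authorizing a list is just removing its two DNS records."""
    pruned = dict(zone)
    for name in sarp_records(sender_domain, list_domain):
        pruned.pop(name, None)
    return pruned
```

Note that the dedicated subdomain aligns only under DMARC's relaxed mode; a sender domain publishing aspf=s would still see the subdomain as unaligned.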

With this set of DNS records, the dedicated subdomain is aligned with the sender domain, but inherits the MX and SPF records from the list domain. So if the list server uses this dedicated subdomain in the return path address instead of the list domain, the conflicting requirements described above can be resolved. Bounce messages will be returned to the list server, messages originating from the list server will be SPF authenticated, and that authentication will be aligned for DMARC.

Participating mailing list systems need only be modified to look up the dedicated subdomain for the sender domain, and substitute this value for the original return path domain. Valimail is working with list server vendors and open source projects to enable this functionality. Unlike other proposed solutions, this is a relatively minor change to existing functionality that avoids significant behavior changes, such as requiring rewrites for all sender email addresses.

Another key point is that when using SARP, the sender domain owner has ultimate control over which systems are permitted to relay messages from the sender domain. A previously authorized system can be de-authorized simply by removing the corresponding DNS records.

Finally, the use of DNS records in this fashion allows sender domains to offload this behavior to a third-party provider like Valimail. There is no need for each sender domain owner to maintain a whitelist of approved mailing lists. This substantially reduces the burden on domain owners while preserving traditional list behavior.

Conclusion

Configuring the Sender Policy Framework for any size company can be difficult, time-consuming, and error-prone. Valimail's combination of proprietary technology and data makes it easy. Companies can leverage Valimail's expertise and systems to ensure that they are correctly authenticating their legitimate emails, wherever those messages might originate. Valimail makes it easy to selectively enable and disable services, without requiring complex and error-prone manual changes to DNS records. And Valimail's systems allow domain owners to avoid the limitations associated with traditional SPF implementations.

About Valimail

Valimail provides the first and only truly automated email authentication solution for brand protection and anti-fraud defense. Valimail's patented, standards-compliant technology provides an unrivaled one-click solution for DMARC enforcement to stop phishing attacks, increase deliverability, and protect organizations' reputations. Valimail authenticates billions of messages a month for some of the world's biggest companies, in finance, government, transportation, health care, manufacturing, media, technology, and more. Valimail is based in San Francisco. For more information visit www.valimail.com.