SPF and DMARC

All mail servers should use SPF & DMARC

This article is not a lesson in configuring or implementing SPF or DMARC. It is more about the importance of using these tools to fight spam and other junk mail. There are links at the bottom to DMARC and SPF generators. You can also read about fail2ban here.

Today I received, via email for a domain I registered more than 20 years ago, 30 or 40 messages informing me that mail I had sent could not be delivered or was delayed. This is a perfectly normal thing when mail is unable to be delivered. Although… I had not sent anything from that account for months, therefore something was crook and I wanted to know what.

Has my mail server been sending junk mail?

My initial thought was that my SMTP box, located at the back of my house, may have been broadcasting spam all over the world. Such a problem might be caused by a hacked device on my network, or perhaps one of my other servers has some form of malware installed or, worse, has been remotely hacked. Either way, I was dumbfounded and needed it resolved quickly to ensure my mail server did not get blacklisted.

When I examined the attachments contained within the bounce messages I determined quickly none of the mail had originated from my server. The “From:” field for the undelivered emails was me but it didn’t come from here. Someone was using my email address to blast crap around the internet.

If only the receiving mail servers implemented SPF

SPF (Sender Policy Framework, originally proposed as Sender Permitted From) is a mechanism designed to determine whether or not a mail server is authorised to send mail for the domain it claims to be from.

The technical specifications for SPF can be found in RFC 7208.

By using SPF the receiving mail server would have known the mail was bogus and ignored the connection.

The SPF process is very simple:

Sender:"Hey there, I have email for you - over"
Receiver: "Roger, who is it from - over"
Sender: "It's for someone@example.com - over"
Receiver quietly checks SPF & DMARC for example.com
Receiver: "Disconnecting, you are being naughty - goodbye!"

Based on the oversimplified conversation above, the receiving mail server would have immediately determined the sender wasn’t authorised and ended the transaction. That would have saved me 10 minutes of my life trying to figure out if my server had been compromised.

A simple SPF record

SPF works through your DNS and requires nothing more than a TXT record. An example record is below;

"v=spf1 a mx a:mail.example.com mx:example.com mx:someotherdomain.com ip4:YOUR_IP_ADDRESS -all"

This record says that the domain's own A and MX records, the host mail.example.com, the MX hosts of example.com and someotherdomain.com, and the server at YOUR_IP_ADDRESS are all authorised to send mail for this domain. The closing "-all" tells receivers that anything else should fail; without a terminating "all" term the result for an unlisted host is merely neutral and receivers have nothing to reject on.

It’s really very simple and can provide you with at least some protection. But sadly many mail providers do not use it; I don’t know if they are lazy or it’s just too hard. Anything we do to fight spam is worth the effort in my opinion.
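To show what the receiving server in the conversation above actually does with a record like this, here is an added example (not from the original article) that evaluates a connecting IP against an SPF record. DNS is replaced by a constructed lookup table so it runs offline, the IPs and host names are made up, and only the terms the article's record uses (a, mx, ip4, all) are handled.

```python
"""Simplified SPF evaluation: does the connecting IP pass the domain's record?"""
import ipaddress

# Constructed stand-in for DNS so the example runs offline (not real data).
FAKE_DNS = {
    ("A", "example.com"): ["192.0.2.10"],
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "mail.example.com"): ["192.0.2.25"],
    ("MX", "someotherdomain.com"): ["mx.someotherdomain.com"],
    ("A", "mx.someotherdomain.com"): ["198.51.100.7"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Same shape as the article's record, with a constructed IP and a '-all' terminator.
RECORD = "v=spf1 a mx a:mail.example.com mx:someotherdomain.com ip4:203.0.113.5 -all"

def lookup(rtype, name):
    return FAKE_DNS.get((rtype, name.lower()), [])

def check_spf(record, domain, sender_ip):
    """Return pass/fail/softfail/neutral/none, evaluating terms left to right."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means 'pass' if it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]  # the catch-all decides everything unmatched
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup("A", arg or domain)
        elif mech == "mx":
            matched = any(str(ip) in lookup("A", h) for h in lookup("MX", arg or domain))
        else:
            continue  # include/redirect/exists are not handled in this simplified checker
        if matched:
            return QUALIFIERS[qualifier]
    # Record ended without an 'all' term: RFC 7208 makes the result neutral,
    # so such a record gives the receiver nothing to reject on.
    return "neutral"

if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.99"):
        print(ip, check_spf(RECORD, "example.com", ip))
```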

DMARC is also a good tool to use

DMARC (Domain-based Message Authentication Reporting and Conformance) is an email validation scheme designed to protect your email domain from being used for email spoofing, phishing scams and other cyber-shit. This is what had happened when mail was sent, by someone else, using my email address.

If you are interested in the dirty details of DMARC it is covered by RFC-7489.

The basics are that if mail claiming to be from your domain is sent from an unauthorised server and the receiving server supports DMARC, you will be notified of the sending IP address along with other details.

You can check DMARC records using the “dig” command. For example, my own DMARC record looks like this:

dig @8.8.8.8 TXT _dmarc.wozsites.com.au

; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 TXT _dmarc.wozsites.com.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60744
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 2fb0f5fd45829bbf0100000062cb92e144a1de3ebb65e590 (good)
;; QUESTION SECTION:
;_dmarc.wozsites.com.au. IN TXT

;; ANSWER SECTION:
_dmarc.wozsites.com.au. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@wozsites.com.au; ruf=mailto:postmaster@wozsites.com.au; fo=1; aspf=r"

;; Query time: 212 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 11 11:02:57 PST 2022
;; MSG SIZE rcvd: 202

In the above example I have used @8.8.8.8, which causes “dig” to request the information from Google’s public name servers.
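The following added example (not part of the original article) shows how a receiver would apply the DMARC record above to one message: it parses the tags, checks that the domain SPF verified is aligned with the visible From: domain (aspf=r means relaxed, organisational-domain alignment), and applies p=reject when the check fails. DKIM is left out, as the article defers it, and the organisational-domain helper is a constructed shortcut rather than the real Public Suffix List.

```python
"""Simplified DMARC evaluation for one message, using only the SPF result."""

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")   # RFC 7489 defaults when a tag is absent
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    return tags

def org_domain(name):
    """Organisational domain. Constructed shortcut instead of the Public Suffix
    List: ccTLD second levels like com.au / co.uk count as part of the suffix."""
    labels = name.lower().rstrip(".").split(".")
    two_part = (len(labels) >= 3 and len(labels[-1]) == 2
                and labels[-2] in ("com", "net", "org", "co"))
    return ".".join(labels[-3:] if two_part else labels[-2:])

def spf_aligned(from_domain, spf_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == spf_domain.lower()
    return org_domain(from_domain) == org_domain(spf_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain):
    """Return (disposition, aggregate-report addresses).
    DMARC passes only if SPF passed AND the domain SPF checked (MAIL FROM)
    aligns with the visible From: domain; otherwise the record's p= applies."""
    tags = parse_dmarc(record)
    passed = spf_result == "pass" and spf_aligned(from_domain, spf_domain, tags["aspf"])
    disposition = "pass" if passed else tags["p"]
    reports = [u.strip()[len("mailto:"):] for u in tags.get("rua", "").split(",")
               if u.strip().startswith("mailto:")]
    return disposition, reports

# The record published in the dig output above.
RECORD = ("v=DMARC1; p=reject; rua=mailto:postmaster@wozsites.com.au; "
          "ruf=mailto:postmaster@wozsites.com.au; fo=1; aspf=r")

if __name__ == "__main__":
    # Forged From: header sent by a server that passes SPF for its own domain only.
    print(dmarc_disposition(RECORD, "wozsites.com.au", "pass", "spammer.example"))
```

Both of the article's scenarios end in "reject": a forger whose MAIL FROM is the author's domain fails SPF, and one who uses their own domain passes SPF but fails alignment.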

Run your Mail Server as securely as possible

Sadly we live in a world where scammers & spammers consume much of the world’s internet bandwidth. Gone are the good old days when all SMTP servers were open relays and we could each feel confident that the mail we received was for us and from someone we knew.

Efficiency

Mail providers and ISPs should put in the effort to ensure the services they provide are as secure as possible. Yes, it is difficult to get everything working properly & securely, but we should do everything we can to protect both our users & ourselves.

You must support all the usual TLS, SSL etc. plus always have an appropriate security certificate which is updated regularly. Make certain your DNS records are correct and secure from remote delegation.

Use spam block lists such as Spamhaus or similar so your mail server checks incoming connections against a list of known spammers and rejects them as necessary.

Implement both SPF & DMARC right away as well as DKIM (DomainKeys Identified Mail). DKIM is another story for another day.

Doing these three things alone will give you a better chance at detecting junk before you accept it and pass onto your users. Then you won’t need to send me emails telling me non-existent messages couldn’t be delivered.

Online Generators

If you’d like to create your own SPF or DMARC record, use the links below; they will take you to MX Toolbox, a great site for help with email and other problems.

DMARC Generator

SPF Generator

Good luck.