2 Martijn van Geffen – Http://www.tech-savvy.nl
7/10/2019 3:32 AM
How to run a DMARC project and brand name security to provide identification, validation and insight reports for domain owners
Martijn van Geffen
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 The following topics will be discussed in this deck
- Why start a DMARC project
- Attack vectors
- Implementation phases as domain owner
  - Implement monitoring mode
  - Implement quarantine mode
  - Implement reject mode
- Implementation phases as mail receiver
- Technical best practices
Although this document outlines the steps to a full implementation, a design will still need to be created to define how the technical implementation will be done and how to monitor it.

4 Why START a DMARC Project

5 Why START a DMARC Project
Protect employees and customers:
- Protect employees and customers from phishing attacks
- Protect employees and customers from data theft
- Protect employees and customers from impersonation
Control:
- Protect the company from brand name reputational damage
- Gain insight into numbers, size and targets
- Gain control over trusted 3rd party delegation
- Make your domains less appealing for malicious intent
Note: Office 365 tags unauthenticated mail as junk.

6 “Cyber security is a CEO issue.” - McKinsey
CYBER THREATS ARE A MATERIAL RISK TO YOUR BUSINESS
- $4.0m is the average cost of a data breach per incident.
- 81% of breaches involve weak or stolen passwords.
- >300K new malware samples are created and spread every day.
- 87% of senior managers have admitted to accidentally leaking business data.
Sources: McKinsey, Ponemon Institute, Verizon, Microsoft

7 Phishing is on the rise…
- >$5B potential loss via business compromise since 2013
- >255K unique phish attacks in 2016
- >600 unique brands attacked
- >800M phish mails seen in Q2 & Q3 2017
Source: IC3 report, APWG, Microsoft

8 Protect company from brand name reputational damage
Malicious persons might attempt to do reputational damage to your corporation by impersonating your company.

9 Protect employees and customers from Phishing attacks
Malicious persons might attempt to steal credentials from your employees by impersonating internal departments.

10 Protect employees and customers from Data theft
Malicious persons might attempt to steal data from your employees by impersonating colleagues.

11 Gain Insight into numbers, size and targets
DMARC will provide you with the data to generate reports of mail that fails your SPF and DKIM policy, exposing domain abuse and misconfigured 3rd party mail delegation.

12 Gain Control over trusted 3rd party email delegation
How do you control a 3rd party sending on behalf of your company? How do you control your company's projects asking a 3rd party to send on your behalf? DMARC will give you insight into projects attempting to launch a new trusted 3rd party sender, and DMARC / SPF / DKIM will allow you to stay in control at the end of a contract.

13 Make your domains less appealing for malicious persons
Your company has a worldwide trusted brand name. This makes it appealing for malicious persons, as trust with the target victim is already in place. A malicious person will try to find the largest publicly known domain with the least defenses. Increasing defenses will decrease attack vectors and numbers.

14 Implementation phases as domain owner

15 Implementation phases as domain owner
Phases: Monitor → Evaluate → Quarantine → Reject

16 Implementing the monitor phase
Start simple by only monitoring the domain and classifying abuse and trusted senders.
Actions:
- Create a functional mailbox for reports
- Register an SPF DNS record (if none is present): “v=spf1 ?all”
- Register a DMARC record (if none is present): “v=DMARC1; p=none;”
Steps in this phase: Implement monitor records → Create reports → Identify threats vs trusted senders → Update SPF records

17 Create reports from data received
Within 48 hours the first reports will be received (at least 35 days of data is needed before a preliminary report can be made).
Actions:
- Use a free tool or script to generate a report based on failed DKIM and failed SPF (available from tech-savvy), OR
- Outsource DMARC reporting to a 3rd party

18 Identify threats vs trusted senders
Use the report to identify trusted senders.
Actions:
- Start with the highest volume count of failed SPF senders.
- Validate whether the sender is a known trusted sender.
- Optional: if it is a trusted sender, identify the responsible contact at both your company and the 3rd party. This is needed in phases 2 and 3 of the implementation.
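An added example, not code from the deck or from tech-savvy's tooling, that performs the report step of slides 17 and 18 offline: it parses a constructed DMARC aggregate (RUA) report, ranks sending IPs by failed-SPF volume so the largest offenders are reviewed first, and marks which sources match a constructed trusted-sender list.

```python
# Added example, not from the deck: parse a DMARC aggregate (RUA) report and
# rank sending IPs by messages that failed SPF, highest volume first (slide 18).
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges, not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>contoso.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>contoso.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>contoso.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>contoso.example</header_from></identifiers></record>
</feedback>"""

# Constructed list of senders the mail team has already validated as trusted.
TRUSTED_SOURCES = {"192.0.2.10": "newsletter vendor (constructed)"}


def summarize_report(xml_text, trusted=TRUSTED_SOURCES):
    """Return (ip, total, spf_fail, dkim_fail, dmarc_fail, label) tuples sorted by
    spf_fail descending. A message fails DMARC only when both aligned checks fail,
    so dmarc_fail is the volume that quarantine/reject would actually affect."""
    totals = defaultdict(lambda: [0, 0, 0, 0])  # total, spf_fail, dkim_fail, dmarc_fail
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        t = totals[ip]
        t[0] += count
        t[1] += 0 if spf_ok else count
        t[2] += 0 if dkim_ok else count
        t[3] += 0 if (spf_ok or dkim_ok) else count
    rows = [(ip, *t, trusted.get(ip, "UNKNOWN - investigate")) for ip, t in totals.items()]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    for ip, total, spf_fail, dkim_fail, dmarc_fail, label in summarize_report(SAMPLE_REPORT):
        print(f"{ip:14} total={total:5} spf_fail={spf_fail:5} dkim_fail={dkim_fail:5} "
              f"dmarc_fail={dmarc_fail:5} {label}")
```

Real reports arrive as gzip or zip attachments in the report mailbox; decompress them first and feed the XML to summarize_report.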

19 Update SPF monitor records
Update DNS records for trusted parties.
Actions:
- For each identified trusted party, update your SPF record to include their mail servers.
- Migrating 3rd parties to a subdomain is preferred and can be done at a later stage.
- Do not use “include” if the 3rd party also has an include (monitoring for changes is needed if using include; there is a risk of including a 4th party, so it is better to use A, MX or IP4).

20 Implement monitor phase - Evaluation
Review the implementation cost and benefits. If the goal was to gain insight into the domain senders and domain abuse, your implementation is finished. Do note that timely iterations of the monitoring cycle are needed to maintain the implementation. If the goal is a full implementation that protects the brand name, you should start the quarantine and reject phases.

21 Implement Quarantine phase
In this phase the implementation is gradually set to advise receivers to quarantine mail that does not pass the SPF, DKIM and DMARC checks. The DKIM protocol will be implemented. Optional: DNSSEC will be implemented.

22 Implement Quarantine phase
Steps in this phase: Implement DKIM → Ramp up to 100% quarantine → Optional: Implement DNSSEC

23 Implement DomainKeys Identified Mail (DKIM)
DKIM will be implemented to harden the solution, as it brings cryptographic authentication and validation. DKIM is part of the DMARC validations. To implement DKIM a sender will need to start signing the mail with a certificate and send the public key to the domain owner. The domain owner publishes this key in DNS so the receiver can read the key and validate the signature.
Actions:
- Validate that all sending mail servers in the SPF record are capable of DKIM signing
- Send out instructions to all 3rd parties to start signing with DKIM using the provided selector
- Implement DKIM signing at your own MTAs
- Monitor DMARC reports for implementation readiness

24 Ramp up to 100% quarantine
At the start of this phase you should be confident that the SPF record is solid and no 3rd party senders are missing. Monitoring and formal procedures are in place to secure a 3rd party migration. Creating and analyzing DMARC reports should be a familiar process.
To ramp up to 100% quarantine you will need to change the SPF record to end with “-all”. This is a big bang change. The impact should be low, as you have the DMARC reports to know what will start to fail the SPF check. Next, at intervals, you can increase the DMARC quarantine percentage with any step between 0 and 100%.
Actions:
- Change the SPF record to “-all” and include an “exp” modifier.
- Change the DMARC record to start quarantine mode with incremental percentages (pct=10) until you reach 100%.

25 Optional: Implement DNSSEC
All your domains are now protected with SPF, DKIM and DMARC. But a protection is only as strong as its weakest link. All data and policies for your protection depend on the DNS system. Hardening DNS with DNSSEC is recommended.
Actions:
- Implement DNSSEC on your DNS zones.

26 Implement Quarantine phase - Evaluate
After the quarantine phase you should evaluate the implementation and review the design. Start procedures for how to implement new domains and 3rd parties. Start procedures for application onboarding that engage the mail team in implementing DMARC right from the start.

27 Implement reject phase
In the reject phase domains will be set to reject if DMARC fails. All the domains will be hardened, protecting sub brands.

28 Accepted email domains
Your advice is still set to quarantine, so mail might still be accepted by receivers. As your confidence grows that the mail being quarantined is malicious or unwanted, you can switch to reject. This will advise receivers to immediately drop the mail if DMARC fails, without the need for further inspection.
Actions:
- Change DMARC records to reject (p=reject)
Domain groups in this phase: Accepted domains → Brand names → Any other domain

29 Accepted Email domains
Protect brand names While the domains have been protected from spoofing attempts the next level is to protect non- domains used by brand names. As these domains don’t sent out mail registering a reject record will protect the domains. Actions: Implement SPF on root domain ( v=SPF –ALL EXP:expdomain) Implement wildcard SPF on sub domains ( v=SPF –ALL EXP:expdomain) Implement DMARC on root domain (v=DMARC1; p=reject; ) Accepted domains Brand names Any other domain

30 Protect any other domain
Register and protect domains that might be perceived as your brand and protect them from abuse (EAI). As these domains don’t send out mail, registering the domain and creating the DNS reject record will protect these domains and their original domain.
Examples:
- contoso.nI (last letter is i instead of L)
- xn--cntoso-3wa.com.eu (EAI punycode for còntoso.eu)
Actions:
- Register DNS domains that look like your brand domains
- Implement DMARC on the root domain (v=DMARC1; p=reject;)
- Implement SPF wildcard and SPF records on the root domain (v=spf1 -all exp=expdomain)
- Implement wildcard SPF and SPF on subdomains (v=spf1 -all exp=expdomain)

31 Implement reject phase - evaluate
All domains, brands and subdomains have been protected. Monitor your DMARC reports for abuse against any domain or brand name. Keep educating your end users.

32 Implementation phases as Mail receiver

33 Implementation phases as mail receiver
Steps: Identify edge MTA capabilities → Enable SPF, DKIM and DMARC validation checks

34 Identify edge MTA capabilities
To apply the SPF, DKIM and DMARC policies to inbound mail, the edge Mail Transport Agent has to support the protocols. These protocols can only be enabled on edge MTAs.
Actions:
- Identify all edge MTAs and verify whether their brand supports SPF, DKIM and DMARC scanning.
- If needed, upgrade the MTA to the latest version to support the latest DMARC releases.
- If needed, import modules to enable the protocol scanning agents.

35 Enable SPF, DKIM and DMARC validation checks
As the domain owner is in control of the SPF, DKIM and DMARC records, it is always the domain owner's responsibility to publish the correct policy, and it is a best practice to follow that advice. Because of this, enabling the protocols is very low risk and can be done at the same time.
Actions:
- Enable the protocols on your edge MTAs.
- If needed, configure them to follow the domain owner's advice.
- Do not enable DMARC RUF report sending unless your infrastructure can handle the load and you want to participate in troubleshooting other domain owners' implementations.

36 Technical Best practices

37 SPF best practices
Optimization:
- Make use of the sequential SPF lookup: set your most used servers at the front of the SPF record.
- Split your own servers from 3rd party servers by using “include”. This way other parties can include your servers.
- Use redirect and include when your servers are responsible for many (sub)domains.
No brainers:
- List a server only once; having servers listed multiple times in different includes only bloats your record. Remember that SPF evaluation stops at the first match.
- Only list outbound servers that send mail out.
- Test your SPF records before you implement them.
- Make sure the MTA that is doing the SPF check is not behind a NAT device.
- Inform your marketing and application departments. Especially marketing tends to host advertising campaigns via 3rd party mass mail solutions.

38 SPF best practices
SPF <-> DMARC conflicts:
- DMARC uses Boolean validation: SPF “?” and “~” equal “-” for DMARC.
Increased protection:
- Harden your security by combining SPF with DKIM.
- Use DNSSEC to harden the DNS system that is publishing the public keys.
- Publish null SPF records for your domains that don’t send mail: “v=spf1 -all”.
Common mistakes and don’ts:
- Using an “all” mechanism together with a redirect modifier.
- Many administrators think they have protected their domain when they use “~all”.
- Do not use “include” pointed at an empty record.
- Do not change your record to use “include” or “redirect” when the record it points to does not yet exist. First create / change the record in the include.
- Do not enable the SPF check on an MTA that is not on your edge mail infrastructure.
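An added example, not code from the deck, that checks the SPF rules from slides 19, 37 and 38 against a constructed zone instead of live DNS: nested includes (4th party risk), an include pointing at an empty record, “?all” / “~all” that DMARC treats as a fail, terms placed after “all” that are never evaluated, “all” combined with redirect, and the 10 DNS-lookup limit. All domain names and records are constructed.

```python
# Added example, not from the deck: offline SPF record linter for the rules
# on slides 19, 37 and 38. DNS is replaced by the ZONE dictionary below.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data: what a TXT lookup of each name would return.
ZONE = {
    "contoso.example": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.vendor.example "
                       "include:empty.example ~all",
    "_spf.vendor.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.subvendor.example -all",
    "_spf.subvendor.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "empty.example": "",
    "brand.example": "v=spf1 -all",  # null record for a non-sending domain
}


def lint_spf(domain, zone=ZONE, depth=0, findings=None, lookups=None):
    """Return a list of findings for the SPF record published at `domain`.
    Follows include/redirect through `zone`, counting DNS-lookup terms."""
    findings = [] if findings is None else findings
    lookups = [0] if lookups is None else lookups   # shared counter across recursion
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        findings.append(f"{domain}: no SPF record (include/redirect to empty record)")
        return findings
    terms = record.split()[1:]
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    seen_all = False
    for term in terms:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = body.partition(":") if ":" in body else body.partition("=")
        name = name.lower()
        if seen_all:   # evaluation stops at the first match, and 'all' always matches
            findings.append(f"{domain}: '{term}' is unreachable, evaluation stops at 'all'")
            continue
        if name in LOOKUP_MECHANISMS:
            lookups[0] += 1
        if name == "all":
            seen_all = True
            if qualifier in "?~":
                findings.append(f"{domain}: '{term}' is treated as a fail by DMARC, prefer -all")
            elif qualifier == "+":
                findings.append(f"{domain}: '{term}' authorizes every sender")
            if has_redirect:
                findings.append(f"{domain}: 'all' present, so redirect= is ignored")
        if name == "include":
            if depth >= 1:
                findings.append(f"{domain}: nested include of {arg} (4th party risk, prefer ip4/a/mx)")
            lint_spf(arg, zone, depth + 1, findings, lookups)
        if name == "redirect":
            lint_spf(arg, zone, depth + 1, findings, lookups)
    if depth == 0:
        if lookups[0] > 10:
            findings.append(f"{domain}: {lookups[0]} DNS lookups exceed the SPF limit of 10 (permerror)")
        if not seen_all and not has_redirect:
            findings.append(f"{domain}: no 'all' mechanism, record ends in an implicit neutral")
    return findings
```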

39 DKIM best practices
- Use certificates with a key strength of 1024 or 2048 bit; smaller keys are subject to security risks.
- Do not use 4096 bit certificates: the size of the key does not fit in a 512-byte DNS UDP response packet.
- Keep the selectors unique and don’t reuse them. Using a part of the date in the selector name makes it easy to identify, for example, the date the certificate will expire (example: mycert). Now you can query DNS for the expiration date instead of investigating the certificates themselves.
- Separate your MTAs’ selectors from 3rd party servers by using different certificates and selectors. This way YOU stay in control of what a 3rd party signs on your behalf.
- Use DNSSEC to harden the DNS system that is publishing the public keys.
- DKIM is better considered a transport security mechanism than an anti-phishing mechanism if used on its own. You should combine it with SPF and DMARC.

40 DNS best practices
- Use DNSSEC to harden the DNS system that is publishing the public keys.
- Your TXT records should not exceed the 512 byte UDP size (roughly 450 characters).
Common mistakes and don’ts:
- Your TXT records on the same domain are NOT multiple records (this is the same reason there are only 13 root DNS servers).
EAI guidance: see the Tech-savvy.nl EAI post for more details.

41 DMARC best practices
- Make an architectural design.
- Use both SPF and DKIM.
- Use a DMARC authorization record when the RUA address does not equal the domain.
- Do not enable RUF. When needed, consult legal (GDPR / PII data).
Common mistakes and don’ts:
- DMARC needs SPF and DKIM to succeed.
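An added example, not code from the deck, covering the DMARC points of slides 24 and 41: it parses a constructed DMARC record, reports a partial pct ramp-up, an enabled ruf tag, and an external rua address that lacks the authorization record at <domain>._report._dmarc.<rua domain>, and shows the disposition a receiver applies to a DMARC-failing message inside and outside the pct window. The domains and records are constructed; `domain` is assumed to be the organizational domain.

```python
# Added example, not from the deck: DMARC record checks for slides 24 and 41,
# run against a constructed zone so no live DNS is needed.

# Constructed zone data: what a TXT lookup of each name would return.
ZONE = {
    "_dmarc.contoso.example": "v=DMARC1; p=quarantine; pct=10; "
                              "rua=mailto:dmarc@reports.example; sp=none",
    # Authorization record the external report receiver must publish so that
    # reports for contoso.example may be sent to reports.example.
    "contoso.example._report._dmarc.reports.example": "v=DMARC1",
    # Same external rua, but no authorization record published, and ruf enabled.
    "_dmarc.fabrikam.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reports.example; "
                               "ruf=mailto:forensic@fabrikam.example",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain, zone=ZONE):
    """Return findings for the DMARC record of `domain` (assumed to be the
    organizational domain, so a rua address under it needs no authorization)."""
    findings = []
    tags = parse_dmarc(zone.get(f"_dmarc.{domain}", ""))
    if tags.get("v") != "DMARC1":
        return [f"{domain}: no DMARC record"]
    if tags.get("p") not in VALID_POLICIES:
        findings.append(f"{domain}: missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if tags.get("p") != "none" and pct < 100:
        findings.append(f"{domain}: pct={pct}, only {pct}% of failing mail gets p={tags['p']}")
    if "ruf" in tags:
        findings.append(f"{domain}: ruf= enabled, forensic reports may contain PII (consult legal)")
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if not uri.startswith("mailto:") or "@" not in uri:
            continue
        rua_domain = uri.split("@", 1)[1]
        if rua_domain != domain and not rua_domain.endswith("." + domain):
            auth = zone.get(f"{domain}._report._dmarc.{rua_domain}", "")
            if not auth.startswith("v=DMARC1"):
                findings.append(f"{domain}: external rua {rua_domain} lacks authorization record")
    return findings


def disposition(tags, roll):
    """Disposition a receiver applies to a DMARC-failing message, given its random
    roll (0-99): inside pct the published policy applies, outside it the next
    lower policy applies (reject -> quarantine, quarantine -> none)."""
    policy = tags.get("p", "none")
    if roll < int(tags.get("pct", "100")):
        return policy
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
```

Because mail outside the pct window only drops to the next lower policy, a reject record with pct=10 still quarantines the other 90%; plan the ramp-up accordingly.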

