Understanding Email Infrastructure: SPF, DKIM, DMARC, and SMTP


Email infrastructure relies on protocols such as SPF, DKIM, DMARC, and SMTP for secure and reliable delivery. SMTP transports email between servers, and the MTA is the server software that sends and receives it. Understanding these components is essential for effective email delivery and troubleshooting. SMTP reply codes identify how a server answered each command, and log snippets and message headers show the details of a transmission.


Uploaded on Aug 10, 2024



Presentation Transcript


  1. UNDERSTANDING EMAIL, SPF, DKIM, AND DMARC

  2. SMTP: HOW EMAIL GETS FROM HERE TO THERE. TRANSPORT, RELAYS, AND LOGS

  3. SMTP (SIMPLE MAIL TRANSFER PROTOCOL)
     The protocol used to send email to or between servers.
     Can be encrypted or unencrypted: encryption unsupported (uncommon), STARTTLS (opportunistic encryption), or encryption required.
     Can be anonymous or authenticated.
     Port 25: default port.
     Port 587: common for authenticated SMTP, especially for Exchange.
     Port 465: deprecated; SSL-encrypted transport.
     Port 2525: alternative port if the others are not available.

  4. MTA (MAIL TRANSPORT AGENT) AND CLIENTS
     MTA: a term common in *nix environments for the server software that sends or receives email using SMTP.
     Examples: Postfix, Exim, Exchange Hub Transport, IIS, Sendmail
     SMTP clients: Outlook, Eudora, Thunderbird, PowerShell, PHP, Telnet
     Relay (smarthost) vs. direct send
     Open relay?
     SMTP logs and email headers
     Bulk/marketing emailers

  5. SMTP CODES
     220  SMTP service ready
     221  Service closing
     250  Requested action taken and completed
     550  Mailbox unavailable
     551  Recipient mailbox not on server
     552  Mailbox does not have enough storage
     553  Mailbox name invalid
     554  Mailbox disabled

  6. LOG SNIPPET
     2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 HELO - +TeraStation 250 0 55 16 0 SMTP - - - -
     2020-02-20 04:10:10 52.96.88.98 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 220+MN2PR14CA0010.outlook.office365.com+Microsoft+ESMTP+MAIL+Service+ready+at+Thu,+20+Feb+2020+04:10:09++0000 0 0 109 0 16 SMTP - - - -
     2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 MAIL - +FROM:<account@company.com> 250 0 47 34 0 SMTP - - - -
     2020-02-20 04:10:10 52.96.88.98 OutboundConnectionCommand SMTPSVC1 AB-SERVER2 - 6619254 EHLO - AB-Server2.companyl.local 0 0 4 0 16 SMTP - - - -
     2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 RCPT - +TO:<account@company.com> 250 0 35 32 0 SMTP - - - -
     2020-02-20 04:10:10 52.96.88.98 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 250-MN2PR14CA0010.outlook.office365.com+Hello+[12.193.203.242] 0 0 62 0 16 SMTP - - - -
     2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 DATA - <AB-SERVER2FRaqbC8wS00000064@AB-Server2.comapny.local> 250 0 140 3569 16 SMTP - - - -
     2020-02-20 04:10:10 52.96.88.98 OutboundConnectionCommand SMTPSVC1 AB-SERVER2 - 6619254 STARTTLS - - 0 0 8 0 16 SMTP - - - -
     2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 QUIT - TeraStation 240 63 76 4 0 SMTP - - - -
     2020-02-20 04:10:10 52.96.88.98 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 220+2.0.0+SMTP+server+ready 0 0 27 0 31 SMTP - - - -
     2020-02-20 04:10:10 52.96.87.226 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 220+MN2PR05CA0053.outlook.office365.com+Microsoft+ESMTP+MAIL+Service+ready+at+Thu,+20+Feb+2020+04:10:10++0000 0 0 109 0 0 SMTP - - - -
     2020-02-20 04:10:10 52.96.87.226 OutboundConnectionCommand SMTPSVC1 AB-SERVER2 - 6619254 EHLO - AB-Server2.company.local 0 0 4 0 0 SMTP - - - -
     2020-02-20 04:10:10 52.96.87.226 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 250-MN2PR05CA0053.outlook.office365.com+Hello+[12.193.203.242] 0 0 62 0 15 SMTP - - - -
     2020-02-20 04:10:10 52.96.87.226 OutboundConnectionCommand SMTPSVC1 AB-SERVER2 - 6619254 STARTTLS - - 0 0 8 0 15 SMTP - - - -
     2020-02-20 04:10:10 52.96.87.226 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 220+2.0.0+SMTP+server+ready 0 0 27 0 31 SMTP - - - -
     2020-02-20 04:10:10 52.96.88.114 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 220+MN2PR01CA0049.outlook.office365.com+Microsoft+ESMTP+MAIL+Service+ready+at+Thu,+20+Feb+2020+04:10:10++0000 0 0 109 0 16 SMTP - - - -
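The snippet on slide 6 is an IIS SMTP service log in W3C extended format, with an inbound session from a NAS (HELO, MAIL, RCPT, DATA, QUIT, all answered 250) interleaved with outbound sessions to Office 365 (EHLO, STARTTLS, 220). The following added example, which is not code from the presentation, parses such records, regroups them into sessions, and flags a message handed over without STARTTLS or answered with a 4xx/5xx code from the slide 5 table. It assumes the default IIS field order (the snippet carries no #Fields: header) and that IIS stores the connection id of an outbound session in s-port and the peer's reply text in cs-uri-query, with spaces encoded as '+'.

```python
"""Parse IIS SMTP service (W3C extended) log records like those on slide 6 and
summarise each SMTP conversation: the commands issued, the reply codes seen and
whether STARTTLS was negotiated.  Added example, not code from the presentation.
Assumption: no #Fields: header is present, so the default IIS W3C field order is
assumed (date time c-ip cs-username s-sitename s-computername s-ip s-port
cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes
time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer))."""
from dataclasses import dataclass, field

FIELDS = ["date", "time", "c_ip", "cs_username", "s_sitename", "s_computername",
          "s_ip", "s_port", "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status",
          "sc_win32_status", "sc_bytes", "cs_bytes", "time_taken", "cs_version",
          "cs_host", "cs_user_agent", "cs_cookie", "cs_referer"]

# Ten records copied from the slide 6 snippet (the wrapped Message-ID rejoined).
SAMPLE_LOG = """\
2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 HELO - +TeraStation 250 0 55 16 0 SMTP - - - -
2020-02-20 04:10:10 52.96.88.98 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 220+MN2PR14CA0010.outlook.office365.com+Microsoft+ESMTP+MAIL+Service+ready+at+Thu,+20+Feb+2020+04:10:09++0000 0 0 109 0 16 SMTP - - - -
2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 MAIL - +FROM:<account@company.com> 250 0 47 34 0 SMTP - - - -
2020-02-20 04:10:10 52.96.88.98 OutboundConnectionCommand SMTPSVC1 AB-SERVER2 - 6619254 EHLO - AB-Server2.companyl.local 0 0 4 0 16 SMTP - - - -
2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 RCPT - +TO:<account@company.com> 250 0 35 32 0 SMTP - - - -
2020-02-20 04:10:10 52.96.88.98 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 250-MN2PR14CA0010.outlook.office365.com+Hello+[12.193.203.242] 0 0 62 0 16 SMTP - - - -
2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 DATA - <AB-SERVER2FRaqbC8wS00000064@AB-Server2.comapny.local> 250 0 140 3569 16 SMTP - - - -
2020-02-20 04:10:10 52.96.88.98 OutboundConnectionCommand SMTPSVC1 AB-SERVER2 - 6619254 STARTTLS - - 0 0 8 0 16 SMTP - - - -
2020-02-20 04:10:10 192.168.2.191 TeraStation SMTPSVC1 AB-SERVER2 192.168.2.15 0 QUIT - TeraStation 240 63 76 4 0 SMTP - - - -
2020-02-20 04:10:10 52.96.88.98 OutboundConnectionResponse SMTPSVC1 AB-SERVER2 - 6619254 - - 220+2.0.0+SMTP+server+ready 0 0 27 0 31 SMTP - - - -
"""


@dataclass
class Session:
    direction: str            # "inbound" (client -> this server) or "outbound"
    peer: str                 # remote IP address
    commands: list = field(default_factory=list)   # (command, argument) in order
    replies: list = field(default_factory=list)    # 3-digit reply codes in order

    @property
    def starttls(self) -> bool:
        return any(cmd == "STARTTLS" for cmd, _ in self.commands)


def parse_record(line: str):
    """Split one W3C record into a dict, or return None for a malformed line."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None          # wrapped or truncated line: skip rather than guess
    rec = dict(zip(FIELDS, parts))
    # IIS encodes spaces inside cs-uri-query as '+'
    rec["cs_uri_query"] = rec["cs_uri_query"].replace("+", " ").strip()
    return rec


def analyse(log_text: str) -> dict:
    """Group records into sessions keyed by direction, peer IP and HELO name / connection id."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["cs_username"].startswith("OutboundConnection"):
            key = ("outbound", rec["c_ip"], rec["s_port"])
            s = sessions.setdefault(key, Session("outbound", rec["c_ip"]))
            if rec["cs_username"] == "OutboundConnectionCommand":
                s.commands.append((rec["cs_method"], rec["cs_uri_query"]))
            else:
                code = rec["cs_uri_query"][:3]    # reply text starts "220 ..." or "250-..."
                if code.isdigit():
                    s.replies.append(int(code))
        else:
            # For inbound sessions cs-username holds the HELO/EHLO name the client gave.
            key = ("inbound", rec["c_ip"], rec["cs_username"])
            s = sessions.setdefault(key, Session("inbound", rec["c_ip"]))
            s.commands.append((rec["cs_method"], rec["cs_uri_query"]))
            if rec["sc_status"].isdigit():
                s.replies.append(int(rec["sc_status"]))
    return sessions


def findings(sessions: dict) -> list:
    """Things worth a second look: plaintext message transfer and 4xx/5xx replies."""
    notes = []
    for (direction, ip, _), s in sessions.items():
        cmds = {cmd for cmd, _ in s.commands}
        if not s.starttls and cmds & {"MAIL", "DATA"}:
            notes.append(f"{direction} {ip}: message transferred without STARTTLS (plaintext)")
        for code in s.replies:
            if code >= 500:
                notes.append(f"{direction} {ip}: permanent failure reply {code}")
            elif 400 <= code < 500:
                notes.append(f"{direction} {ip}: transient failure reply {code}")
    return notes


if __name__ == "__main__":
    sessions = analyse(SAMPLE_LOG)
    for (direction, ip, ident), s in sessions.items():
        print(f"{direction} {ip} ({ident}): {[c for c, _ in s.commands]} replies={s.replies} tls={s.starttls}")
    for note in findings(sessions):
        print("FINDING:", note)
```

Run against the slide's records, the NAS session is reported as a plaintext hand-off to the relay while the outbound leg to Office 365 negotiated STARTTLS; that asymmetry (encrypted on the Internet, cleartext on the LAN) is exactly the kind of thing these logs reveal.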

  7. HEADERS
     Authentication-Results: ppops.net;
       spf=pass smtp.mailfrom=bT.1kmmfb0=bqc3jkim24bhxf=0yl0fe@return.smtpcorp.com;
       dkim=pass header.d=smtpcorp.com header.s=a1-4;
       dmarc=reject header.from=mspcompany.com
     Received: from a1i580.smtp2go.com (a1i580.smtp2go.com [43.228.186.68])
       by mx0b-002d5b01.pphosted.com with ESMTP id 2vxwhxggrt-1
       (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
       for <account@company.com>; Wed, 30 Oct 2019 17:35:22 -0400
     DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
       d=smtpcorp.com; s=a1-4; h=Feedback-ID:X-Smtpcorp-Track:Message-ID:Subject:
       Date:To:From:Reply-To:Sender:List-Unsubscribe;
       bh=hW9C8vo4Co7Mk/XMcdRTzbzU1nPTr7DrnvHPQMGU/RQ=; b=QKZGpfGFKLiEE8F5aHwfcHEdoK
       vcE+PT8MOJWDzvZU/CnbrdqnUsa7CLZeHSQtZ24aIj4xvIdszuehZjE9L/+3k1uAGGPtiGhM4Bh4J
       HMBkaUQ4z7klPTROkcdkam/cZ51zmSUmN4yQu1yISBtraQfLgLrFlQ9SmhaIzDtGKOwUXiX+D/YOa
       am8zbz9/Byr6o6msPZHDkajV68gNFvCZgaaVv+7ZswvLM18QYOMBxpqTy4KhWyCGa2dLey/UxT7Tg
       ShheZqGsAD5M5nURAMF92cAA4g35SZHXak2BR5qDX346ZvwEt2xU+01WEJhON+0qxH8FbAnUoI5nx
       Ttc0TESw==;
     Received: from [10.45.33.53] (helo=SmtpCorp)
       by smtpcorp.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
       (Exim 4.92-S2G) (envelope-from <helpdesk@mspcompany.com>)
       id 1iPvcf-NaPQdR-MV
       for account@company.com; Wed, 30 Oct 2019 21:35:21 +0000
     Received: from [10.35.168.242] (helo=na-smtp03)
       by smtpcorp.com with esmtp (Exim 4.92-S2G)
       (envelope-from <helpdesk@mspcompany.com>) id 1iPvce-rlZCuT-SE
       for account@company.com; Wed, 30 Oct 2019 21:35:21 +0000
     Received: from ip-0A0A0131 (ip-10-10-3-200.ec2.internal [10.10.3.200])
       by na-smtp03 (Postfix) with ESMTP id 376CEBC8B8
       for <account@company.com>; Wed, 30 Oct 2019 17:27:57 -0400 (EDT)
     Received: from ip-0A0A0131 ([127.0.0.1]) by ip-0A0A0131 with Microsoft
       SMTPSVC(8.5.9600.16384); Wed, 30 Oct 2019 17:35:19 -0400
     To: account@company.com
     From: "Support" <helpdesk@mspcompany.com>
     Date: 30 Oct 2019 17:35:19 -0400
     Content-Type: text/html; charset=us-ascii
     X-OriginalArrivalTime: 30 Oct 2019 21:35:19.0420 (UTC) FILETIME=[ED611BC0:01D58F69]
     Message-ID: <IP-0A0A0131gC81Tbdk00001118@ip-0A0A0131>
     X-Smtpcorp-Track: 1ievc-r_ZCITSE.IkmZ53xIe
     Feedback-ID: 318306m:318306aCCoxYz:318306siM8bkVk1r
     X-Report-Abuse: Please forward a copy of this message, including all headers, to <abuse-report@smtp2go.com>
     X-CLX-Shades: Deliver
     Content-Transfer-Encoding: Quoted-printable
     X-CLX-Response:
     MIME-Version: 1.0
     Subject: [EXTERNAL] Ticket #494535/Company/Ticketing system emails to Company rejected due to DMARC policy
     X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,1.0.8 definitions=2019-10-30_09:2019-10-30,2019-10-30 signatures=0
     X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 phishscore=0 lowpriorityscore=0 suspectscore=6 mlxscore=0 priorityscore=100 adultscore=0 spamscore=0 malwarescore=0 bulkscore=0 clxscore=1005 mlxlogscore=851 impostorscore=0 classifier=clx:Deliver adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1910300189

  8. SPF (SENDER POLICY FRAMEWORK)
     DNS TXT record specifying the servers authorized to send email on your behalf.
     ~all (soft fail) vs. -all (hard fail)
     SPF and SPF domain alignment
     v=spf1 include:spf.protection.outlook.com ip4:31.22.54.67 include:customers.clickdimensions.com a mx include:icpbounce.com all
     10 DNS lookups max
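Two things on this slide are checkable by reading the record alone: the 10-lookup limit (each include, a, mx, ptr, exists and redirect term costs one lookup; ip4/ip6 terms cost none) and the qualifier on the terminal all. The added example below, which is not code from the presentation, tokenises a record, counts its lookup-bearing terms and reports what its all term means to a receiver. It performs no DNS, so nested includes are not followed and the count is only what the record itself spends. It is run against the slide's record exactly as transcribed, whose final all carries no qualifier (a receiver reads that as +all), and against a constructed record that overshoots the limit.

```python
"""Read an SPF TXT record the way a receiving MTA does: tokenise the terms, count
the mechanisms that each cost a DNS lookup against the limit of 10 (RFC 7208),
and say what the final `all` qualifier does.  Added example, not code from the
presentation; it performs no DNS, so nested includes are not followed."""
import re

# Mechanisms/modifiers that consume one of the 10 permitted DNS lookups.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER_MEANING = {"+": "pass (any sender passes)", "-": "hard fail",
                     "~": "soft fail", "?": "neutral"}

# The record shown on slide 8, exactly as transcribed (its final `all` has no qualifier).
SLIDE_RECORD = ("v=spf1 include:spf.protection.outlook.com ip4:31.22.54.67 "
                "include:customers.clickdimensions.com a mx include:icpbounce.com all")
# Constructed record: eleven includes and a hard-fail terminator.
CONSTRUCTED_OVER_LIMIT = ("v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11))
                          + " -all")

# qualifier, mechanism/modifier name, then an optional ":value" / "=value" and CIDR suffix
TERM_RE = re.compile(r"([+\-~?]?)([a-zA-Z0-9]+)((?:[:=]\S*)?(?:/\d+)*)")


def parse_spf(record: str) -> list:
    """Return [(qualifier, name, suffix)] for every term after v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term!r}")
        qualifier = m.group(1) or "+"          # a missing qualifier means '+'
        parsed.append((qualifier, m.group(2).lower(), m.group(3)))
    return parsed


def lookup_count(parsed: list) -> int:
    return sum(1 for _, name, _ in parsed if name in LOOKUP_TERMS)


def all_policy(parsed: list) -> str:
    for qualifier, name, _ in parsed:
        if name == "all":
            return QUALIFIER_MEANING[qualifier]
    return "no all term (implicit neutral)"


def check_spf(record: str) -> dict:
    parsed = parse_spf(record)
    n = lookup_count(parsed)
    return {"lookups": n, "over_limit": n > 10, "all": all_policy(parsed),
            "terms": [f"{q}{name}{suffix}" for q, name, suffix in parsed]}


if __name__ == "__main__":
    for rec in (SLIDE_RECORD, CONSTRUCTED_OVER_LIMIT):
        print(check_spf(rec))
```

The slide's record spends five of its ten lookups before any of the three includes are expanded, which is why a real check has to recurse into them: the includes for Office 365 and marketing platforms often contain further includes of their own.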

  9. DKIM (DOMAINKEYS IDENTIFIED MAIL)
     Digital signature with a public/private key pair; verifies the sender.
     DNS TXT or CNAME entry to publish the public key:
     m1._yourdomain.com | TXT | k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPtW5iwpXVPiH5FzJ7Nrl8USzuY9zqqzjE0D1r04xDN6qwziDnmgcFNNfMewVKN2D1O+2J9N14hRprzByFwfQW76yojh54Xu3uSbQ3JP0A7k8o8GutRF8zbFUA8n0ZH2y0cIEjMliXY4W4LwPA7m4q0ObmvSjhd63O9d8z1XkUBwIDAQAB
     s1._domainkey.yourdomain.com. | CNAME | s1.domainkey.uXXX.wlXXX.sendgrid.net
     Domain alignment:
     subdomain.yourdomain.com. | CNAME | uXXXXXXX.wlXXX.sendgrid.net
     em1234.yourdomain.com | MX | mx.sendgrid.net
     em1234.yourdomain.com | TXT | v=spf1 include:sendgrid.net ~all

  10. DMARC (DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE)
     DNS TXT record.
     Authenticates the sender and provides reporting via XML reports.
     v=DMARC1; p=reject; pct=100; rua=mailto:lxf9mzva@ag.dmarcian.com; ruf=mailto:lxf9mzva@fr.dmarcian.com;
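The headers on slide 7 show why alignment, not just a pass, decides DMARC: the gateway recorded spf=pass and dkim=pass, but SPF passed for return.smtpcorp.com and DKIM for d=smtpcorp.com, neither of which aligns with the mspcompany.com From domain, so under a p=reject policy like the one on this slide the result is dmarc=reject. The added example below, not code from the presentation, reproduces that evaluation from the Authentication-Results header and a DMARC record, then runs a constructed variant in which the sending service signs with a selector delegated under the customer's domain (the CNAME arrangement on slide 9). It assumes RFC 7489 semantics with relaxed alignment by default and approximates the organizational domain as the last two labels, which is right for .com but wrong for suffixes such as .co.uk, where a real evaluator consults the Public Suffix List.

```python
"""Evaluate DMARC for the message on slide 7 from its Authentication-Results
header, using the slide 10 record as the sending domain's policy.  Added example,
not code from the presentation.  Assumptions: RFC 7489 semantics with relaxed
alignment by default (adkim/aspf default 'r'); the organizational domain is
approximated as the last two labels (fine for .com, wrong for e.g. .co.uk)."""

# Copied from the slide 7 Authentication-Results header (as added by the
# receiving Proofpoint gateway) and the slide 10 DMARC record.
AUTH_RESULTS = ("ppops.net; spf=pass smtp.mailfrom=bT.1kmmfb0=bqc3jkim24bhxf=0yl0fe@return.smtpcorp.com; "
                "dkim=pass header.d=smtpcorp.com header.s=a1-4; dmarc=reject header.from=mspcompany.com")
HEADER_FROM = "mspcompany.com"       # domain of the From: address on slide 7
DMARC_RECORD = ("v=DMARC1; p=reject; pct=100; rua=mailto:lxf9mzva@ag.dmarcian.com; "
                "ruf=mailto:lxf9mzva@fr.dmarcian.com;")

# Constructed: what the gateway would record if the sending service signed with a
# selector delegated under the customer's own domain (slide 9's CNAME setup).
FIXED_AUTH_RESULTS = ("ppops.net; spf=pass smtp.mailfrom=bounce@return.smtpcorp.com; "
                      "dkim=pass header.d=mail.mspcompany.com header.s=s1")


def parse_auth_results(value: str):
    """Return (authserv-id, {method: {'result': ..., property: value, ...}})."""
    authserv, _, rest = value.partition(";")
    results = {}
    for clause in filter(None, (c.strip() for c in rest.split(";"))):
        parts = clause.split()
        method, result = parts[0].split("=", 1)
        props = dict(p.split("=", 1) for p in parts[1:])   # e.g. smtp.mailfrom=..., header.d=...
        results[method] = {"result": result, **props}
    return authserv.strip(), results


def parse_dmarc(record: str) -> dict:
    tags = {}
    for tag in filter(None, (t.strip() for t in record.split(";"))):
        k, _, v = tag.partition("=")
        tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    for k, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(k, default)
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. A production evaluator uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(auth_results: str, header_from: str, dmarc_record: str) -> dict:
    _, results = parse_auth_results(auth_results)
    policy = parse_dmarc(dmarc_record)
    spf, dkim = results.get("spf", {}), results.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]   # MAIL FROM domain
    dkim_domain = dkim.get("header.d", "")                         # signing domain
    spf_ok = spf.get("result") == "pass" and aligned(spf_domain, header_from, policy["aspf"])
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim_domain, header_from, policy["adkim"])
    passed = spf_ok or dkim_ok          # DMARC needs one identifier that both passes and aligns
    return {"spf_domain": spf_domain, "spf_aligned_pass": spf_ok,
            "dkim_domain": dkim_domain, "dkim_aligned_pass": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy["p"]}


if __name__ == "__main__":
    print(evaluate_dmarc(AUTH_RESULTS, HEADER_FROM, DMARC_RECORD))
    print(evaluate_dmarc(FIXED_AUTH_RESULTS, HEADER_FROM, DMARC_RECORD))
```

The constructed case passes on DKIM alone even though SPF still points at the provider's return domain, which is the usual remedy when a third-party sender cannot use the customer's envelope domain: delegate a DKIM selector and let aligned DKIM carry the DMARC result.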

  11. REFERENCES/RESOURCES
     https://dmarcian.com
     https://mxtoolbox.com
     https://sendgrid.com/docs/ui/account-and-settings/dkim-records/
     https://serverfault.com/questions/663087/what-is-the-difference-between-all-and-all-in-a-dns-spf-record
