EmailDiscussions.com  

Old 22 Mar 2016, 07:20 PM   #1
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
How to enable SPF (or similar) on my domain

Looking for clues as to how I can enable SPF (sender policy framework) on my own domain please? The domain's MX records point to Fastmail.

I have had a few instances where I have apparently sent myself an email with an attachment. In all cases the sending IP is obviously external. The latest is from an IP address that belongs to BSNL.IN (a broadband provider in India).

I assume that enabling SPF on my domain will help mitigate against such attacks? Both incoming to me and emails that are sent elsewhere using my domain name?

Or is there something better than SPF that I should think about?

thanks
Edward

Old 22 Mar 2016, 08:32 PM   #2
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,945
Quote:
Originally Posted by ewal View Post
I assume that enabling SPF on my domain will help mitigate against such attacks?
Sort of.... It will not prevent anybody sending emails pretending to be from you. It may increase the chance of such messages being marked as spam at the receiving end. AFAIK no email service marks messages with failed SPF as "hard spam"; at best a kind of "X-warning-spf-failed" header is added, or the spam score (slightly) increased.
Old 22 Mar 2016, 11:02 PM   #3
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
Quote:
Originally Posted by janusz View Post
Sort of.... It will not prevent anybody sending emails pretending to be from you. It may increase the chance of such messages being marked as spam at the receiving end. AFAIK no email service marks messages with failed SPF as "hard spam"; at best a kind of "X-warning-spf-failed" header is added, or the spam score (slightly) increased.
Thanks. Fully understood.

Do you know how I would go about implementing it within Fastmail?

Edward
Old 23 Mar 2016, 02:27 AM   #4
unlocktheinbox
Member
 
Join Date: Feb 2016
Posts: 47
SPF records are done in DNS - You can use this SPF Wizard to generate the TXT record for you.

You can also set up DMARC - Fastmail doesn't take action on incoming messages (they haven't made a decision on this yet, but I believe they plan to implement policy action soon), but it will prevent other people from getting that same attachment in Yahoo, Gmail, etc. that looks like it's coming from you.

Once you have everything set up - Test to make sure it's working, send emails to

check-auth@verifier.port25.com
mailtest@unlocktheinbox.com

For an auto-response of your authentication.
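Added example, not posted by anyone in this thread: a small offline SPF evaluator that shows how a receiving server walks the TXT record the wizard above produces. The two records in FAKE_TXT are constructed stand-ins (the include target spf.provider.example and the address ranges are assumptions, not Fastmail's real records); the evaluator handles ip4, ip6, include and all, and shows why "-all" and "~all" give different results for the same unauthorized sender.

```python
import ipaddress

# Constructed TXT records standing in for live DNS; the include target and
# address ranges are illustrative assumptions, not Fastmail's real records.
FAKE_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:spf.provider.example -all",
    "spf.provider.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:ff::/48 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain, txt):
    """Return the domain's SPF record, or None if it publishes none."""
    rec = txt.get(domain.lower().rstrip("."))
    return rec if rec and rec.lower().startswith("v=spf1") else None


def check_spf(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate ip against domain's SPF record, RFC 7208 style.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = get_spf(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) are not handled here
            continue
        qual = "+"                      # mechanisms default to the 'pass' qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            inner = check_spf(ip, arg, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):   # missing or broken include is a permerror
                return "permerror"
            # fail/softfail/neutral inside an include: no match, keep evaluating
        elif mech in ("a", "mx", "ptr", "exists"):
            continue                    # need live DNS; skipped in this offline demo
        else:
            return "permerror"          # unknown mechanism
    return "neutral"                    # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "2001:db8:ff::1", "192.0.2.1"):
        print(ip, check_spf(ip, "example.org"))
```

The forged message in the first post came from a broadband address; with a record ending in "-all" that sender evaluates to "fail", with "~all" only to "softfail", and, as janusz says, what a receiver does with either result is the receiver's decision.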
Old 23 Mar 2016, 04:39 AM   #5
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
Hmm, this is going over my head somewhat. I'll need to dedicate some time trying to get a handle on this. Maybe I will hop over to your site for further help?

Very impressed with your website and how the wizard works.

On DMARC, am I understanding this correctly, implementing it will give me a periodic report of some kind giving me details of misuse of my domains? Very useful if it does and anyway if it stops my domain name being used as a sender to mail services providers such as gmail, yahoo that would be great.

Within Fastmail domain settings there are various screens saying that SPF and DKIM are not set up correctly, with MX records set up correctly. However, for all my domains, the full zone is held elsewhere (ZoneEdit for 2 domains and Namecheap for another). Maybe I have to have the full zone at Fastmail (so as to set TXT records?).

Edward
Old 23 Mar 2016, 06:56 AM   #6
unlocktheinbox
Member
 
Join Date: Feb 2016
Posts: 47
Quote:
On DMARC, am I understanding this correctly, implementing it will give me a periodic report of some kind giving me details of misuse of my domains? Very useful if it does and anyway if it stops my domain name being used as a sender to mail services providers such as gmail, yahoo that would be great.
Yes, Gmail and Yahoo both process DMARC and you'll get a ton of reports from a lot of other domains too.

There are a few tools that parse the reports:

https://dmarcian.com/
https://www.dmarcanalyzer.com/

To make it easier to understand.

Quote:
Maybe I have to have the full zone at Fastmail (so as to set TXT records?).
I don't think that's the case, but I'm not a FM guru.
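Added example, not from any poster in this thread: the aggregate (rua) reports that Gmail, Yahoo and others send are XML in the RFC 7489 format, and the hosted parsers linked above do essentially what this script does. SAMPLE_RUA is a constructed report (the reporter name, IPs and domains are invented for the demo); summarize_rua() totals messages per source IP and unauthorized_senders() lists the IPs whose mail never passed DMARC, which is where a joe-job shows up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report format; the reporter,
# source IPs and domains are illustrative, not taken from a real report.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1234</report_id>
    <date_range><begin>1459468800</begin><end>1459555199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.9</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <spf><domain>203-0-113-77.broadband.example</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_rua(xml_text):
    """Aggregate one rua report: per-source message counts and DMARC outcome."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results; DMARC passes if either does
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = dkim == "pass" or spf == "pass"
        src = summary["sources"].setdefault(
            ip, {"messages": 0, "passed": 0, "failed": 0, "dispositions": []})
        src["messages"] += count
        src["passed" if passed else "failed"] += count
        disp = rec.findtext("row/policy_evaluated/disposition")
        if disp not in src["dispositions"]:
            src["dispositions"].append(disp)
    return summary


def unauthorized_senders(summary):
    """Source IPs where no message passed DMARC: candidate spoofers."""
    return sorted(ip for ip, s in summary["sources"].items()
                  if s["passed"] == 0 and s["failed"] > 0)


if __name__ == "__main__":
    report = summarize_rua(SAMPLE_RUA)
    print(report["reporter"], report["domain"], "p=" + report["policy"])
    for ip, s in report["sources"].items():
        print(ip, s)
    print("unauthorized:", unauthorized_senders(report))
```

Real reports arrive as zipped or gzipped attachments, one XML document each; decompress first and feed the text to summarize_rua(). With p=none the disposition stays "none" for the failing source, which is the point of starting in monitoring mode before moving to quarantine or reject.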
Old 24 Mar 2016, 12:50 AM   #7
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
Quote:
Originally Posted by unlocktheinbox View Post
Quote:
Originally Posted by ewal View Post
Maybe I have to have the full zone at Fastmail (so as to set TXT records?).
I don't think that's the case, but I'm not a FM guru.
Definitely not the case. I host my DNS at EasyDNS and everything works fine for the most part. As long as your DNS provider lets you set TXT records (as any half-decent one should), you can setup the records anywhere. DNS is DNS at the end of the day.

The only advantage to hosting your DNS zone at FastMail is that they'll automatically provision some of the records for you, but you can find out what they're supposed to look like just by going into your Domain settings in the new FastMail settings interface and clicking the "Show DNS Settings" link near the top, above the "Domain Security" heading.
Old 24 Mar 2016, 01:05 AM   #8
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
Many thanks jhollington. Good to know. I really ought to consolidate where I have my zones and learn more on txt records.

I specifically did not set my zones at fastmail due to the perceived risk of having everything in one basket but perhaps that risk is overblown.

But yes I saw the recommended txt settings in Fastmail domain settings so it seems like a simple copy/paste job to where I have the zones.

The website that unlocktheinbox has looks very good as well in that it has wizards to set up numerous settings (including DMARC, which looks like it could have lots of positive benefits).

Just need some time to do a deep dive.

For now I have simply 'turned off' the addresses that were used in my domain to send garbage with the simple expedient of pointing mail to itself.

Edward
Old 24 Mar 2016, 06:03 AM   #9
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
Quote:
Originally Posted by ewal View Post
I specifically did not set my zones at fastmail due to the perceived risk of having everything in one basket but perhaps that risk is overblown.
Well, I guess it sort of depends on how mission-critical email is, and what else you use your domain name for.

If FastMail were to go down, you lose access to your email while it's down, and your MX records. It's low-risk, as I'm not aware of any major outages, but if your DNS MX records are hosted elsewhere, at least you can point them to another provider and still receive your email there. This assumes of course you even have another provider available that can handle custom domains — unless you're keeping an extra one setup, the time it would take to not only change the MX records but sign up for another email service makes this a somewhat more impractical point.

Of course, if your DNS is also used for a website or other non-mail related services that don't point to FastMail, then obviously there's a benefit to keeping it separate in that case as well.

For me, the main reason I've kept my DNS on EasyDNS is that I prefer to use DNSSEC to secure my primary domain name, and FastMail doesn't offer that service yet. Plus, EasyDNS is already my DNS registrar, so the incremental cost of having them provide hosting is minor (in fact, it's zero if I only want basic DNS hosting).

As for DMARC and SPF et al, I've just taken the time over the years to understand how the records work and what the various fields mean — it's not overly complicated, and I prefer to just craft the records myself and know exactly what they're doing.
Old 1 Apr 2016, 08:09 PM   #10
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
Well I managed to find some time to look at this.

For one of my domains, with zone held at zoneedit/easydns, I have published both SPF and DKIM records. Fastmail reports these records as being properly configured. For a domain I have at namecheap I have published an SPF record but for reasons that are unclear to me so far the DKIM record does not seem to be public (even though it sticks within the namecheap dashboard).

Anyway, focussing on the domain that I have at zoneedit/easydns, I tested it using the validators:

check-auth@verifier.port25.com
mailtest@unlocktheinbox.com

For unlocktheinbox I get 15 'warnings' and 4 'criticals' but can't really work out which is which (output is not very user friendly). With port25.com I get:
Quote:
SPF check: pass
DomainKeys check: neutral
DKIM check: permerror
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
So other than the DKIM check all looks ok. For the permerror on DKIM check the narrative is 'public key missing'.

Not sure how to fix this error. Is it something that Fastmail have to do on their side? Fastmail, within the domains section of settings, is reporting that both SPF and DKIM are properly configured.

Once I fix this error (assuming I need to) I will then attempt to implement DMARC for this domain. Once I have it correct for this domain I will then copy everything to my main domain (the one I'm having Joe Job problems with).

Edward
Old 1 Apr 2016, 11:48 PM   #11
unlocktheinbox
Member
 
Join Date: Feb 2016
Posts: 47
I sent you the full report without anything blocked out.
Old 2 Apr 2016, 12:45 AM   #12
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
Wow, that is very kind of you. I was wondering why I had an extra email without me prompting it. Anyway thanks (and also thanks for not displaying the domain name here).

Since my last post I added relevant DMARC txt entries (using your DMARC tool as the wizard. Real easy to understand btw!).

I had a look at the failures (3 seen, but 5 'criticals' mentioned in the summary?).

Anyway the first relates to SOA records not found at zoneedit. Not sure if this will impact my SPF/DKIM/DMARC settings?

The second fail relates to the Smartermail DKIM test failing but not the Limilabs Test. According to your KB this may be a bug. Where do I go from here? How can I check if Fastmail is signing my email correctly?

The third relates to DMARC and the DKIM fail so if I fix the first this one will pass I assume.

By the way do you know why when I search on my zone (using the various tools out there) I only see the SPF TXT record but do not see the DKIM and DMARC records? Why are they being filtered out?

How would I go about testing my settings and in particular sending emails with spoof sender details so as to get DMARC reporting?

Thanks for your time btw.

Edward
Old 2 Apr 2016, 03:00 AM   #13
unlocktheinbox
Member
 
Join Date: Feb 2016
Posts: 47
Anything in red is considered a critical - A few of them are from the DNS Hostname Mismatch, which I think is out of your control. It's something that MessageEngine should address.

The DKIM is one - Notice that I use three different DKIM testers, since your email is signed multiple times. SpamAssassin just looks for a passing entry, Limilabs just passes the first one it finds. Smartermail evaluates all of them. So based on who you're mailing, it determines if it's going to fail or not.

It's good to evaluate your email at different places, as you saw Port25 evaluated each DKIM separately.

Your DMARC passes, because it only has to pass the ADKIM or ASPF test, it doesn't have to pass both.

I can see your DKIM and DMARC records, I think it depends on propagation. I link to the records in the report, so you should see them come up; if they don't, just change the drop down to a different DNS provider and re-query.
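Added example, not from any poster in this thread: the "only has to pass ADKIM or ASPF" point above, written out as the alignment check a DMARC-aware receiver performs. dmarc_evaluate() parses a DMARC TXT record, checks whether the SPF-authenticated domain or any passing DKIM d= domain aligns with the From: header domain under the record's adkim/aspf modes, and returns the result plus the disposition the published policy calls for. It also shows why one failing signature among several does not fail DMARC, and why the forged message from the first post does. The records and domains are constructed; org_domain() uses a two-label shortcut instead of the Public Suffix List, which is an assumption for the demo.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Assumption for this demo: organizational domain = last two labels.
    # Real evaluators consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def dmarc_evaluate(record, header_from, spf, dkim_sigs):
    """spf: (MAIL FROM domain, result) or None; dkim_sigs: [(d= domain, result), ...].
    Returns (dmarc_result, disposition). pct sampling is ignored here."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("none", "none")          # no policy published, nothing to enforce
    spf_ok = (spf is not None and spf[1] == "pass"
              and aligned(spf[0], header_from, tags["aspf"]))
    dkim_ok = any(result == "pass" and aligned(d, header_from, tags["adkim"])
                  for d, result in dkim_sigs)
    if spf_ok or dkim_ok:                # either aligned identifier suffices
        return ("pass", "none")
    return ("fail", tags["p"])


if __name__ == "__main__":
    policy = "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.org"
    # Forgery: SPF passes for the forger's own bounce domain, but it does not align.
    print(dmarc_evaluate(policy, "example.org", ("broadband.example", "pass"), []))
    # Two signatures, one broken: the aligned passing one carries DMARC.
    print(dmarc_evaluate(policy, "example.org", ("example.org", "pass"),
                         [("example.org", "fail"), ("mail.example.org", "pass")]))
```

Under strict alignment (adkim=s / aspf=s) the mail.example.org signature in the second case would no longer count, so tighten alignment only once the aggregate reports show every legitimate sender signs or bounces from the exact From: domain.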
Old 2 Apr 2016, 07:11 AM   #14
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
Thanks again for your most helpful input on this.

So to conclude (on interim basis), I will wait for some reports (from hopefully both RUA and RUF) and assuming nothing terrible found there I'm good to go on my main domain. I will essentially use same settings as the one I did today.

As to hostname mismatches and SOA errors (and other criticals mentioned) I don't see what else I can do so will just have to wait (hope?) that the responsible players will correct things. But my main target of getting SPF/DKIM/DMARC implemented is done (I believe).

Edward
Old 2 Apr 2016, 07:56 AM   #15
unlocktheinbox
Member
 
Join Date: Feb 2016
Posts: 47
You still need to get that 1 DKIM Signature fixed that's failing.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy