John P Hurst's Ramblings and Interesting Ideas

Any user of eMail has seen a significant quantity of "spam", much of which uses a "spoofing system" to bypass obvious filtering. Many security breaches have been enabled by "phishing attacks", in which a message purporting to be from a friendly and known address is trusted.

DKIM and SPF are systems that have been in use for many years and that allow many such messages to be detected as spoofed. Sadly there are many mail systems that are not yet using these simple techniques. My system ALWAYS uses both of these protections when transmitting messages, allowing any recipient to be assured that messages claiming to be from me are from me.

All mail transmission systems should use these, allowing the recipient to choose whether or not to actually check. If they are not transmitted, the recipient is deprived of this choice.

Both SPF and DKIM are relatively simple to understand and can be enabled by any competent IT professional in only a few minutes. Professional sites, such as Google, and my sites already use them. In the following paragraphs I describe these systems by the use of illustrated examples.


SPF

The Sender Policy Framework system creates a DNS (Domain Name System) record for the sender's domain site. Since only the owner of a domain can add DNS records to the DNS system it may be assumed that the SPF record, where existent, was created by the TRUE owner of the domain. The SPF record describes which computers, by IP address, are permitted to send mail on behalf of the domain.

For example, a lookup of the SPF record for JPHURST.com will return: v=spf1 a mx -all. This return value comprises a version tag (v=spf1), the mechanisms "a" and "mx", and the terminating -all, which are described below.

Since any message from me, wherever I am in the world at the time, is transmitted by my mail server, the address will always be one of those listed.

A recipient of eMail can look to see if the sender's domain has an SPF record in the DNS system. If the sender has been responsible and created such a record, then the recipient's mail agent can check its contents. If the IP address from which the message arrives is not listed, then the message is invalid and must be assumed to be spoofed. For example, messages from me will contain in their headers lines similar to:
Return-Path: jp@2016.jphurst.com
Received: from mail.another1.tk (another1.tk. [107.191.100.195])

which indicates that the message was transmitted by my mail server at the IP address 107.191.100.195 and appears to be from my domain. As a responsible sender I have created the SPF record listed above, v=spf1 a mx -all. A recipient mail agent, such as Google, is able to look at this SPF record and see that I have specified that my mail servers, as indicated by the "mx" in this record, as well as my main domain address, as specified by the "a", are valid senders. The mail agent should look for the SPF record associated with the domain in the message, 2016.jphurst.com. A check of the A-type record in the DNS system will show that my domain's main address is that same 107.191.100.195 IP address. Therefore the message can be assumed to be valid: it has arrived from a mail server that I have listed as a valid and expected sender. A spammer will not have access to my server and will be unable to send messages from it. He will be unable to set my DNS records, so he is thwarted and his spam and spoofing may be detected.

So, a responsible sender has an SPF record and this can be checked by ANY recipient. Messages from IP addresses that are not specified by the SPF record are KNOWN to be spoofed.

The SPF record format allows for various additional methods of specifying the addresses from which mail may be transmitted. It is not the intent here to define that whole system. My record specifies only that my main server, as defined by "a", and my mail servers, as specified by "mx", are the ONLY IP addresses that will EVER transmit messages from me. Any message with a "Return-Path" of 2016.jphurst.com must be from one of the IP addresses specified.


DKIM

DKIM, Domain Keys Identified Mail, takes this use of the DNS to the next step. It not only allows for the detection of spoofed messages but adds a cost to spammers who own their own domain and so can send messages with valid SPF records. Such messages will not be from "trusted" addresses but could pass SPF checking. Additionally, DKIM assures that the sender had access to additional assets belonging to the sender.

Professional eMail agents such as Google will always use DKIM.

With DKIM each message, before being transmitted, has a DKIM signature added to its header. The signature uses Public Key Infrastructure systems and ensures that the message was transmitted/signed by the owner of the "private key". Each signature is specific to each recipient, so a spammer would need to add significant code to sign each separate message.

The DKIM system publishes the sender's signature made using his private key and so any recipient can be certain that the sender of the message had access to the private key.

For example, my DKIM key is published, using DNS, as:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8222mSpFjN2+Z0cfK2JVVk1Uh+hOg9SLljoa205BkouprhE+H4NBzzV+DTdau12W1YmaMF4JDbrFTVCBXVJLMUrY7QsZQF2K6ZtJN92Hpb8drwV5rQPdoiIzgFp4B117/SxyCi92ZyMlQUlZjTzQfIcXWygCNyk4yROJYh/EBcQIDAQAB
It is indexed by
mail._domainkey.jphurst.com
so any responsible mail agent is able to look it up as a DNS TXT-type record by prefixing "mail._domainkey." to the domain name. The returned value specifies the type of public key, in this case RSA (k=rsa), and the actual key (p=).

All messages from me contain a header similar to:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=2016.jphurst.com; s=mail; t=1465982278; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=To:From:Subject:Date:From; b=opL4E5D3et+CwsgUBUSELH/6m27KC97DtZvNLofbi6wmOScAKNg+62mSk3XYSfOTd phfdsSRsIsCrgriz7jEONDPL+j+c3lcBJhioCmTdYn3fiGK/zjoO26R38NGBxIH6kv efk6TvaY/0i3CSFdDMZvMeW7AzE6jmfVVqIta3Sc=
The recipient's mail client, seeing the DKIM-Signature, requests the DNS record with my public key and is able to ensure that the message was signed by me. My signature, as can be seen above, signs the To, From, Subject and Date headers. If a signature is found to be invalid when checked with my public key, then it is known that I did not send the message.
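To make the recipient's first steps concrete, here is an added Python example (not code from this article): it parses the DKIM-Signature header quoted above into its tags, derives the DNS name of the public key from the s= and d= tags, and recomputes the bh= body hash under the "simple" body canonicalisation named by c=relaxed/simple. Checking the b= value against the RSA key from DNS is the following step and needs an RSA library, so it is deliberately left out; the header constant is the article's own, re-joined from its folded form.

```python
import base64
import hashlib

# DKIM-Signature header quoted in the article (folded b= value re-joined).
ARTICLE_SIG = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=2016.jphurst.com; "
    "s=mail; t=1465982278; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; "
    "h=To:From:Subject:Date:From; b=opL4E5D3et+CwsgUBUSELH/6m27KC97DtZvNLofbi6"
    "wmOScAKNg+62mSk3XYSfOTd phfdsSRsIsCrgriz7jEONDPL+j+c3lcBJhioCmTdYn3fiGK/"
    "zjoO26R38NGBxIH6kv efk6TvaY/0i3CSFdDMZvMeW7AzE6jmfVVqIta3Sc="
)

def parse_tags(text):
    """Split a tag=value list (a DKIM-Signature value or the TXT record at
    selector._domainkey.domain) into a dict, dropping folding whitespace."""
    tags = {}
    for item in text.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def parse_signature_header(header_line):
    """Take the tags from a full 'DKIM-Signature: ...' header line."""
    return parse_tags(header_line.split(":", 1)[1])

def key_record_name(sig):
    """The DNS name a verifier queries for the public key: <s>._domainkey.<d>"""
    return f"{sig['s']}._domainkey.{sig['d']}"

def simple_body_hash(body):
    """bh= under 'simple' body canonicalisation: trailing empty lines are
    removed, the body ends in exactly one CRLF, then base64(SHA-256)."""
    lines = body.replace("\r\n", "\n").rstrip("\n")
    canon = (lines + "\n").replace("\n", "\r\n")
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def body_hash_matches(sig, body):
    """First verifier step: does the received body still hash to the signed
    bh= value? (Checking b= with the RSA key fetched from key_record_name()
    is the next step; it needs an RSA library and is not implemented here.)"""
    return sig.get("bh") == simple_body_hash(body)
```

A body that has been altered in transit, or by a spammer re-using a captured header, fails this check before any RSA work is needed.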

Google for example, when seeing messages from me adds headers:
Authentication-Results: mx.google.com;
dkim=pass header.i=@jphurst.com;
spf=pass (google.com: domain of jp@2016.jphurst.com designates 107.191.100.195 as permitted sender) smtp.mailfrom=jp@2016.jphurst.com
Google, and any other responsible mail agent, has checked my SPF and DKIM and has a GREAT degree of assurance that the message is from me. Note that they see dkim=pass and spf=pass.


Sadly, there are still irresponsible, incompetent and other mail administrators who do not set their servers to use DKIM and SPF, or even either one.

This article was inspired by a request from a friend who was receiving spoofed mail from one of his friends and wanted a way to detect it. I checked the spoofed and non-spoofed messages and discovered that:

There was therefore no way by which a recipient could EVER tell when a message was spoofed. The use of ~all (tilde all) in the SPF record specifically told recipients that all senders were valid, and there was no signature. While it is true that ~all is defined as "softfail", it specifically indicates that messages may be accepted from an invalid sender. Personally I can see no reason to EVER use this value.

It will be noted that the SPF record did include "include:spf.serverdata.net", which specifies that the list of IP addresses for valid senders is held at spf.serverdata.net rather than directly in this record. Checking that SPF record did indeed return the data v=spf1 ip4:64.78.0.0/18 ip4:162.244.196.0/22 ip4:199.193.200.0/21 ip4:206.225.164.0/22 ip4:162.216.192.0/22 ip4:66.119.34.16/28 ip4:205.140.223.32/28 ip4:185.64.212.0/22 ip4:103.211.140.0/23 ip4:69.10.229.0/24. The "clean" messages were in fact sent from IP address 96.114.154.197, which is not listed either. So, this sender's messages can NEVER be verified. He has an SPF record that says "any sender is valid"; this recommendation, specified by the ~all (tilde all), is useless since his valid messages are not transmitted by listed addresses. He fails to use DKIM.
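The following Python evaluator is an added example, not code from this article, serving both the SPF section above and this case: it walks an SPF record the way a receiving mail agent does, resolving the "a", "mx", "ip4" and "include:" mechanisms against a constructed DNS table (which reuses the IP addresses quoted in the article; "friend.example" is a placeholder domain) and returning the result that the -all versus ~all terminator produces for a sender that is not listed.

```python
import ipaddress

# Constructed DNS table standing in for live lookups (example data, not a
# real resolver): TXT holds the SPF strings, A and MX hold the hosts that
# the "a" and "mx" mechanisms expand to, mirroring the records quoted in
# the article. "friend.example" is a placeholder for the friend's domain.
DNS = {
    "TXT": {
        "2016.jphurst.com": "v=spf1 a mx -all",
        "friend.example": "v=spf1 include:spf.serverdata.net ~all",
        "spf.serverdata.net": "v=spf1 ip4:64.78.0.0/18 ip4:162.244.196.0/22",
    },
    "A": {
        "2016.jphurst.com": ["107.191.100.195"],
        "mail.another1.tk": ["107.191.100.195"],
    },
    "MX": {"2016.jphurst.com": ["mail.another1.tk"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the connecting IP against the domain's SPF record and return
    'pass', 'fail', 'softfail', 'neutral' or 'none' (no usable record)."""
    record = DNS["TXT"].get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # mechanisms default to "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain                # "a"/"mx" default to the domain
        if mech == "all":
            return RESULT[qualifier]          # terminator: -all vs ~all
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return RESULT[qualifier]
        if mech == "a" and sender_ip in DNS["A"].get(target, []):
            return RESULT[qualifier]
        if mech == "mx" and any(sender_ip in DNS["A"].get(host, [])
                                for host in DNS["MX"].get(target, [])):
            return RESULT[qualifier]
        if mech == "include" and check_spf(arg, sender_ip, depth + 1) == "pass":
            return RESULT[qualifier]          # only a "pass" inside counts
    return "neutral"                          # record ended without "all"
```

The same unlisted sender, 96.114.154.197, is a hard "fail" against the -all record but only a "softfail" against the ~all one, which is the difference the paragraph above complains about.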


Copyright © 2016 JP Hurst - All Rights Reserved