Scribd Logo
Upload

Welcome to Scribd!

  • Esa SPF Dkim Dmarc

    Uploaded by

    luis_omar07
    162 views14 pages
    This document provides recommendations for deploying Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) on a Cisco Email Security Appliance (ESA) to authenticate email. It describes configuring DKIM and DMARC verification profiles, enabling verification in mail flow policies, and creating content filters to handle SPF failures. Implementing these technologies helps stop fraudulent and phishing emails according to the document.

    Original Description:

    Esa Spf Dkim Dmarc

    Original Title

    Esa Spf Dkim Dmarc

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides recommendations for deploying Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) on a Cisco Email Security Appliance (ESA) to authenticate email. It describes configuring DKIM and DMARC verification profiles, enabling verification in mail flow policies, and creating content filters to handle SPF failures. Implementing these technologies helps stop fraudulent and phishing emails according to the document.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    162 views14 pages

    Esa SPF Dkim Dmarc

    Uploaded by

    luis_omar07
    This document provides recommendations for deploying Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) on a Cisco Email Security Appliance (ESA) to authenticate email. It describes configuring DKIM and DMARC verification profiles, enabling verification in mail flow policies, and creating content filters to handle SPF failures. Implementing these technologies helps stop fraudulent and phishing emails according to the document.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 14

    SPF / DKIM / DMARC

    Recommended Deployment

    September 2015
    Version 1.0

    Hrvoje Dogan
    Security Solutions
    Architect

    The most current version of this document can be found here:


    https://cisco.com/go/emailsecurity-customer
    ESA BEST PRACTICES

    PURPOSE OF THIS DOCUMENT

    Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based
    Message Authentication, Reporting and Conformance (DMARC) are three technologies
    most commonly used to stop and detect fraudulent or phishing email. All three are part of
    the basic functionality (Incoming Mail Handling) on the ESA. This Document will show
    how to configure them and propose a simple way to deploy for a small to medium
    enterprise.

    EMAIL AUTHENTICATION IN THE PIPELINE

    Email authentication on the ESA is implemented as a two-step process. Since SPF and
    DKIM do not provide the facility for the sending domain to specify the message handling
    policy, the first step of SPF and DKIM verification occurs in the Incoming phase of
    message processing, right after Recipient Validation. In this step, SPF conformance of
    HELO and MAIL FROM identities is verified, and DKIM signature is processed.
    Results of the processing are stored in Received-SPF and Authentication-Results
    headers respectively. Later on, receiving systems can act on authentication verdicts using
    Content Filters or Message Filters.

    DMARC, on the other hand, provides a facility for the sending domain to specify desired
    message policy. Thus, right after DMARC verification, the desired policy will be applied
    and no further action is necessary on the receiving end.

    Since SPF is only DNS-based, and DMARC uses a combination of DKIM, SPF and DNS,
    the only relevant technology for outgoing mail is DKIM. DKIM signing is done at the very
    end of delivery stage in the pipeline, right before applying the Bounce Profile and
    delivering the message.

    CONFIGURING EMAIL AUTHENTICATION VERIFICATION

    This is the easier part of implementing email authentication. While SPF is simple and
    straightforward, DKIM and DMARC require profile creation. This chapter will provide an
    overview of deployment for Incoming Mail processing.

    2
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    Step 1: DKIM Verification Profile configuration

    Before enabling DKIM verification, you should check the default profile settings and adapt to your
    security requirements. To access it, go to Mail Policies -> Domain Keys / Verification Profiles.

    In general, the default settings should be acceptable for most environments. You might
    want to reject messages for Temporary Failure (e.g. DNS inaccessible for public key
    retrieval), or Permanent Failure. However, at this stage we recommend these messages to
    be accepted, and later tagged or quarantined using a filter.

    Step 2: DMARC Verification Options and Profile configuration

    Unlike DKIM, DMARC settings should be modified for better visibility of reporting
    component. To access DMARC Verification settings, go to Mail Policies -> DMARC

    3
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    In the Global Settings section, you should modify (click on Edit Global Settings) Entity
    Generating Reports and Additional Contact Information for Reports. These should
    contain your domain name, and contact information in case that sender domain will need to
    contact you. By default, ESA will generate an aggregate failure report for DMARC daily at
    midnight. Sending Forensic Reports is currently not supported.

    You should also edit the default DMARC Verification Profile. As all other components of
    the ESA, the default values are set up in a way to never block any traffic, to avoid any
    inadvertent messaging interruptions. However, to properly implement DMARC, messages
    must be blocked or quarantined as per sender domains instructions. Thus, you should
    modify the following in the default DMARC Verification Profile:

    - Reject Policy Message Action: Change to Reject


    - Quarantine Policy Message Action: Change to Quarantine To, and select a policy
    quarantine to use. You may want to quarantine messages that fail DMARC in a
    separate quarantine to do this, create a new quarantine either on the ESA or on the
    SMA first
    - Other settings should be left at default values at this point

    4
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    Step 3: Email Authentication Verification Configuration in the Mail Flow Policies

    Now that our profiles are ready, we can configure verification for all incoming mail. This is
    controlled by the Mail Flow Policies, and the best way to achieve it is to change the Default
    Policy Settings. Go to Mail Policies -> Host Access Table (HAT) / Mail Flow Policies, and
    click on Default Policy Parameters in the bottom.

    Scroll down to Security Features section of the default Mail Flow Policy, and select
    DKIM Verification, SPF/SIDF Verification and DMARC Verification to On. If you
    have created a verification profile other than DEFAULT, make sure to reference that
    profile. Additionally, check the Send aggregate feedback reports box in the DMARC
    configuration. After you submit and commit your changes, the ESA will start verifying
    incoming messages. Take note that if you are using multiple listeners to receive incoming
    email, you will have to do this for every listener. Also, double-check any Mail Flow
    Policies with Accept behavior if they are bypassing the default values for email
    authentication settings.

    You now need to click on the Mail Flow Policies that have the Behavior set to Relay
    and turn Off DKIM Verification, SPF Verification, and DMARC Verification. The Relay
    5
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    Behavior is for Outgoing Mail Flow and we do not want to enable DKIM/SPF/DMARC
    Verification for Outgoing mail.

    Step 4: Filter configuration for SPF and DKIM handling

    As previously mentioned, because there are no explicit instructions on how to handle


    messages that fail SPF and DKIM, this has to be specifically configured using Content
    Filters or Message Filters. This document will provide instructions for Content Filter
    deployment, however Message Filters should be configured analogous to Content Filters.

    There are multiple ways in which a message can pass or fail DKIM or SPF verification. For
    DKIM those are:

    - Pass (message passed signature verification)


    - Neutral (message not signed)
    - Temperror (recoverable error e.g. cant reach DNS to retrieve public key)
    - Permerror (unrecoverable error e.g. the signature references a non-existing key)
    - Hardfail (verification failed)
    - None (authentication not performed e.g. DKIM Verification was off in the Mail
    Flow Policy)

    SPF verification introduces an additional result, softfail. This is due to the fact that when
    specifying the SPF record, domain owners can choose to either hardfail or softfail
    certain messages. In general, these would translate to reject and quarantine policy
    specifications in DMARC, and that is what we will configure in the filters in this section.

    Filter 1: Drop SPF-Failing Messages

    Create an Incoming Content Filter with the SPF Verification condition set to fail. You
    can either reject failing messages by setting the action to Drop, or quarantine them.
    Similar to DMARC verification profile, you may create a specific Policy quarantine to
    keep SPF-failing messages

    6
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    Filter 2: Quarantine SPF-Softfailing Messages

    To handle SPF soft fails, we will create a filter similar to Filter 1 above. In the condition
    check the Softfail option, and for action choose Quarantine as already mentioned,
    configuring a separate quarantine for SPF may come in handy.

    7
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    If you choose to quarantine both Hard and Soft SPF fails, you can combine them in a single
    filter, by checking both Fail and SoftFail check boxes.

    Filter 3: Tag other non-compliant SPF messages

    In general, any messages failing SPF check for any other reason should be accepted and
    tagged in the Subject:

    8
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    9
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    Filter 4: Quarantine DKIM-Failing Messages

    Create a filter using DKIM Authentication rule set to Hardfail, and the action to
    Drop.

    10
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    As with SPF, you can replace the Drop action with Quarantine to a specific quarantine.

    Filter 5: Modification of Filter 3 to include messages unable to pass DKIM verification

    Since handling of SPF and DKIM messages which fail verification due to errors should be
    done in the same way, we can just modify Filter 3 above to include two DKIM verification
    results. Add two additional conditions using DKIM Authentication condition and options
    Temperror and Permerror.

    If you chose to reject messages that produced temporary or permanent failure in the DKIM
    Verification Profile, you do not need to include them in the filter.

    11
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    REPORTING ON MESSAGE AUTHENTICATION


    Reporting on DMARC verification is straightforward Messages rejected by DMARC are
    included in the Overview report, and there is a DMARC-specific report in Monitor -> DMARC
    Verification.

    Unfortunately, there is no direct report for SPF and DKIM verification results. However, since we
    are using Content Filters to handle messages failing SPF and DKIM, we can use Content Filters
    report to view how many times each filter was matched. If you need reporting for DKIM and SPF
    verified messages, you can create an additional content filter looking for them, and setting the
    action to Add Log Entry

    12
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    13
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
    ESA BEST PRACTICES

    14
    2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.

    You might also like