Re: [dmarc-discuss] Neebie Questions about Spoofing Prevention and DMARC implementation

2015-11-04 Thread Roland Turner via dmarc-discuss
Hi Marc,


Largely echoing others:


  *   This is not a one-week project, you'll be lucky if it's a one-quarter 
project. To get to a steady state you have to (a) work with every 3rd-party 
sender used by every business unit in every country in which the companies do 
business, a non-zero fraction of whom won't [prefer to] speak English and (b) 
establish working procedural changes for all future uses of email worldwide 
that include establishing adequate authentication as part of every 3rd-party 
sender engagement.
  *   Get expert help! There are many pitfalls, you are probably better off 
learning from a consultant with relevant experience than from angry business 
units whose revenues you just disrupted...
  *   Definitely pilot with a few domains. Also take for granted the need to 
set different policies for different domains as you get authentication coverage 
up to an acceptable level at different times for different domains.
  *   Survey the available tools. A small investment of time now will save you 
a lot of lost time and disrupted business later. Dmarcian is good. Agari is 
good. I assume Return Path is good. I have probably offended several people by 
forgetting about other excellent options.
  *   Yes, you can send feedback for many domains to a single domain, but there 
is an access control protocol: the domain receiving all of the feedback has to 
publish specific additional DNS records to authorise 
mail-receivers/feedback-senders to send to an address in that domain (otherwise 
DMARC would provide a DDoS vector). All of the DMARC-feedback-analysis service 
providers provide destination addresses with this already set up, all of the 
large receivers performing DMARC processing will honour this when sending 
feedback.


Good luck!


- Roland


 Roland Turner | Labs Director
Singapore | M: +65 96700022
roland.tur...@trustsphere.com





From: dmarc-discuss  on behalf of Marc 
Luescher via dmarc-discuss 
Sent: Wednesday, 4 November 2015 19:48
To: dmarc-discuss@dmarc.org
Subject: [dmarc-discuss] Neebie Questions about Spoofing Prevention and DMARC 
implementation


Hi there,

I am new to this mailing list but have the challenging task of implementing SPF, 
DKIM and DMARC on Cisco IronPorts for two extremely large worldwide companies 
with hundreds of e-mail domains each. To make things more challenging, this has 
to be done by the end of next week, as we are under heavy spoofing attacks.

So far we have implemented a lot of defensive mail filters on the IronPorts for 
validation of domain, friendly names, AV, etc., and are tagging all incoming 
e-mails so the end user can more easily find them in his inbox under the 
following structure, with rules doing the work:

Inbox

--Internal
  TO only
  CC

--External
   Primary
   Trusted Partner
   Social (Facebook, Linkedin etc)
   Public (public mailers)
   Newsletters (tagged)
   Potential SPAM


It is my current understanding that the following order of things should be 
followed:

a) Publish a DMARC record with a domain to collect feedback
b) Deploy SPF for the mail domains
c) Deploy DKIM for the mail domains

d) Monitor SPF, DKIM and DMARC
e) Implement DMARC policy to quarantine and/or reject

It is my plan to start doing this with 1 or maybe 2 domains to get going.

My questions now :

a) does this sound like a good plan ?
b) in regards to DMARC records you need to specify an email address for replies, 
can this always be the same e-mail for all of the hundreds of e-mail domains ?
c) Did i miss something ?

I will be documenting this implementation and am happy to share for interested 
parties as it involves Notes, Outlook, Cloud, IronPorts and much more.

Thank you

Marc

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
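Roland's last bullet, the access-control step for sending feedback to another domain, as an added example that is not part of the thread and not code from any vendor mentioned: a small Python check that parses a policy domain's DMARC record, extracts the rua/ruf mailto: targets, and, for every target whose organizational domain differs from the policy domain's, looks for a TXT record beginning with v=DMARC1 at <policy-domain>._report._dmarc.<destination-domain>, which is the RFC 7489 section 7.1 verification a receiver performs before sending reports there. The domain names, addresses and DNS contents are a constructed fixture, the DNS lookup is a dict rather than a resolver, and the organizational-domain helper is a simplified last-two-labels stand-in for the Public Suffix List.

```python
"""Check DMARC report destinations: parse the policy record, extract rua/ruf
mailto: targets, and verify external ones per RFC 7489 section 7.1."""
from urllib.parse import unquote

# Constructed DNS fixture (not real records): owner name -> TXT strings.
DNS_TXT = {
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc-rua@collector.example,"
        "mailto:dmarc@example.com!10m; ruf=mailto:dmarc-ruf@unauthorised.example"
    ],
    # collector.example has agreed to receive reports about example.com.
    "example.com._report._dmarc.collector.example": ["v=DMARC1"],
    # unauthorised.example publishes nothing for example.com, so a receiver
    # must not send example.com's failure reports there.
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query (assumption: real code uses a resolver)."""
    return DNS_TXT.get(name.lower(), [])


def org_domain(name):
    """Simplified organizational domain: last two labels. Real receivers use
    the Public Suffix List (assumption made for this example)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def report_targets(tags, tag):
    """mailto: addresses from a rua/ruf tag, with any !size suffix removed."""
    out = []
    for uri in tags.get(tag, "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue  # only mailto: URIs are defined by RFC 7489
        addr = uri[len("mailto:"):].split("!", 1)[0]
        out.append(unquote(addr))
    return out


def destination_authorised(policy_domain, addr):
    """RFC 7489 7.1: when the destination's organizational domain differs from
    the policy domain's, <policy_domain>._report._dmarc.<dest_domain> must hold
    a TXT record beginning with v=DMARC1; otherwise no report is sent."""
    dest_domain = addr.rsplit("@", 1)[1].lower()
    if org_domain(dest_domain) == org_domain(policy_domain):
        return True
    name = f"{policy_domain.lower()}._report._dmarc.{dest_domain}"
    return any(t.strip().upper().startswith("V=DMARC1") for t in lookup_txt(name))


def check_report_destinations(policy_domain):
    """Map (tag, address) -> whether a receiver may send reports there."""
    records = [r for r in map(parse_dmarc, lookup_txt(f"_dmarc.{policy_domain}")) if r]
    if len(records) != 1:
        raise ValueError("expected exactly one DMARC record")
    result = {}
    for tag in ("rua", "ruf"):
        for addr in report_targets(records[0], tag):
            result[(tag, addr)] = destination_authorised(policy_domain, addr)
    return result
```

Running check_report_destinations("example.com") against the fixture shows the collector address and the same-domain address as authorised and the ruf address as not; in the real world that third case is what happens when a domain points its reports at a service provider's mailbox before the provider has published the _report._dmarc record, and the reports silently never arrive.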

Re: [dmarc-discuss] Neebie Questions about Spoofing Prevention and DMARC implementation

2015-11-04 Thread Tomki Camp via dmarc-discuss
Marc, you’ll want to pay attention to a couple other considerations when
working with DMARC on the Cisco-IronPorts.
1. Do not enable policy enforcement on the appliance unless the AsyncOS
version is over 9.6 (or 8.5.7 on the 8.x branch), due to a bug in properly
verifying multiple DKIM signatures.  Otherwise you _will_ have false
positives. 
2. The IronPort DMARC policy reporting implementation does not have a
capability to properly align reported data on UTC 00:00-23:59:59
boundaries*, so you should set the report generation start-time to whatever
equates to UTC-midnight in the system time zone.
3. enforcement of p=quarantine goes into a system-level (not end-user
accessible) storage.  Make certain that’s sized appropriately.

* https://tools.ietf.org/html/rfc7489#section-7.2

—Tomki



From:  dmarc-discuss  on behalf of Marc
Luescher via dmarc-discuss 
Reply-To:  
Date:  Wednesday, November 4, 2015 at 04:48
To:  
Subject:  [dmarc-discuss] Neebie Questions about Spoofing Prevention and
DMARC implementation

> Hi there,
> 
> I am new to this mailing list but have the challenging task of implementing SPF,
> DKIM and DMARC on Cisco IronPorts for two extremely large worldwide companies
> with hundreds of e-mail domains each. To make things more challenging, this has
> to be done by the end of next week, as we are under heavy spoofing attacks.
> 



Re: [dmarc-discuss] Neebie Questions about Spoofing Prevention and DMARC implementation

2015-11-04 Thread Paul Kincaid-Smith via dmarc-discuss
Hello Marc,

Sorry to hear about your spoofing troubles. The situation sounds urgent and
complex.

My first suggestion would be to set expectations with your management team.
You are embarking on a large project that will unearth email complexities
that are not currently understood or appreciated. The DMARC policies you
put in place to reduce harm from spoofing could also block important
legitimate email sent via 3rd parties. That collateral damage will have a
business impact, and must be anticipated and managed.

When we implemented a DMARC policy at SendGrid, we discovered that some
business units used 3rd party hosted apps that sent mail on our domain's
behalf. Some of those apps (like HR software or ops monitoring services)
sent mail from a broad range of external shared IPs, so we had to find ways
to get them to route our mail differently -- through dedicated IPs that we
could safely add to our SPF record.

For some weeks we'd occasionally discover new sources of legitimate mail
that was being rejected or quarantined, then work with the affected
business unit and their 3rd party tech partner/app to correct the issue.

You asked:

b) in regards to dmarc records you need to specify an email adress for
replies, can this always be the same e-mail for all 100's e-mail domains ?

Yes, you can route your forensic and aggregate DMARC reports to the same
address for all your domains. There are several good 3rd party services
that can consume your DMARC reports.

I suggest you configure your rua and ruf with an internal email address.
That will allow you to archive the raw reports and then forward or relay
the reports to one or more tools or 3rd party services that will consume
the reports and provide you with useful metrics and actionable insights.

Best of luck on your project.

Regards,
Paul Kincaid-Smith

On Nov 4, 2015, at 05:00, Marc Luescher via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

Hi there,

I am new to this mailing list but have the challenging task of implementing
SPF, DKIM and DMARC on Cisco IronPorts for two extremely large worldwide
companies with hundreds of e-mail domains each. To make things more
challenging, this has to be done by the end of next week, as we are under heavy
spoofing attacks.

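Paul's dedicated-IP story and Marc's question about third-party senders, as an added example that is not code from the thread, from SendGrid or from any IronPort: DMARC identifier alignment (RFC 7489 section 3.1) with a minimal SPF evaluator, run over a constructed DNS fixture. The domains example.com and hrapp.example, the IP addresses and the records are invented; the SPF evaluator handles only ip4/ip6/include/all plus the RFC 7208 lookup limit; the organizational-domain rule is a simplified last-two-labels stand-in for the Public Suffix List; and DKIM signatures are assumed already verified, so only their d= domains are passed in.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1) plus a minimal SPF
evaluator, over a constructed DNS fixture (assumption: not real zones)."""
import ipaddress

# Constructed TXT records. hrapp.example is a hypothetical HR SaaS vendor that
# has been moved onto a dedicated IP (198.51.100.10) and included in SPF.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.hrapp.example -all"],
    "_spf.hrapp.example": ["v=spf1 ip4:198.51.100.10 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def org_domain(name):
    """Simplified organizational domain: last two labels. Real receivers use
    the Public Suffix List (assumption made for this example)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode="r"):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    needs the same organizational domain."""
    if not auth_domain:
        return False
    a, b = header_from.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def spf_check(domain, ip, dns=DNS_TXT, _lookups=None):
    """Toy SPF evaluator: ip4, ip6, include and all only. a/mx/exists/redirect
    and macros are not implemented and yield permerror here."""
    if _lookups is None:
        _lookups = [0]
    records = [t for t in dns.get(domain.lower(), [])
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        # no record -> none; several records -> permerror (RFC 7208 4.5)
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        verdict = QUALIFIERS[qual]
        mech = term.lower()
        if mech == "all":
            return verdict
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return verdict
        elif mech.startswith("include:"):
            _lookups[0] += 1
            if _lookups[0] > 10:  # RFC 7208 section 4.6.4 DNS lookup limit
                return "permerror"
            if spf_check(term[len("include:"):], ip, dns, _lookups) == "pass":
                return verdict
        else:
            return "permerror"
    return "neutral"  # nothing matched and no 'all' term


def dmarc_result(header_from, mail_from_domain, source_ip, dkim_domains=(), mode="r"):
    """Return (aligned_spf_pass, aligned_dkim_pass, dmarc_pass). DKIM signatures
    are assumed already cryptographically verified; only their d= is passed in."""
    spf_ok = (spf_check(mail_from_domain, source_ip) == "pass"
              and aligned(header_from, mail_from_domain, mode))
    dkim_ok = any(aligned(header_from, d, mode) for d in dkim_domains)
    return spf_ok, dkim_ok, spf_ok or dkim_ok
```

The four calls in the test below walk through the usual discovery sequence: the vendor sends with its own bounce domain, so SPF passes for hrapp.example but is not aligned with the From: domain and DMARC fails; switching MAIL FROM to example.com passes only because the vendor's dedicated IP is reachable through the include; a message from one of the vendor's shared IPs still fails; and an aligned DKIM signature rescues it regardless of the sending IP, which is why DKIM is usually the easier fix for shared-IP senders.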

Re: [dmarc-discuss] Neebie Questions about Spoofing Prevention and DMARC implementation

2015-11-04 Thread Chris Meidinger via dmarc-discuss

> On Nov 4, 2015, at 09:28, Paul Kincaid-Smith via dmarc-discuss 
>  wrote:
> 
> My first suggestion would be to set expectations with your management team. 
> You are embarking on a large project that will unearth email complexities 
> that are not currently understood or appreciated. The DMARC policies you put 
> in place to reduce harm from spoofing could also block important legitimate 
> email sent via 3rd parties.

Great point Paul - shout this from the mountains! The effort is not minor for 
an org with 100s of domains. It will likely take you at least weeks (with 
executive support) to months (if it's a part-time, skunkworks type effort) to 
execute fully.

Chris



Re: [dmarc-discuss] Neebie Questions about Spoofing Prevention and DMARC implementation

2015-11-04 Thread Chris Meidinger via dmarc-discuss
Hey Marc,

some thoughts inline:


> On Nov 4, 2015, at 06:48, Marc Luescher via dmarc-discuss 
>  wrote:
> 
> It is my current understanding that the following order of things should be 
> followed:
> 
> a) Publish a DMARC record with a domain to collect feedback
> b) Deploy SPF for the mail domains
> c) Deploy DKIM for the mail domains

Yes, this is how I would recommend approaching things. I don't know if b) and 
c) necessarily have to be serial. I think you can often start with DKIM while 
you're still gathering data for SPF. You definitely want to drive SPF record 
creation based on DMARC feedback data.

> d) Monitor SPF, DKIM and DMARC
> e) Implement DMARC policy to quarantine and/or reject

Agreed. Note that your SPF and DKIM will likely be somewhat iterative until you 
get your pass rates with both high enough to implement DMARC reject. Whether 
you start with quarantine or go directly to reject is up to you. I personally - 
having been in the large scale mail world for 15 years - do not like 
quarantine. If someone rejects a message you, as a sender, know it 
specifically. If a message is mistakenly quarantined you will see it in 
aggregate data but never know which message was sent into nirvana. If your 
customers are in regulated industries this can be particularly painful as a 
reject often triggers alternate delivery (such as via actual paper mail) so 
quarantine may be non-viable in those cases.

> It is my plan to start doing this with 1 or maybe 2 domains to get going.

Yes, this is BCP. Take one or two domains through to completion, rinse and 
repeat with increasingly large buckets of domains until you're done. You will 
also want to think about how to gate future domain acquisition/vendor 
onboarding. Typically this is built into the enterprise sourcing process.

> My questions now :
> 
> a) does this sound like a good plan ?

Yes.

> b) in regards to DMARC records you need to specify an email address for 
> replies, can this always be the same e-mail for all of the hundreds of e-mail domains ?

Yes.  My day job is at a company called Agari whose sole 
business is receiving, aggregating and analyzing DMARC feedback data. Would be 
happy to show you more. 

> c) Did i miss something ?

The only thing that jumps out at me is that you need to remember that the 
SPF/DKIM efforts will have one track for internally sourced email from your 
Ironports and other systems, and a set of parallel tracks while you discover 
which third parties (think newsletter/marketing senders like ET or Marketo, HR 
senders like taleo, transactional email like Sendgrid or Mandrill, etc) your 
organizations use and get SPF and DKIM up on all of them with proper alignment. 
This can often be the lion's share of the work.

> I will be documenting this implementation and am happy to share for 
> interested parties as it involves Notes, Outlook, Cloud, IronPorts and much 
> more.

I'm not aware of a wiki or centralized spot where this kind of knowledge is 
collected, but I think it would be great to find and/or create one. DMARC.org 
might be a good place to do it, but would have to think it through.

Feel free to reach out if you have any questions on the above or if questions 
come up along the way.

Chris


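Step d) of Marc's plan, Chris's advice to drive SPF record creation from DMARC feedback data, and Tomki's note that reports should cover UTC-midnight-to-midnight, as one added example that is not code from the thread or from any of the tools named in it: a parser for an RFC 7489 Appendix C aggregate report that checks the date_range is exactly one UTC day (section 7.2), computes the aligned pass rate, and lists per source IP how much mail failed and why. The XML is a constructed sample with invented receiver, IPs, domains and counts, and the remediation hints are this example's own heuristics.

```python
"""Parse a DMARC aggregate report (RFC 7489 Appendix C) and turn it into the
numbers a rollout needs: aligned pass rate, per-source-IP failures, and a
check that the date_range is one UTC day (section 7.2)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample report; receiver, IPs, domains and counts are invented.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id>
    <date_range><begin>1446595200</begin><end>1446681599</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>hrapp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return the policy domain, date range and one dict per <record>."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the aligned verdicts the receiver applied
            "spf": evaluated.findtext("spf") == "pass",
            "dkim": evaluated.findtext("dkim") == "pass",
            # auth_results holds the raw checks, including unaligned passes
            "raw_spf": [(s.findtext("domain"), s.findtext("result"))
                        for s in rec.findall("auth_results/spf")],
            "raw_dkim": [(d.findtext("domain"), d.findtext("result"))
                         for d in rec.findall("auth_results/dkim")],
        })
    return {
        "domain": root.findtext("policy_published/domain"),
        "begin": int(root.findtext("report_metadata/date_range/begin")),
        "end": int(root.findtext("report_metadata/date_range/end")),
        "rows": rows,
    }


def covers_one_utc_day(begin, end):
    """True when begin is 00:00:00 UTC and end is 23:59:59 UTC of that day."""
    b = datetime.fromtimestamp(begin, tz=timezone.utc)
    return (b.hour, b.minute, b.second) == (0, 0, 0) and end - begin == 86399


def pass_rate(report):
    """Share of messages that passed DMARC (aligned SPF or aligned DKIM)."""
    total = sum(r["count"] for r in report["rows"])
    passed = sum(r["count"] for r in report["rows"] if r["spf"] or r["dkim"])
    return passed / total if total else 0.0


def summarise(report):
    """Per source IP: volume, passing volume and hints (this example's own
    heuristics) on why the remainder failed."""
    out = {}
    for r in report["rows"]:
        entry = out.setdefault(r["ip"], {"total": 0, "passed": 0, "hints": set()})
        entry["total"] += r["count"]
        if r["spf"] or r["dkim"]:
            entry["passed"] += r["count"]
            continue
        # We only get here when the aligned SPF verdict was not pass, so any
        # raw SPF pass must be for a domain that does not align with header From.
        for dom, res in r["raw_spf"]:
            if res == "pass":
                entry["hints"].add(f"SPF passes for {dom} but is not aligned with {r['header_from']}")
        if not r["raw_dkim"]:
            entry["hints"].add("no DKIM signature: sign with an aligned d= or add the source to SPF")
    return out
```

On the sample, 203.0.113.5 is the company's own gateway and passes; 198.51.100.10 is the third-party HR sender from the earlier example, passing SPF for its own domain but not aligned, so it goes on the vendor-remediation list; and 192.0.2.77 is unknown, authenticates nothing, and is the kind of source you either identify as a forgotten internal system or leave to be rejected once the policy tightens. A report whose range is not a clean UTC day, as Tomki describes for the IronPort implementation, will be flagged by covers_one_utc_day and should be handled with care when merging daily totals.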