E-mail Authentication

Introduction:

We all send Email on our day to day life, We send mails from our Email client (Outlook, Thunderbird ) or from a Web interface (From browser), the mails gets transferred to the recipient.

The question is, how secure is our message transfer. What is happening at the background. How the messages that we send are validated and secured from being modified. The emails are validated through the process Email Authentication.

How Email Works:

email server

Email Authentication:

Email authentication is a collection to validate the MTAs who participated in transferring message. It is used to validate the whether the email originated from a legitimated domain. Email authentication is used to prevent Email Spoofing and Phishing and the mail lands in the Inbox.

Note:

Email spoofing is the creation of email messages with a forged sender address.

Email Phishing is an attempt to obtain our sensitive information’s line Bank details Username and Password.

Email Authentication uses many techniques, we will see the mostly used methods, SPF, DKIM and DMARC . The core email protocols do not have any mechanism for authentication, it is common for spam and phishing emails to use such spoofing to mislead the recipient about the origin of the message. So we use these authentication methods.

SPF (Sender Policy Framework):

SPF checks whether the Senders IP Address is a valid one.

The IP address is validated by the TCP, because TCP is the one which establishes the connection to the recipient by checking whether the recipient is reachable. The MX receives the HELO command once the connection to the recipient is established and receives the bounce back address which contains the domain name. T he SPF verifier queries the Domain Name System (DNS) for an SPF record labeled with that name, declaring which IP addresses are, or are not, authorized to use the domain name on the label. The verifier then finds the record’s directive that matches the IP address of the sending MTA, and returns the associated result. It can be "pass", "fail", or some intermediate result.

The client sends this HELO command to the SMTP server to identify itself and initiate the SMTP conversation

SPF Record is added as a TXT Record.

SPF Syntax:

  • "v=spf1 a mx -all"
  • v= spf1 – Version of SPF
  • a = A Record of the domain or a:hostname.domain.com
  • mx = The incoming mail servers (MX) also can send mail 
  • -all = all other than this are not allowed to send mails

DKIM (DomainKeys Identified Mail):

DKIM authenticates parts of the message content.

The message contents are verified by using digital signatures. The keys for the signature are passed through DNS, by this the message gets associated to the domain.

DKIM lets a domain associate its name with an email message by affixing a digital signature to it. Verification is carried out using the signer’s public key published in the DNS. A valid signature guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.

DKIM Record is added as s TXT Record.

DKIM Syntax:

Generated DKIM will have the syntax as " selector._domainKey.domain.com " _domainkey is a fixed keyword

Syntax of DKIM from received mail :From Show original.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=domainname.com; s=selector_name;

h=x-originating-ip:content-type:mime-version:message-id:reply-to

:date:subject:cc:to:from;

bh=ruP14aVtmQY/mUQAqH1BSup7XtwhoPt1OiRHNUV1M0E=; b=g2vJb5y4LXJsah369LHSPJu6XQh2c5fVm+YfCmxx3lYoiPYlQKWHr/VQKBiPNwF+m AZo1jdLacLIwK37OUQm7s+iYYiDtSThSy1gh4pYnFitf6NBpDW3Y/SMHdmQkeWw8z fVSkiViaggE/4SVtGpmvc0zoQMrslHiIENA3hXZe0Gqo1LomMaVdOSrgYWg/lKU23 AR3WA3gFFMPiaWN4xlvIBQojzP0rx9B4DlJAPjevxb46zvRLFCG8e6C4Eeuu7Ikly 1/EGTV7vpk5dCtVeHk/59xiLWvSy/mjAcQH6OSDNQLI9OyB1WTYjLWvNyWHmnUqXx OqLcqS5ywv5miqI6w

  • v = Version
  • a = algorithm
  • d = Domain name
  • s = Selector (DKIM Selector)
  • bh,b = Hash value
  • h = list of signed header fields
  • TXT record will be verified as " selector_name._domainKey. domainname.com "

DMARC (Domain-based Message Authentication, Reporting & Conformance):

DMARC is used to validate the Email.

DMARC is built on top of SPF and  DKIM. It allows the administrative owner of a domain to publish a policy on which mechanism (DKIM, SPF or both) is employed when sending email from that domain and how the receiver should deal with failures.

Additionally, it provides a reporting mechanism of actions performed under those policies.

DMARC Record is added as s TXT Record.

DMARC Syntax:

  • _dmarc.domain.com
  • "v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@domain.com"
  • v = Version
  • p = Policy (What the receiver must do when validation fails), It is of 3 types
  • Quarantine , Reject and None.
  • rua=mailto = Mail ID which receives the notification.