Fighting email forgery with SPF and DKIM

October 28, 2014

Ajay, an experienced fellow from the Linux User Group of Mauritius several times advocated the importance of authenticating emails through SPF and DKIM. Last Saturday, after the Shellshock presentation it was tossed again while Alex and I were discussing a couple of stuffs regarding spams situation and email security. Alex then referred the facility he got with Mandrillapp to sign his emails. I thought, hey wait, this couldn’t be easier, it’s just awesome. Mandrillapp makes DKIM and SPF just a few clicks away. In fact, while he would apply his settings, Ajay did tests instantly to confirm. Yeah, usually DNS changes would take hours to propagate but magic happens with Cloudflare.

google-apps On my end, I looked for a similar facility available with Google Apps. Yup! it’s been now like 2 years since my emails run on Google Apps. I registered at a time when the service was free and I happen to benefit from that.

First, let’s configure SPF records to work with Google Apps. It’s pretty easy. One needs only to update the DNS records with a TXT entry as follows v=spf1 include:_spf.google.com ~all. That should be all.

dig-spf-hacklog

A quick dig shows it

Next, we need to enable DKIM authentication. It starts by generating a domain key for our domain name. With Google Apps this falls under Google Apps > Gmail > Authenticate email from the Google Admin Console.

google-apps-authenticate

Click Generate new record.

google-apps-generate-record

It will ask for a prefix selector. This can be something that will help in distinguishing different domains. The key will be generated.

google-apps-dkim

From the above example, we can now add a TXT record with record name as gl._domainkey and record value:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDzwSQagFPk9euu2oSz1OI2hRHQKoAtk22e3PoONueatsFoWymrc6p86e45ZXRi1j42stJFeLplAO+fcbEPaJy1HRNIAYOXqhAd8mtZcElzGdB2BWlwSbrQ4Ymi6ObdJfs/ZNIqbklEzX2tBtImuSqkBqTu1orhXeE7wqdnYY3UQIDAQAB

Then click Start authentication.

Email headers from legacy.hacklog.in now shows emails as spf=pass and dkim=pass. For testing purposes I sent an email from legacy.hacklog.in to a Hotmail account. Below are header extracts:

x-store-info:sbevkl2QZR7OXo7WID5ZcdV2tiiWGqTnv73VPHTe3Hb19B+do3vxuD5275A6be0DJSswMRpciV1vmlCoQ9DORyBduQ7yGSw4uiSqd6x9bQSYlw5UHkF++qOFXtzEmCrIW/1fJL2+z8U= Authentication-Results: hotmail.com; spf=pass (sender IP is xxx.xxx.xxx.xxx) smtp.mailfrom=********@legacy.hacklog.in; dkim=pass header.d=legacy.hacklog.in; x-hmca=pass header.id=********@legacy.hacklog.in

I replaced IP addresses with xxx and masked email adds with *** for the sake of fun (^^,)

SPF and DKIM help your emails gain trust and be delivered to the recipient’s inbox. They also thwart email forgery attempts since those would now fail SPF and DKIM. Forged emails would either be rejected or land in the spam-box.