Mach 4 Network
on SPF/DKIM/DMARC - by scc, April 2018, upd: May 2019
Sender Policy Framework (SPF)
- email-validation system designed to help detect email spoofing: it gives the
recipient a mechanism to determine whether an incoming message came from a
host authorized to send for the domain in the SMTP envelope sender (MAIL FROM)
  - whitelists sending IP addresses (hosts and ranges, not accounts) in a DNS TXT record
  - recipients can actively verify against the published DNS records
  - can easily be circumvented by spammers if deployed alone
Characteristics
merely enables the recipient, should they so wish, to authenticate the sending
host against the domain's DNS records
- is no magic bullet
  - will not, by itself, prevent anything
  - does not solve credential hijack (a compromised account sends through the
  domain's own, listed server, so SPF passes)
  - nor header-From spoofing (SPF checks only the envelope sender and HELO
  identity, never the From: line the user sees)
- offers zero automatic "protection": attackers/spammers/phishers can carry on
- allows recipients to actively assess legitimacy, IF they choose to, and then
flag the message as SPAM
- comes with significant downsides
  - can cause widespread false positives (legitimate mail failing the check,
  typically when it is forwarded or sent through a service missing from the record)
  - trouble can be a steady trickle, or incessant, which
  - materially impacts business operations
  - nature: tedious, unanticipated, convoluted, counterintuitive
- is but a component in an overall scheme
  - to mitigate (not eradicate) a specific problem: spoofing
  - in theory also mitigates credential hijack, BUT
  - never effective in real-world scenarios (the hijacked account still sends
  from an authorized host)
  - works alongside DKIM and DMARC to build a meaningful defense
- standards are published but still evolving, with implementations adjusting:
SPF is RFC 7208 (2014), DKIM is RFC 6376 (2011), and DMARC is RFC 7489 (2015,
Informational only), with a standards-track revision still being worked on
- is not ubiquitous, and will never be
  - has yet to achieve meaningful adoption, let alone critical mass
- demands cooperative effort, therefore
  - will not magically start working
  - rather, requires elaborate setup & coordination, on the part of the
  sending domain and of each and every recipient server
  - only feasible at large sites with
    - high IT attentiveness
    - unfettered admin access
    - fully vested authority
    - an enforced centralized hub
    - seamless coordination
    - immediate response/reaction
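What the check above actually does, and the two failure modes the list warns about (the attacker who simply uses their own domain in MAIL FROM, and the legitimate message that fails once forwarded), in working code. This is an added example, not code from the Mach 4 page or from any product: a subset of RFC 7208 evaluated over a constructed in-memory DNS table. `DNS`, `check_spf`, `scenarios` and every domain, address and record are made up for illustration.

```python
"""Minimal SPF evaluator (a subset of RFC 7208) over a constructed in-memory DNS table.

Added illustration for this page, not code from the Mach 4 page or any product.
Every domain, address and record here is made up (RFC 5737 documentation ranges).
"""
import ipaddress

# Constructed DNS data: TXT holds the SPF policy, MX/A serve the mx and a mechanisms.
DNS = {
    "corp.example": {
        "TXT": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailer.example -all",
        "MX": ["mx1.corp.example"],
    },
    "mx1.corp.example": {"A": ["198.51.100.10"]},
    "_spf.mailer.example": {"TXT": "v=spf1 ip4:198.51.100.128/25 -all"},  # bulk mailer's shared range
    "attacker.example": {"TXT": "v=spf1 ip4:192.0.2.99 -all"},            # attacker's own, valid record
    "loopy.example": {"TXT": "v=spf1 include:loopy.example ~all"},         # self-include, never terminates
}

MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 DNS-querying terms => permerror
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, _state=None):
    """Evaluate `domain`'s SPF record for the connecting address `ip`.

    Returns (result, dns_lookups_used). Handles ip4/ip6/a/mx/include/all; any
    other term (exists, ptr, redirect=, exp=) is unsupported here => permerror.
    """
    state = _state if _state is not None else {"lookups": 0}
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none", state["lookups"]          # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            state["lookups"] += 1                 # each of these costs a DNS query
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror", state["lookups"]
            target = arg or domain
            if name == "a":
                matched = str(addr) in DNS.get(target, {}).get("A", [])
            elif name == "mx":
                hosts = DNS.get(target, {}).get("MX", [])
                matched = any(str(addr) in DNS.get(h, {}).get("A", []) for h in hosts)
            else:  # include: only a "pass" of the included policy counts as a match
                sub, _ = check_spf(ip, target, state)
                if sub in ("permerror", "none"):  # RFC 7208 s5.2: invalid/missing include
                    return "permerror", state["lookups"]
                matched = sub == "pass"
        else:
            return "permerror", state["lookups"]

        if matched:
            return QUALIFIER[qualifier], state["lookups"]
    return "neutral", state["lookups"]           # ran off the end without an "all"


def scenarios():
    """The cases discussed above, as {label: result}. Only MAIL FROM's domain is
    passed in: SPF never sees the header From that the user reads."""
    return {
        # legitimate mail straight from the corporate range
        "legit_direct": check_spf("203.0.113.5", "corp.example")[0],
        # legitimate mail via the bulk mailer, authorized through include:
        "legit_via_include": check_spf("198.51.100.200", "corp.example")[0],
        # spoof attempt: attacker's host claims corp.example as MAIL FROM
        "spoof_envelope": check_spf("192.0.2.99", "corp.example")[0],
        # bypass: attacker uses attacker.example as MAIL FROM and writes
        # corp.example only into the header From, which SPF does not check
        "attacker_own_domain": check_spf("192.0.2.99", "attacker.example")[0],
        # false positive: a forwarder relays a genuine message from an unlisted IP
        "forwarded_legit": check_spf("192.0.2.50", "corp.example")[0],
        # maintenance failure: a runaway include chain exhausts the lookup budget
        "include_loop": check_spf("203.0.113.5", "loopy.example")[0],
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:20s} {result}")
```

Note that `attacker_own_domain` passes and `forwarded_legit` fails: SPF answers only "was this host allowed to use this envelope domain?", which is exactly why it has to be paired with DKIM and DMARC, and why a recipient that treats a bare SPF fail as spam will lose forwarded mail.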
Mach 4 Notes
- adoption status
  - as of Jan 1, 2019, 50% of Bravo's tier 1 sites had implemented it
  - all tier 2 & tier 3 sites (very small businesses) declined
    - mostly by default
    - a few after evaluation, and even a pilot
    - pending a future revisit of the topic
- DMARC: first published 30 January 2012 (dmarc.org); RFC 7489 (March 2015)
is Informational, not a standard; the IETF working group's standards-track
version is still in progress (expect 5 to 10 yrs)
- 2017 FTC study: 10% of the top 569 businesses with a significant online
presence have a partial implementation
- not something your email host or sending server provides (a common misconception):
  - it pertains to your Internet domain
  - but NOT to the registration, registrar or registry
  - specifically, it is a matter of DNS record implementation & maintenance
  (the records must, of course, list the servers that really send your mail)
- it is up to the recipient side to take action... or NOT
  - once the records are published (SPF policy, DKIM public key and DMARC
  policy are all DNS TXT records; no certificates are involved), your
  recipients can use the (hopefully current) data to decide whether to pass
  the message or not
  - your SPF/DKIM/DMARC has no force in stopping anyone from sending spoofed messages
    - yes... even with a "full implementation" (level 6)
- @deployment: fee levels (to illustrate the wide-ranging scale)
  - $50~$100 sm biz consultation: cursory assessment, brief intro,
  essentially demystification
  - $100~$500 sm biz guidance (evaluation or implementation)
  - $500~$1000 pilot studies, targeted white papers, deployment [within Bravo repertoire]
  - $1000~$5000 for large corporations: joint project with specialty
  organizations [beyond BTC]
  - $5000~$20000 for multinational banking institutions (spearheaded by IT,
  enlisting external consultants/service bureaus, in conjunction with legal counsel)
- @post-deployment efforts
  - on-going active maintenance of SPF records
    - mostly reactive refinement, with urgency
    - periodically induced by strategy/policy shifts
  - to be actually effective at all (vs a false sense of security)
    - mandatory ancillary service subscription: $100-$400 per month!
  - significant coordination with major partners (vendors, clients, etc.)
  - reacting to still-evolving standards (DMARC's standards-track revision is
  not finalized)
  - unusual situations will trigger failures... impossible to cover all scenarios
SMB: SOHO 1 or 2 users | very small 3-10 | small 10-24 | medium 25-50 | large 50-100
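How the three pieces combine on the recipient side, covering the "works alongside DKIM and DMARC" point under Characteristics and the notes above about the recipient deciding whether to pass and about the records having no force against lookalike senders. This is an added example, not code from the Mach 4 page or from any product: it takes the SPF and DKIM results a receiver already has and applies the DMARC policy (RFC 7489) to them. `DMARC_RECORDS`, `PUBLIC_SUFFIXES`, `evaluate_dmarc`, `scenarios` and all domains are constructed for illustration; the public-suffix set in particular is a stand-in for the real list.

```python
"""DMARC (RFC 7489) evaluation from the authentication results a receiver already holds.

Added illustration for this page, not code from the Mach 4 page or any product.
The DMARC records, the domains and the tiny public-suffix stand-in are constructed.
"""

# Constructed DMARC records, as published at _dmarc.<domain> TXT.
DMARC_RECORDS = {
    "corp.example": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r",
    "bank.co.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank.co.example",  # monitor only
}

# Stand-in for the public suffix list (publicsuffix.org); the real list has thousands of entries.
PUBLIC_SUFFIXES = {"example", "co.example"}


def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label (RFC 7489 s3.2)."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_record(record):
    """'v=DMARC1; p=reject; aspf=s' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 's'}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def find_policy(header_from_domain):
    """Look up the domain's own record, then its organizational domain's (sp= applies then).
    Returns (tags, is_subdomain), or (None, False) when nothing is published."""
    hf = header_from_domain.lower()
    if hf in DMARC_RECORDS:
        return parse_record(DMARC_RECORDS[hf]), False
    od = org_domain(hf)
    if od != hf and od in DMARC_RECORDS:
        return parse_record(DMARC_RECORDS[od]), True
    return None, False


def aligned(auth_domain, header_from_domain, mode):
    """Identifier alignment: strict ('s') = exact match, relaxed ('r') = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)


def evaluate_dmarc(header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was evaluated against; dkim_domain is the
    d= of a verified signature. Disposition is what the receiver is asked to do.
    """
    tags, is_sub = find_policy(header_from)
    if tags is None or tags.get("v") != "DMARC1":
        return "none", "deliver"   # no policy published: receiver is on its own
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # one aligned, passing identifier is enough
        return "pass", "deliver"
    policy = tags.get("sp", tags.get("p", "none")) if is_sub else tags.get("p", "none")
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


def scenarios():
    """The cases the notes above describe, as {label: (result, disposition)}."""
    return {
        # bounce subdomain in MAIL FROM, relaxed alignment: legitimate mail passes
        "legit_bounce_subdomain": evaluate_dmarc("corp.example", "pass", "bounce.corp.example", "none", ""),
        # forwarded mail: SPF breaks, but the DKIM signature survives, so DMARC still passes
        "forwarded_with_dkim": evaluate_dmarc("corp.example", "fail", "corp.example", "pass", "corp.example"),
        # SPF alone is fooled (attacker's own domain passes), DMARC catches the misalignment
        "spoofed_header_from": evaluate_dmarc("corp.example", "pass", "attacker.example", "none", ""),
        # unsigned spoof of a subdomain: the sp= policy applies
        "spoofed_subdomain": evaluate_dmarc("hr.corp.example", "fail", "attacker.example", "none", ""),
        # p=none: the failure is reported but the message is still delivered
        "monitor_only_domain": evaluate_dmarc("bank.co.example", "fail", "attacker.example", "none", ""),
        # attacker's own domain in header From: the victim's policy is never consulted
        "lookalike_own_domain": evaluate_dmarc("attacker.example", "pass", "attacker.example", "none", ""),
    }
```

Two of these cases are the page's thesis in miniature: `monitor_only_domain` shows that a published DMARC record with p=none changes nothing about delivery, and `lookalike_own_domain` shows that nothing in SPF/DKIM/DMARC stops a sender who uses a domain they control. The disposition is also only a request; whether a receiver honours it is entirely the receiver's decision.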