#NSA warns of North Korean hackers exploiting weak #DMARC #email policies

https://www.bleepingcomputer.com/news/security/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies/

#cybersecurity #NorthKorea #politics

How a receiving mail server should treat messages based on the #SPF and #DKIM results is defined in the #DMARC TXT record:

$ dig +short txt _dmarc.netmeister.org
"v=DMARC1; p=reject; pct=100; aspf=s; adkim=s; rua=mailto:[...]; ruf=mailto:[...]"

https://www.rfc-editor.org/rfc/rfc7489.html

Every so often, I need to chase down some aspect of email validation (#SPF, #DMKIM, #DMARC, ...). This involves a number of #DNS records and queries, but I may forget just which ones. So here's a quick #SMTP/DNS cheatsheet:

After this week's Spring Break, we return in my #SysAdmin class to dive into #SMTP.

We start with an overview of the ecosystem consisting of MUAs, MTAs, MDAs, Access Agents, and tcpdump a simple manual SMTP session over telnet. We then talk about STARTTLS, MTA-STS and #DANE, before diving into #spam defenses, including #SPF, #DKIM, and #DMARC, all with practical examples, tracking lookups and traffic on the sender and receiver.

Video lectures here:
https://youtu.be/Ai8rjqelwsI?si=7_4JnfwHwvFDShx_

#DevOps #SRE

@patrickbenkoetter @lairsdragon @bsi I saw this thread because I follow the #DMARC hashtag. Message forwarding works fine as long as the original message is #DKIM signed and the forwarding service does not tamper with the email. #SPF never works with a forwarded message.

You are right that there are many other ways to impersonate an identity, like display name spoofing, but it does prevent from address spoofing. Good security awareness programs train users to look at the from address when checking for impersonation. There are also free DMARC solutions, like the open source software I wrote.

I wrote a detailed blog post about DMARC here: Demystifying DMARC: A guide to preventing email spoofing

#dmarc