Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Tagged Content List
  • Blog Post: Office 365 is expanding its DKIM-signing to our consumer brands plus adding default signatures to enterprise email traffic

    Here at Office365 and Hotmail/outlook.com, we are making some changes with regards to our DKIM-signing in both services. We believe in sender authentication, especially with regards to DKIM, and plan to sign 100% of all email in both services. 1. First, email traffic from our consumer brands will all...
  • Blog Post: Email authentication should work out of the box and we should not rely upon domain owners to do it themselves

    This is going to be a long post. Sorry. I didn’t have time to write a shorter one. Who should be responsible for setting up email authentication records? For years, I have been discussing the virtues of publishing email authentication records including SPF, DKIM, and DMARC. There are plenty of tutorials...
  • Blog Post: The common types of spear phish we see today

    As 2015 draws near to a close, I thought I’d write a blog post about the type of spear phishes we are seeing lately against our customer base. This is not general brand phish like someone spoofing Paypal, but instead a phisher trying to impersonate your domain, for example, if the domain under attack...
  • Blog Post: Exchange Online is rolling out default DKIM-signing to everyone

    If you are a customer of Office 365 (Exchange Online Protection, or EOP), you may have noticed, or will be noticing, that we are adding DKIM signatures to your outgoing email, even if you haven’t explicitly enabled DKIM-signing for your domain (see instructions here: http://blogs.msdn.com/b/tzink/archive...
  • Blog Post: DMARC one year later, and what have we learned?

    It has been one year since I posted that Office 365 now supports inbound DMARC verification. What do we see in terms of how much mail it blocks in production? Well, we’ve learned a lot of things; some of it good, and some of it bad. I took a look at our network-wide statistics yesterday and a total...
  • Blog Post: How Office 365 does automatic DKIM key rotation

    As you can see from one of my other posts, Office 365 now lets you sign your outbound email with DKIM signatures. One of the key differences between how we do it and how almost every other service does it is that instead of requiring the customer to publish the public key in DNS (and we sign with the...
  • Blog Post: Manually hooking up DKIM signing in Office 365

    Here’s how to enable DKIM signing for your domain if it is hosted in Office 365 (Exchange Online Protection). First, for each domain that needs to DKIM sign, you will need to publish two CNAMEs in DNS (not TXT records): Host name: selector1._domainkey Points to address or value: selector1...
  • Blog Post: Combating spoofing

    Three years ago, I wrote a blog post entitled Combating Phishing talking about what Exchange Online Protection (EOP) does to stop phishing messages [1]. Last year, I wrote one of my most popular blog posts entitled Why does spam and phishing get through Office 365, and what can be done about it? Recently...
  • Blog Post: (Not) Using the Additional Spam Filtering option for SPF hard fail to block apparently internal email spoofing

    Recently, I’ve noticed that sometimes customers in Office 365 will login to the Exchange Admin Center, go to Protection –> Spam Filter –> Advanced Options and enable the Advanced Spam Filtering (ASF) option for “SPF Hard Fail.” The reason people do this is to stop...
  • Blog Post: What is the best combination for your SPF record, DKIM record, and DMARC record?

    Sometimes [1] people ask me what the best combination of SPF record is if they publish a DMARC record and DKIM record. How should we best prevent spoofing using authentication records that we publish in DNS? Here’s what I think. First, a domain should publish an SPF Hard Fail in its SPF record if they...
  • Blog Post: Podcast episode 6 – Facebook’s new PGP feature is nice, but…

    Description A couple of weeks ago, Facebook released support for PGP, and that's great. Facebook is a leader in the security space as they support SPF, DKIM, DMARC, and opportunistic TLS for email; https for standard browsing; and a Tor site for users who need secrecy. And now, they've added PGP support...
  • Blog Post: A fourth option for solving the problem of DMARC’s incompatibility with mailing lists – Part 3

    We’ve looked at three options for solving the problem of mailing lists who have problems delivering email for domains that publish p=reject. None of the solutions are great. What else is there? 4. Play around with the From: address, or maybe even the Sender: and Reply-To: fields, to make it not fail...
  • Blog Post: Three options for solving the problem of DMARC’s incompatibility with mailing lists – Part 2

    How can we solve the problem of mailing lists breaking DMARC? 1. Don’t let anyone with a DMARC record of p=reject join the mailing list One solution is to moderate who joins the mailing list. Domains that you think will fail DMARC cannot sign up. This is the worst solution. First, it excludes a large...
  • Blog Post: Solving the problem of DMARC’s incompatibility with mailing lists – Part 1

    One of the problems that the email filtering community still hasn’t solved with regards to DMARC is how to deal with the problem of mailing lists. You know, mailing lists. Those are those things that you subscribe to about a certain topic that contains a bunch of other people. When you email the list...
  • Blog Post: What is DMARC BestGuessPass in Office 365?

    If you’re a customer of Office 365, you know that you’ve been protected by DMARC for the past several months. But you may have a question if you look at the email headers. What is this dmarc=bestguesspass that is sometimes seen in the Authentication-Results headers? Maybe something like this: From: Joe...
  • Blog Post: How to align with SPF and DMARC for your domain if you use a lot of 3rd parties to send email as you

    Background One of the pieces of advice I frequently give these days to organizations is for domains to set up DMARC records, and implement a hard fail in their SPF record. This is straightforward for smaller organizations that know all of their email servers, but harder for large organizations. Why?...
  • Blog Post: Best Practices for Exchange Online Protection customers to align with DMARC

    Background Spammers frequently forge the "From" address on email messages so the spam appears to come from a familiar sender such as your bank or social network, or more dangerously, from your own organization so that it looks like an internal sender. To help prevent this abuse, Exchange Online...
  • Blog Post: Cyber thieves stealing from businesses and how DMARC can help

    I read an article yesterday entitled Cyber thieves stole $215 million from businesses using hacked email addresses. How did they do it? Here’s a key excerpt: Here's a nightmare scenario: You're working in the accounts department, when you receive an email from your boss, asking that you urgently wire...
  • Blog Post: An update on DKIM-on-IPv4 and DMARC in Office 365

    If you’re wondering when Office 365 is going to release inbound validation for DKIM-on-IPv4 and DMARC support, I have an update for you. We are currently evaluating DKIM-on-IPv4 everywhere in the service but are fixing the remaining bugs. Today, we stamp the DKIM results in a temporary header, X-DkimResult...
  • Blog Post: Microsoft.com now publishes an SPF Hard Fail in its SPF record

    This past Monday evening, Microsoft Corporation changed the SPF record for the domain microsoft.com from soft fail to hard fail. There are many ways that receivers can use SPF hard fail – some mark it as spam outright, some use it as a heavy weight in their spam filter, some use it as a light weight...
  • Blog Post: Supporting email over IPv6, part 1 – An introduction

    One of the important projects I have been working on for the past few months is supporting email over IPv6. Long time readers of this blog (all four of you) will remember that last year I wrote a series of posts on email over IPv6: Part 1 – Introduction Part 2 – Why we can’t use IP blocklists in IPv6...
  • Blog Post: How to setup your DMARC records if you are outsourcing some, or all, of your email – Part 2

    Continuing on in our series on authenticating outsourced email, how do we outsource our email such that we also pass a DMARC check? First, decide if you want DMARC to pass via an SPF check or a DKIM validation, or both. Second, delegate a subdomain for the 3rd party to send email “as your...
  • Blog Post: How to setup DMARC records if you are outsourcing some, or all, of your email – Part 1

    In my previous posts, I discussed how to set up your SPF, SenderID, and DKIM records if you are an organization that outsources some of its email to a 3rd party, such as advertising. For example, an airline might send out its flight confirmations from its own email servers and infrastructure, but contract...
  • Blog Post: How to set up your DKIM records if you are outsourcing some, or all, of your email and still build your reputation

    In my previous post, I described how you can set up DKIM records if you are outsourcing your advertising email to a 3rd party. In summary: You don’t have to do anything. However, this comes at the cost of not being able to generate your own domain-reputation. You may care about generating...
  • Blog Post: How to set up your DKIM records if you are outsourcing some, or all, of your email

    In my last two posts on outsourcing your email, I explained how to set up your SPF records if you are outsourcing your advertising email, and how to set up your SenderID records if you are outsourcing it. Next up is how to set up your DomainKeys Identified Mail, or DKIM, records if you are outsourcing...