Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Tagged Content List
  • Blog Post: Three options for solving the problem of DMARC’s incompatibility with mailing lists – Part 2

    How can we solve the problem of mailing lists breaking DMARC? 1. Don’t let anyone with a DMARC record of p=reject join the mailing list One solution is to moderate who joins the mailing list. Domains that you think will fail DMARC cannot sign up. This is the worst solution. First, it excludes a large...
  • Blog Post: Solving the problem of DMARC’s incompatibility with mailing lists – Part 1

    One of the problems that the email filtering community still hasn’t solved with regards to DMARC is how to deal with the problem of mailing lists. You know, mailing lists. Those are those things that you subscribe to about a certain topic that contains a bunch of other people. When you email the list...
  • Blog Post: Podcast episode 5 – Email over IPv6

    Description The world is moving to IPv6, and so is email. However, email specialists are not thrilled about the move because of the potential for abuse. If it’s hard enough to stop spam in IPv4 with its limited set of IP addresses, how do we hope to stop it in IPv6 with its virtually unlimited set of...
  • Blog Post: What is DMARC BestGuessPass in Office 365?

    If you’re a customer of Office 365, you know that you’ve been protected by DMARC for the past several months. But you may have a question if you look at the email headers. What is this dmarc=bestguesspass that is sometimes seen in the Authentication-Results headers? Maybe something like this: From: Joe...
  • Blog Post: How to align with SPF and DMARC for your domain if you use a lot of 3rd parties to send email as you

    Background One of the pieces of advice I frequently give these days to organizations is for domains to set up DMARC records, and implement a hard fail in their SPF record. This is straightforward for smaller organizations that know all of their email servers, but harder for large organizations. Why?...
  • Blog Post: Best Practices for Exchange Online Protection customers to align with DMARC

    Background Spammers frequently forge the "From" address on email messages so the spam appears to come from a familiar sender such as your bank or social network, or more dangerously, from your own organization so that it looks like an internal sender. To help prevent this abuse, Exchange Online...
  • Blog Post: Cyber thieves stealing from businesses and how DMARC can help

    I read an article yesterday entitled Cyber thieves stole $215 million from businesses using hacked email addresses. How did they do it? Here’s a key excerpt: Here's a nightmare scenario: You're working in the accounts department, when you receive an email from your boss, asking that you urgently wire...
  • Blog Post: An update on DKIM-on-IPv4 and DMARC in Office 365

    If you’re wondering when Office 365 is going to release inbound validation for DKIM-on-IPv4 and DMARC support, I have an update for you. We are currently evaluating DKIM-on-IPv4 everywhere in the service but are fixing the remaining bugs. Today, we stamp the DKIM results in a temporary header, X-DkimResult...
  • Blog Post: Microsoft.com now publishes an SPF Hard Fail in its SPF record

    This past Monday evening, Microsoft corporation for the domain microsoft.com changed its SPF record from soft fail to hard fail. There are many ways that receivers can use SPF hard fail – some mark it as spam outright, some use it as a heavy weight in their spam filter, some use it as a light weight...
  • Blog Post: Supporting email over IPv6, part 1 – An introduction

    One of the important projects I have been working on for the past few months is supporting email over IPv6. Long time readers of this blog (all four of you) will remember that last year I wrote a series of posts on email over IPv6: Part 1 – Introduction Part 2 – Why we can’t use IP blocklists in IPv6...
  • Blog Post: How to setup your DMARC records if you are outsourcing some, or all, of your email – Part 2

    Continuing on in our series on authenticating outsourced email, how do we outsource our email such that we also pass a DMARC check? First, decide if you want DMARC to pass via an SPF check or a DKIM validation, or both. Second, delegate a subdomain for the 3rd party to send email “as your...
  • Blog Post: How to setup DMARC records if you are outsourcing some, or all, of your email – Part 1

    In my previous posts, I discussed how to set up your SPF, SenderID, and DKIM records if you are an organization that outsources some of its email to a 3rd party, such as advertising. For example, an airline might send out its flight confirmations from its own email servers and infrastructure, but contract...
  • Blog Post: How to set up your DKIM records if you are outsourcing some, or all, of your email and still build your reputation

    In my previous post, I described how you can set up DKIM records if you are outsourcing your advertising email to a 3rd party. In summary: You don’t have to do anything. However, this comes at the cost of not being able to generate your own domain-reputation. You may care about generating...
  • Blog Post: How to set up your DKIM records if you are outsourcing some, or all, of your email

    In my last two posts on outsourcing your email, I explained how to set up your SPF records if you are outsourcing your advertising email, and how to set up your SenderID records if you are outsourcing it. Next up is how to set up your DomainKeys Identified Mail, or DKIM, records if you are outsourcing...
  • Blog Post: How to set up your SenderID records if you are outsourcing some, or all, of your email

    In my previous post, I discussed how to structure email such that if it comes from a 3rd party on behalf of you, it will pass an SPF check. But what about passing a SenderID check? To solve this, we first have to remind ourselves what SenderID is. Let’s go back to the previous post where...
  • Blog Post: How to set up your SPF records if you are outsourcing some, or all, of your email

    I thought I would do a few posts on email authentication, specifically, how to ensure that you have good sending reputation and the proper way to set up your SPF records. In future posts, I plan to get into how to set up your DKIM records as well as your DMARC records in the case that you are an organization...
  • Blog Post: Statistics on spoofed mail

    The other day, I decided to investigate some potential efficacy rates of using DMARC.  Would using DMARC result in catching spoofed mail?  Are spoofers abusing certain brands en masse? To check this, I decided to take a look at how much mail we were getting from Paypal, Amazon, Bank of America...
  • Blog Post: New email authentication protocol – DMARC

    Today, a consortium of companies including Google, Microsoft, Facebook and Paypal announced that they were collaborating and coming up with a new protocol known as DMARC – the Domain-based Message Authentication, Reporting and Conformance. What is DMARC? This is very much a summary of DMARC in a nutshell...
  • Blog Post: Should trust be implicit or explicit?

    It sure seems like I am having a lot of debates with my co-worker lately about the nature of mail filtering.  Why do I say this?  Because I had one today.  This one is over the issue of trust. I can’t remember whatever it is we were discussing (I think it was something to do with product...
  • Blog Post: Yahoo now does SPF checks

    Well, what do you know? I don’t know if they have been doing them all along and have only finally decided to expose the result, but I logged into my Yahoo mail the other day and checked out the message headers of a mail in my inbox.  I was surprised to discover that Yahoo is now exposing the Received...
  • Blog Post: Why send spam over TLS?

    In my previous post, I noted that rustock had started sending us a whole pile of spam over the TLS protocol.  The question now is why do it at all?  I mentioned in my post that this is clever behavior and one of my readers posted in a comment “What makes this so clever?” The issue of authentication...
  • Blog Post: Some stats and figures on DKIM and SPF

    Did you ever wonder how many organizations out there are signing their mail with DKIM?  Or how many organizations rely on SPF as a tool to validate their inbound mail? Well, I’ve wondered as well.  DKIM supposedly is getting more popular, but how widespread is it?  Are lots of people using...
  • Blog Post: Yahoo now signs with DKIM

    This went unnoticed by me for a very long time, but I was going through some of my personal mail and I discovered that Yahoo is now signing its outbound mail with DKIM in addition to DomainKeys. Long time readers may remember that about two years ago, I started a series on Sender Authentication and covered...
  • Blog Post: The concept of Safe Senders

    Sometimes an end user wants to flag a specific sender as a safe sender, that is, they always want messages from that user to go to their inbox.  You've probably seen this in some newsletters where they say at the top or bottom of the message to please add them to your address book which will prevent...
  • Blog Post: Response to Trust-based messages

    In my other post in a Q&A excerpt with Dave Crocker by Investor's Business Daily, I'd like to now respond to some of my selected quotes. Crocker: You have to create what I call a trust overlay to the existing e-mail system. Existing senders and receivers can continue to use e-mail as before... All...
Page 1 of 3 (61 items)