Working as a pentester, I often check webshops and well-established brands. I expect them to have some kind of e-mail authentication in place, be it DomainKeys or an SPF record.
Not because I want to make the world a spam-free place: I believe mail authentication is a worthwhile measure against phishing scams that abuse a company's brand. If a company has mail authentication such as SPF in place, almost all spam filters are able to, and will, separate legitimate company mail and newsletters from phishing scams, which are usually sent from untrusted IPs or without a proper DKIM signature.
I was recently asked how to check this in a real-world scenario. SPF is fairly easy: just query the TXT and SPF records for the domain in question. dig is your friend, or just use serversniff's DNS report.
DKIM is more complicated: you need a real-world mail from the customer, be it a newsletter, an error message or anything else.
But how do you verify SPF records and DomainKeys signatures?
I found it easiest to use Google Mail for this task: open the e-mail in question, press the small arrow at the upper right (next to the upper "Reply") and select "Show Original". GMail then shows you the complete mail headers, including the validated SPF and DKIM results. These might look like this:
SPF neutral: Google can't verify an SPF record for this mail.
SPF pass by "best guess": there is no SPF record, but Google was able to verify that the originating machine belongs to the originating domain.
I'm still not sure what Google's spam filter means with these headers, but it seems to be fairly accurate, even detecting a domain in "test mode".
I'd be happy to hear about any other solution for verifying mail authentication: write a comment or drop me a mail at tom@serversniff.net.
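As an added example (my own script, not part of the original post), here is a small Python helper that takes the raw message text from "Show Original" and pulls out the SPF result, whether it was a "best guess", the DKIM verdict and the signing domain, then checks that the signing domain matches the visible From: domain. The two sample messages are constructed for illustration; the header layouts follow RFC 7208 (Received-SPF) and RFC 8601 (Authentication-Results).

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample of the raw headers GMail shows under "Show Original";
# addresses, IPs and signature values are made up, not taken from a real mail.
SAMPLE_PASS = (
    "Received-SPF: pass (google.com: domain of news@example.com designates "
    "192.0.2.10 as permitted sender) client-ip=192.0.2.10;\n"
    "Authentication-Results: mx.google.com; spf=pass (google.com: domain of "
    "news@example.com designates 192.0.2.10 as permitted sender) "
    "smtp.mail=news@example.com; dkim=pass header.i=@example.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=news; c=relaxed/relaxed;\n"
    " h=from:to:subject; bh=FAKEHASH; b=FAKESIG\n"
    "From: Example Shop <news@example.com>\nSubject: Newsletter\n\nHello\n"
)
# Constructed "best guess" case: no SPF record published and no DKIM signature.
SAMPLE_GUESS = (
    "Received-SPF: pass (google.com: best guess record for domain of "
    "info@example.net designates 198.51.100.7 as permitted sender) "
    "client-ip=198.51.100.7;\nFrom: info@example.net\nSubject: Order\n\nOops\n"
)

_COMMENT = re.compile(r"\([^)]*\)")          # "(google.com: ...)" remarks

def parse_authentication_results(value):
    """RFC 8601 Authentication-Results -> {method: result} (comments dropped)."""
    value = _COMMENT.sub("", value)
    return {m.lower(): r.lower()
            for m, r in re.findall(r"(?:^|;)\s*([a-z]+)=(\w+)", value, re.I)}

def check_mail(raw):
    """Summarise the SPF/DKIM verdicts of one raw message (headers as text)."""
    msg = message_from_string(raw)
    report = {"spf": None, "best_guess": False, "dkim": None,
              "dkim_domain": None, "aligned": False}
    # Received-SPF: the first token is the result, the (comment) explains it.
    m = re.match(r"\s*(\w+)\s*(?:\(([^)]*)\))?", msg.get("Received-SPF", ""))
    if m:
        report["spf"] = m.group(1).lower()
        report["best_guess"] = "best guess" in (m.group(2) or "")
    ar = parse_authentication_results(msg.get("Authentication-Results", ""))
    report["dkim"] = ar.get("dkim")
    # DKIM-Signature tags: d= is the domain whose key actually signed the mail.
    sig = msg.get("DKIM-Signature", "")
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    report["dkim_domain"] = tags.get("d")
    # Brand check: the signing domain should be the visible From: domain.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    report["aligned"] = bool(tags.get("d")) and tags["d"] == from_domain
    return report
```

A "pass" with `best_guess` set and no DKIM domain means the spam filter trusted the sending host on its own, not a record the brand published.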
tom
2 comments:
Wow! This could be one of the most helpful blogs we've ever come across on this subject. Basically magnificent. I'm also a specialist in this topic, therefore I can understand your effort.
Really nice website
free direct e-mail clairvoyance