Internet Standards. Sam Silberman, Constant Contact

Similar documents
Curbing Threats & Spear Phishing The Promise & Results with DMARC

DomainKeys Identified Mail (DKIM) Murray Kucherawy The Trusted Domain Project

Protect Outbound Mail with DMARC

Protect your brand from phishing s by implementing DMARC 1

Introduction to the DANE Protocol

Security - DMARC ed Encryption

Versions Addressed: Microsoft Exchange 2003 Document Updated: March 25, 2015 Co nfidential Copyright 2015 Smarsh, Inc. All rights reserved.

How to Build an Effective Mail Server Defense

BITS SECURITY TOOLKIT:

DANE Secured Demonstration. Wes Hardaker Parsons

Exim4U. Server Solution For Unix And Linux Systems

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Dell SonicWALL Hosted Security. Administration Guide

Spear Phishing. October 12, 2015 TLP: WHITE.

Exchange Online Protection In-Depth

DMARC and your.bank Domain. September 2015 v

Features by Version. MDaemon Messaging Server Feature Guide. Alt-N Technologies

DomainKeys Identified Mail DKIM authenticates senders, message content

A New Way For ers To Defend Themselves Against Fraud

Reliable & Secure . Professional, Dependable, Complete Easy to Learn, Use and Grow

Anti-Phishing Best Practices for ISPs and Mailbox Providers

One year of DANE Tales and Lessons Learned. sys4.de

The What, Why, and How of Authentication

Objective This howto demonstrates and explains the different mechanisms for fending off unwanted spam .

MDaemon Vs. Microsoft Exchange Server 2013 Standard

SESA Securing with Cisco Security Appliance Parts 1 and 2

AntiSpam. Administrator Guide and Spam Manager Deployment Guide

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

DMARC. How. is Saving . The New Authentication Standard Putting an End to Abuse

This user guide provides guidelines and recommendations for setting up your business s domain authentication to improve your deliverability rating.

DKIM last chance for mail service? TFMC2 01/2006

Next Steps In Accelerating DNSSEC Deployment

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Trust in Begins with Authentication

s and anti-spam Page 1

DMA s Authentication Requirement: FAQs and Best Practices

. Daniel Zappala. CS 460 Computer Networking Brigham Young University

IronPort Authentication

Marketing Glossary of Terms

Issue 2EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Be up against the UTM Dedicated Content Security solutions from Cisco

Tutorial Details Product Demonstrated: X-301 Estimated Completion Time: 15 minutes

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Access Webmail, Collaboration Tools, and Sync Mobile Devices from Anywhere

Migrating to.bank A step-by-step roadmap for migrating to.bank

THE COMPLETE GUIDE TO GOOGLE APPS SECURITY. Building a comprehensive Google Apps security plan

DKIM Enabled Two Factor Authenticated Secure Mail Client

SCORECARD MARKETING. Find Out How Much You Are Really Getting Out of Your Marketing

Migration Project Plan for Cisco Cloud Security

THE DMARC GUIDE. Understanding DMARC for Securing

DRAFT NIST Special Publication Trustworthy

Protecting Your Zimbra Collaboration Environment. Zimbra Security and Privacy White Paper

Authentication Policy and Deployment Strategy for Financial Services Firms

Proxies. Chapter 4. Network & Security Gildas Avoine

Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Delivery Security

Message Authentication Signature Standards (MASS) BOF. Jim Fenton Nathaniel Borenstein

provides several new features and enhancements, and resolves several issues reported by WatchGuard customers.

Hosted Security 2.0 Quick Start Guide

How s are sent from Xero

Deploying DNSSEC: From End-Customer To Content

Microsoft Exchange 2003

How To Ensure Your Is Delivered

Spam, Spam and More Spam. Spammers: Cost to send

DANE for SMTP. Viktor Dukhovni & Wes Hardaker. IETF 87, Berlin July 2013

March PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

WHITEPAPER. SendGrid Deliverability Guide V2. Everything You Need to Know About Delivering through Your Web Application

Eloqua Enhanced Branding and Deliverability More s to the inbox means more opportunities and revenue.

DomainKeys Identified Mail (DKIM): Using Digital Signatures for Domain Verification

Guardian Digital Secure Mail Suite Quick Start Guide

Configuration Information

SPAM, VIRUSES AND PHISHING, OH MY! Michael Starks, CISSP, CISA ISSA Fellow 10/08/2015

Marketer s Field Guide to Gmail, Outlook.com, and Yahoo!

How To Secure Mail Delivery

Security. Raj Jain. Washington University in St. Louis

Comprehensive Filtering. Whitepaper

Clearswift Information Governance

Top 10 Features: Clearswift SECURE Gateway

security

Transcription:

Internet Standards Sam Silberman, Constant Contact

What are Standards?

World without Standards

We live in a connected world

Topics DMARC (Indirect flows) Security/Privacy TLS over SMTP End-to-end encryption SMTP over IPv6 Activities in the IETF APPSAWG

How does DMARC work? Organization publishes a DMARC policy on their domain P=none Participating ISPs sends the organization authentication and forensic reports Organization audits their outbound sending practices Centralizes outbound mail DKIM signs all outbound mail Publishes/updates SPF Repeat Only after exhaustive analysis, organization can enable DMARC p=reject

Who should enable DMARC? Large organizations who s brand (domain name) is used as part of a phishing scam. Banks (Bank of America, Amex) Popular brands (PayPal, Ebay, Amazon) Government agencies (IRS)

Who should not use DMARC? When individuals within the org need to send mail via indirect flows Mailing lists ESPs Proxy/forwarders Any organization where the mailbox owner requires to send mail via Indirect flows. Mailbox service providers (ISPs) Large corporations (no brand risk)

Proposed Mitigations Customer use non-dmarc hosted mailbox Proxy FROM address (Address re-write) FROM Sam sam+yahoo.com@ccsend.net Reply-To: sam@yahoo.com Obtain permission to DKIM sign on behalf of ISP AOL.COM CS.COM AIM.COM Relay through domain owner s SMTP server

Proposed Mitigations "Delegating DKIM Signing Authority draft-kucherawy-dkim-delegate-01 (work in progress), June 2014. "DKIM Conditional Signatures draft-levine-dkim-conditional-00 (work in progress), June 2014. "A List-safe Canonicalization for DomainKeys Identified Mail (DKIM) draft-kucherawy-dkim-list-canon-00 (work in progress), June 2014. "Recognized Transformations of Messages Bearing DomainKeys Identified Mail (DKIM) Signatures draft-kucherawy-dkim-transform-00 (work in progress), April 2015. "Third-Party Authorization Label draft-otis-tpa-label-00 (work in progress), May 2014. Reference: https://datatracker.ietf.org/doc/draft-ietf-dmarc-interoperability/

Security/Privacy Session (point to point) encryption TLS End-to-end encryption

Security/Privacy The DNS Based Authentication of Named Entities (DANE) Session (point to point) encryption TLS DANE Opportunistic TLS SMTP security via opportunistic DANE TLS draft-ietf-dane-smtp-with-dane-16 DANE published keys TLS Protocol using TLSA record in DNS RFC 6698 (was draft-ietf-dane-protocol)

Security/Privacy End to End Encryption Dane Using DANE to Associate OpenPGP public keys with email addresses draft-ietf-dane-openpgpkey-03 Using Secure DNS to Associate Certificates with Domain Names For S/MIME draft-ietf-dane-smime-08

Security/Privacy End to End Encryption De facto standards (browser plug-ins) Google Yahoo https://github.com/google/end-to-end/wiki https://github.com/yahoo/end-to-end

SMTP over IPv6 SMTP IPv6 to IPv4 Fallback http://tools.ietf.org/html/draft-martin-smtp-ipv6-toipv4-fallback-01 Required authentication (best practice) Linkedin position https://engineering.linkedin.com/email/sending-andreceiving-emails-over-ipv6 Google s position https://support.google.com/mail/answer/81126?p=ipv6_auth entication_error&rd=1#authentication

Activities in the IETF APPSAWG Message Disposition Notification (updates for gateways and I18n) http://datatracker.ietf.org/doc/draft-ietf-appsawg-mdn-3798bis/ Message Header Field for Indicating Message Authentication Status draft-ietf-appsawg-rfc7001bis-07 Email Authentication Status Codes (SPF AND DKIM) RFC 7372 (was draft-ietf-appsawg-email-auth-codes)

Next Steps Get Involved DMARC Speak up about indirect flows Propose solutions SMTP Encryption Implement Opportunistic TLS

Questions? Sam Silberman ssilberman@constantcontact.com @samuelsilberman

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information